OK, quite a bit going on here. So let's get started. Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Please download the trial version of Ewido Security Suite: Here
Please read Ewido Setup Instructions. Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you don't already have Ad-Aware SE 1.06, please download and set up according to the Ad-Aware SE Setup instructions. If you have Ad-Aware SE 1.06, please check for and install any updates. Please also download the VX2 Cleaner tool and install per instructions on that page.
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\byotvid.dll
Close HiJackThis.
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start=> Control Panel=> Folder Options=> View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=> Yes to confirm.
4. Click Apply=> OK.
5. Close Control Panel.
Note that some of these file(s) may not be present.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds. At this time, also run the VX2 Cleaner tool.
Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido
Next go to Control Panel, click Display => Desktop => Customize Desktop => Web => Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Reply.
Let me know if any problems persist. :smileyhappy:
Thanks SpotCheckBilly, it's taken me a couple of days to get round to this! Done as you suggested although I can't run the Panda Activescan. I get a page error when I try to click on 'Local Disks'. I am STILL getting my browser hijacked and URLs redirected although a lot of files were found and deleted during the various scans. Here are the results:
Logfile of HijackThis v1.99.1
Scan saved at 23:08:50, on 14/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Microsoft Windows XP [Version 5.1.2600]
The current date is: 14/12/2005
The current time is: 23:22:37.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
SpySheriff
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
logfiles
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'explorer.exe'
Killing PID 780 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 09:02:11, 15/12/2005
+ Report-Checksum: 9C0A747E
+ Scan result:
HKLM\SOFTWARE\Classes\.s3d -> Spyware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{166348F1-2C41-4C9F-86BB-EB2B8ADE030C} -> Spyware.ClientMan : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CC4C98F3-E8CA-4321-B1F6-24793B3698BA} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-527237240-1060284298-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
[652] C:\WINDOWS\system32\bjdispl.dll -> Spyware.Look2Me : Error during cleaning
[1844] C:\WINDOWS\system32\bjdispl.dll -> Spyware.Look2Me : Error during cleaning
C:\Program Files\KaZaA\TopSearch.dll -> Spyware.TopSearch : Cleaned with backup
C:\install.exe -> Dropper.Agent.aed : Cleaned with backup
C:\Windows\SYSTEM\BHO.DLL -> Spyware.IGetNet : Cleaned with backup
C:\Windows\SYSTEM\NLNP29.exe -> Spyware.IGetNet : Cleaned with backup
C:\Windows\SYSTEM\WinStart001.EXE -> Spyware.IGetNet : Cleaned with backup
C:\Windows\SYSTEM32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_519100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_547200.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_518500.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_753300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_525300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_548400.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_635300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_786700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_516700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_537600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_549600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_557900.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_566100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_566300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_588300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_595900.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_550500.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_676800.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_551600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_623000.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_633000.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_648700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_729000.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_748700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_644200.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_596100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_662100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_612200.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_568700.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_578400.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_578600.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_699200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_749800.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_630700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_560200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_560800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_584300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_584400.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_603100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_678500.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_528700.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_529200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_601300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_603600.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_603800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_632900.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_644100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_661600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_677300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_697300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_699500.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_758600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_783100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_785700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_578500.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_674800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_689300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_693100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_529800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_532100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_564100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_564300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_733200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\ctbv2.dll -> Adware.SAHA : Cleaned with backup
C:\Windows\SYSTEM32\cm1.dll -> Spyware.ClientMan : Cleaned with backup
C:\Windows\SYSTEM32\abycfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Windows\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
C:\Windows\tool1.exe -> Proxy.Xorpix.e : Cleaned with backup
C:\Installer.exe -> Spyware.Look2Me : Cleaned with backup
:mozilla.11:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.36:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP851\A0067728.exe -> Downloader.PassAlert.d : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP851\A0067733.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0067745.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0067753.exe -> Hijacker.Spywad.l : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068974.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068748.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068766.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068769.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068773.exe -> Proxy.Xorpix.e : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068975.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP850\A0067466.exe -> Downloader.Qoologic.at : Cleaned with backup
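The ewido report above lists each detection as `location -> family : result`, and the two entries marked `Error during cleaning` are the same DLL found inside running processes (the `[PID]` prefix, which marks an object ewido found loaded in a process rather than only on disk). As an added example, not part of the original thread or of ewido itself, here is a small Python parser that turns such a report into a triage summary: counts per family and result, the kind of object each entry is (registry key, file, in-process module, browser cookie, or System Restore copy), and the list of entries that still need attention. The sample lines are copied from the report above; the category names and the `[PID]`/`:mozilla.N:` interpretation are this example's own.

```python
import re
from collections import Counter

# Lines copied from the ewido report posted above (a subset of that log, not constructed data).
SAMPLE_REPORT = r"""+ Created on: 09:02:11, 15/12/2005
+ Report-Checksum: 9C0A747E
+ Scan result:
HKLM\SOFTWARE\Classes\.s3d -> Spyware.BrilliantDigital : Cleaned with backup
[652] C:\WINDOWS\system32\bjdispl.dll -> Spyware.Look2Me : Error during cleaning
[1844] C:\WINDOWS\system32\bjdispl.dll -> Spyware.Look2Me : Error during cleaning
C:\Windows\SYSTEM32\AdCache\B_519100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\abycfilt.dll -> Spyware.Look2Me : Cleaned with backup
:mozilla.11:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0067745.dll -> Spyware.Look2Me : Cleaned with backup
"""

# One detection per line: optional "[PID] " or ":mozilla.N:" prefix, then location -> family : result
ENTRY_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?"        # "[PID] " = object found inside a running process (assumed meaning)
    r"(?::mozilla\.(?P<cookie>\d+):)?"  # ":mozilla.N:" = one cookie record inside cookies.txt
    r"(?P<location>.+?)\s+->\s+"
    r"(?P<family>\S+)\s+:\s+"
    r"(?P<result>.+?)\s*$"
)
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


def classify(entry):
    """Sort an entry by the kind of object it refers to (category names are this example's)."""
    if entry["pid"] is not None:
        return "process"
    if entry["cookie"] is not None:
        return "cookie"
    if entry["location"].upper().startswith(REGISTRY_HIVES):
        return "registry"
    if "System Volume Information" in entry["location"]:
        return "restore_point"
    return "file"


def parse_entry(line):
    """Return a dict for a detection line, or None for header/blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"]) if entry["pid"] else None
    entry["cookie"] = int(entry["cookie"]) if entry["cookie"] else None
    entry["kind"] = classify(entry)
    return entry


def triage(report_text):
    """Summarise a whole report; anything not reported as cleaned goes on the follow-up list."""
    entries = [e for e in (parse_entry(l) for l in report_text.splitlines()) if e]
    return {
        "total": len(entries),
        "by_family": Counter(e["family"] for e in entries),
        "by_result": Counter(e["result"] for e in entries),
        "by_kind": Counter(e["kind"] for e in entries),
        "follow_up": [e for e in entries if not e["result"].startswith("Cleaned")],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(summary["total"], "detections")
    for family, n in summary["by_family"].most_common():
        print(f"  {n:3} {family}")
    for e in summary["follow_up"]:
        # A module still loaded in a process cannot be removed while it is running,
        # which is why the thread moves on to a dedicated tool (L2MFix) for Look2Me.
        print(f"follow up: {e['location']} (pid {e['pid']}): {e['result']}")
```

Running it on the sample shows four Look2Me hits, two of which could not be cleaned because the DLL was still loaded; grouping the System Restore copies separately keeps them from inflating the count of live infections.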
Save L2MFix to your desktop. Double-click l2mfix.exe.
Click the Install button to extract the files.
Follow the prompts.
Open the l2mfix folder on your desktop.
Double-click l2mfix.bat and select option #1 for "Run Find Log" by typing "1" (without the quotes).
Press enter.
This will start the scan.
Note: it may appear nothing is happening. Please be patient until the scan finishes.
When the scan is complete, Notepad will open with a log.
Copy the contents of that log and paste it into your reply to this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This fix must NOT be run in safe mode for it to work.
Please note: While running option #1, you may receive an error similar to this:
"C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications."
Choose "close" to terminate the application. Please use option #5 or the web page link in the l2mfix folder to correct this error. Do NOT run the "fix" portion without resolving this first. :smileyhappy:
Here's the main reason why you sometimes have to split replies because of the character limits. (Just one of those for-future-reference things. LOL)
For some reason that no one has been able to explain yet, sometimes when you copy/paste from Notepad into the message box, it will double-space the lines. This usually ends up causing the need for splitting log files into two posts.
Usually, you can keep this from happening by unchecking the word wrap feature in Notepad before doing the select all/copy. Not sure why this works, but it seems to.
Now on to the next step. :smileyhappy:
Please close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop:
Double-click l2mfix.bat
Select option #2 for Run Fix by typing 2 and pressing enter.
The process will start.
Note: Your desktop and icons will disappear (this is normal).
L2mfix will continue to scan your computer.
When it's finished, you will need to reboot.
Press any key to reboot.
After the reboot, Notepad will open with a log.
Copy the contents of that log and paste it into your reply to this thread, along with a new HijackThis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do NOT run in safe mode!! If after the reboot the log does not open, double click on it in the l2mfix folder. :smileyvery-happy:
Hi George, thanks for the tip. Here are the results.
L2mfix Beta 121505
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes): 1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From: C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 576 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 676 'winlogon.exe'
Killing PID 676 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 380 'explorer.exe'
Killing PID 380 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1284 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332
Zipping up files for submission:
adding: Documents and Settings/jon/Desktop/l2mfix/backregs/notibac.reg (deflated 63%)
adding: Documents and Settings/jon/Desktop/l2mfix/backregs/shell.reg (deflated 74%)
Restoring Windows Update Certificates.:
deleting local copy: f82m0if1e82.dll
deleting local copy: kxdca.dll
deleting local copy: lvru0999e.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\f82m0if1e82.dll
C:\WINDOWS\system32\kxdca.dll
C:\WINDOWS\system32\lvru0999e.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
The good news is, no double spacing this time. LOL The bad news is, it looks like part of the L2Mfix log got cut off. These logs are often too long (even without the double spacing), so this is quite common. Not to worry as long as you have not deleted anything from the l2mfix folder.
Depending on how much of it got cut off, it may take two separate posts just for that log file. Would you please also include a fresh HijackThis log?
I know it's kind of a pain having to post all of this, but if we don't get all of this particular infection removed, it will just happen over again. Look2Me is often very tenacious and doesn't like to give up easily. Fortunately we have enough weapons in our arsenal to get rid of it. :smileyhappy:
I've been back into the L2MFix Folder and looked at the log again. It is exactly as I posted and cuts off at the same point! Not sure what happened there. I'm gonna run the fix again to get a fresh log and will post it here later.
OK, apparently there is a file missing. L2MFix came up with the same log, but popped up a message at the end telling me to fix line 020 with HJT. Any ideas how to do this? Here is the HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 13:15:21, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
OK, running the fix again, I'm sure, produced a completely different log. No problem. Let's continue on, looks like we are almost there. Run HiJackThis and click "Scan", then check (tick) the following, if present:
The system seems much better now, thanks! I've no longer got my browser hijacked and everything's running smoothly. My only concern is AVG occasionally pops up with a Trojan Horse alert. The latest was C:/drsmartdownload.exe which I've not installed or downloaded. How can I be sure I'm virus free?
Anyway, here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:30:00, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
If AVG reports that this file is on your machine, you can do a search for it using either Windows Explorer or Start=>Search. If you find it, just delete it. You can also do either one, or both of these free online Trojan scans:
If you are unsure about your onboard protection, there are always the free scans at Trend Micro and Panda. When you feel comfortable that your machine is malware free (which according to your latest HijackThis scan it is), follow the recommendations below to keep it that way. :smileyhappy:
Reboot your computer, and try using different programs and make sure everything is running ok. If you're still experiencing problems, post back a description and wait for advice before continuing with the cleanup.
Download, install and run Cleanup! from Steven Gould, then:
1. Click "Cleanup!" (wait for the program to finish scanning your system and selecting files to be removed.)
2. Exit the program and reboot the computer, if necessary.
For more information about using Cleanup! see here.
If everything is running ok, let's do the final cleanup...
1. Run "Disk Cleanup" and allow it to remove everything it finds.
2. If you've downloaded MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.
3. Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". Follow on-screen prompts.
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
Spywareblaster=> SpywareBlaster will prevent spyware from being installed.
Spywareguard=> SpywareGuard offers realtime protection from spyware installation attempts.
How to use Ad-Aware to remove Spyware=> If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware=> If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
IE/Spyad=> IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file=> The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar=> Get the free Google toolbar to help stop pop-up windows.
I also suggest that you delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\---Everything After the \.
C:\Temp\---Everything After the \.
C:\Documents and Settings\username\Local Settings\Temp\---Everything After the \.
Repeat for all users.
Also delete your Temporary Internet Files:
Click Start=>Control Panel=>Internet options.
Under the General tab.
Click Delete Files button.
Place a check-mark in Delete all off-line content.
Click OK=>OK
Exit Control Panel
Repeat for all users.
Empty the recycle bin:
Right-click the Recycle Bin icon on your desktop.
Select "Empty Recycle Bin".
Repeat for all users.
Note: you can also do the above steps using a program such as Cleanup! from Steven Gould or CCleaner.
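The MVPS Hosts file advice above works because any name mapped to 127.0.0.1 (or 0.0.0.0) is sinkholed to the local machine, whereas a hosts entry that maps a name to some other address, like the `O1 - Hosts: 158.234.3.63 ukp-axn8uxga82u` line HijackThis reported earlier in this thread, sends traffic for that name to a different host and is the shape a hosts-file hijack takes. As an added example that is not part of the thread or of any of the tools it mentions, this Python snippet audits a hosts file (and HijackThis O1 lines) by sorting entries into those categories so the redirects can be reviewed first. The sample hosts content is constructed, apart from the O1 entry taken from the log above; the category names are this example's own.

```python
import ipaddress

# Constructed sample hosts file; the last entry is the O1 line from the HijackThis log above.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample for this example)
127.0.0.1       localhost
127.0.0.1       ads.example.test            # MVPS-style block: sinkholed to the local machine
0.0.0.0         tracker.example.test www.tracker.example.test   # also a block entry (unroutable)
158.234.3.63    ukp-axn8uxga82u             # maps a name to another host: review this one
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:  # one line may list several names for the same address
            yield address, name


def classify_entry(address, name):
    """localhost: the default entry; block: name sinkholed to the local machine
    (what the MVPS file does); redirect: name sent to some other host, the shape
    of a hosts-file hijack; malformed: the address does not parse at all."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback and name.lower() in ("localhost", "localhost.localdomain"):
        return "localhost"
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    return "redirect"


def audit_hosts(text):
    """Group every hosts entry by category."""
    report = {"localhost": [], "block": [], "redirect": [], "malformed": []}
    for address, name in parse_hosts(text):
        report[classify_entry(address, name)].append((address, name))
    return report


def parse_hjt_o1(line):
    """Turn a HijackThis 'O1 - Hosts: <address> <name>' line into an (address, name) pair."""
    prefix = "O1 - Hosts:"
    if not line.startswith(prefix):
        raise ValueError("not an O1 line: " + line)
    address, name = line[len(prefix):].split()[:2]
    return address, name


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for category in ("redirect", "block", "localhost", "malformed"):
        for address, name in result[category]:
            print(f"{category:10} {address:15} {name}")
    o1 = parse_hjt_o1("O1 - Hosts: 158.234.3.63 ukp-axn8uxga82u")
    print("HJT O1 entry is a", classify_entry(*o1))
```

On a machine with the MVPS file installed the `block` list will be long and uninteresting; the `redirect` list is the one worth reading, since a legitimate hosts file rarely needs to point a name anywhere but the local machine.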
SpotCheckBilly
932 Posts
0
December 13th, 2005 00:00
OK, quite a bit going on here. So let's get started.
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite: Here
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you don't already have Ad-Aware SE 1.06, please download and set up according to the Ad-Aware SE Setup instructions. If you have Ad-Aware SE 1.06, please check for and install any updates. Please also download the VX2 Cleaner tool and install per instructions on that page.
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
O1 - Hosts: 158.234.3.63 ukp-axn8uxga82u
O4 - HKLM\..\Run: [MSOffice32] C:\WINDOWS\system32\msjcf.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINDOWS\system32\mstool.exe
O4 - HKCU\..\Run: [kbdpl] C:\WINDOWS\System32\kbdpl.exe
O4 - HKCU\..\Run: [kbdbene] C:\WINDOWS\System32\kbdbene.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - C:\Program Files\ClientMan\run\searchrep8181a0e2.dll
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\byotvid.dll
Close HiJackThis.
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start=> Control Panel=> Folder Options=> View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files"=> Yes to confirm.
4. Click Apply=> OK.
5. Close Control Panel.
folders...
C:\Program Files\ClientMan
files...
C:\WINDOWS\system32\msjcf.exe
C:\WINDOWS\system32\mstool.exe
C:\WINDOWS\System32\kbdpl.exe
C:\WINDOWS\System32\kbdbene.exe
C:\WINDOWS\system32\byotvid.dll
Note that some of these file(s) may not be present.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds. At this time, also run the VX2 Cleaner tool.
Run Ewido:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close Ewido. Next go to Control Panel, click Display => Desktop => Customize Desktop => Web => Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Reply.
Let me know if any problems persist. :smileyhappy:
George a.k.a. SpotCheckBilly
bobweasel
9 Posts
0
December 15th, 2005 10:00
Logfile of HijackThis v1.99.1
Scan saved at 23:08:50, on 14/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
O1 - Hosts: 158.234.3.63 ukp-axn8uxga82u
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSOffice32] C:\WINDOWS\system32\msjcf.exe
O4 - HKLM\..\Run: [Microsoft tool] C:\WINDOWS\system32\mstool.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kbdpl] C:\WINDOWS\System32\kbdpl.exe
O4 - HKCU\..\Run: [kbdbene] C:\WINDOWS\System32\kbdbene.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Freeserve - {4B39B640-0BD5-11D4-B093-20604EC10000} - http://www.freeserve.net/ (file missing) (HKCU)
O9 - Extra button: Dell Home - {7A9E4AA0-D515-11D3-B093-40664EC10000} - http://www.dell.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.uk/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
O18 - Filter: text/html - {2DE94081-9FE6-4227-BC59-B7A80CC8308C} - C:\Program Files\ClientMan\run\searchrep8181a0e2.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\r0r6la9s1d.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
smitRem:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 14/12/2005
The current time is: 23:22:37.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
SpySheriff
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
logfiles
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'explorer.exe'
Killing PID 780 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 09:02:11, 15/12/2005
+ Report-Checksum: 9C0A747E
+ Scan result:
HKLM\SOFTWARE\Classes\.s3d -> Spyware.BrilliantDigital : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{166348F1-2C41-4C9F-86BB-EB2B8ADE030C} -> Spyware.ClientMan : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CC4C98F3-E8CA-4321-B1F6-24793B3698BA} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-527237240-1060284298-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
[652] C:\WINDOWS\system32\bjdispl.dll -> Spyware.Look2Me : Error during cleaning
[1844] C:\WINDOWS\system32\bjdispl.dll -> Spyware.Look2Me : Error during cleaning
C:\Program Files\KaZaA\TopSearch.dll -> Spyware.TopSearch : Cleaned with backup
C:\install.exe -> Dropper.Agent.aed : Cleaned with backup
C:\Windows\SYSTEM\BHO.DLL -> Spyware.IGetNet : Cleaned with backup
C:\Windows\SYSTEM\NLNP29.exe -> Spyware.IGetNet : Cleaned with backup
C:\Windows\SYSTEM\WinStart001.EXE -> Spyware.IGetNet : Cleaned with backup
C:\Windows\SYSTEM32\AdCache -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_519100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_547200.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_518500.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_753300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_525300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_548400.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_635300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_786700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_516700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_537600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_549600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_557900.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_566100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_566300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_588300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_595900.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_550500.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_676800.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_551600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_623000.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_633000.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_648700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_729000.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_748700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_644200.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_596100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_662100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_612200.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_568700.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_578400.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_578600.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_699200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_749800.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_630700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_560200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_560800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_584300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_584400.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_603100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_678500.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_528700.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_529200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_601300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_603600.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_3_603800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_632900.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_644100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_661600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_677300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_697300.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_699500.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_758600.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_783100.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_785700.HTM -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_578500.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_674800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_689300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_1_693100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_529800.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_532100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_564100.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_564300.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\AdCache\B_291_0_2_733200.GIF -> Adware.Cydoor : Cleaned with backup
C:\Windows\SYSTEM32\ctbv2.dll -> Adware.SAHA : Cleaned with backup
C:\Windows\SYSTEM32\cm1.dll -> Spyware.ClientMan : Cleaned with backup
C:\Windows\SYSTEM32\abycfilt.dll -> Spyware.Look2Me : Cleaned with backup
C:\Windows\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
C:\Windows\tool1.exe -> Proxy.Xorpix.e : Cleaned with backup
C:\Installer.exe -> Spyware.Look2Me : Cleaned with backup
:mozilla.11:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.36:C:\Documents and Settings\jon\Application Data\Mozilla\Firefox\Profiles\9nv6avb2.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP851\A0067728.exe -> Downloader.PassAlert.d : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP851\A0067733.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0067745.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0067753.exe -> Hijacker.Spywad.l : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068974.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068748.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068766.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068769.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068773.exe -> Proxy.Xorpix.e : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP852\A0068975.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5E9CAB4D-1E35-450F-8FB2-A70066491478}\RP850\A0067466.exe -> Downloader.Qoologic.at : Cleaned with backup
::Report End
I hope that helps!!!!
SpotCheckBilly
December 16th, 2005 00:00
OK, it looks like we have got rid of smitfraud. Now onto the next step
You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save L2MFix to your desktop. Double-click l2mfix.exe.
- Click the Install button to extract the files
- Follow the prompts
- Open the l2mfix folder on your desktop.
- Double-click l2mfix.bat and select option #1 for "Run Find Log" by typing "1" (without the quotes).
- Press enter.
- This will start the scan.
- Note: it may appear nothing is happening. Please be patient until scan finishes.
- When scan is complete, Notepad will open with a log.
- Copy the contents of that log and paste it into your reply to this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This Fix must NOT be run in safe mode for it to work. Please note: While running option #1, you may receive an error similar to this:
"C:\windows\system32\cmd.exeC:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications."
Choose "close" to terminate the application. Please use option #5 or the web page link in the l2mfix folder to correct this error. Do NOT run the "fix" portion without resolving this first.
George a.k.a. SpotCheckBilly
bobweasel
December 16th, 2005 21:00
L2MFix Find Log part 2:
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxdca.dll"
"ThreadingModel"="Apartment"
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
spmsg.dll Wed 12 Oct 2005 23:12:26 ..... 14,048 13.72 K
shell32.dll Fri 23 Sep 2005 4:05:30 A.... 8,450,560 8.06 M
gdi32.dll Thu 6 Oct 2005 3:09:36 A.... 280,064 273.50 K
wininet.dll Fri 21 Oct 2005 3:39:30 A.... 658,432 643.00 K
kxdca.dll Fri 16 Dec 2005 10:10:22 ..S.R 233,903 228.42 K
lvru09~1.dll Fri 16 Dec 2005 10:08:20 ..S.R 235,578 230.05 K
mstime.dll Fri 21 Oct 2005 3:39:30 A.... 530,944 518.50 K
msrating.dll Fri 21 Oct 2005 3:39:30 A.... 146,432 143.00 K
mshtmled.dll Fri 21 Oct 2005 3:39:30 A.... 448,512 438.00 K
urlmon.dll Sat 5 Nov 2005 3:16:28 A.... 609,280 595.00 K
mshtml.dll Thu 24 Nov 2005 1:06:34 A.... 3,015,680 2.88 M
iepeers.dll Fri 21 Oct 2005 3:39:28 A.... 251,392 245.50 K
dxtrans.dll Fri 21 Oct 2005 3:39:28 A.... 205,312 200.50 K
danim.dll Sat 5 Nov 2005 3:16:24 A.... 1,054,208 1.00 M
cdfview.dll Fri 21 Oct 2005 3:39:26 A.... 151,040 147.50 K
browseui.dll Thu 24 Nov 2005 1:06:34 A.... 1,022,464 998.50 K
esent.dll Thu 20 Oct 2005 22:20:04 A.... 1,082,368 1.03 M
shlwapi.dll Fri 21 Oct 2005 3:39:30 A.... 473,600 462.50 K
shdocvw.dll Thu 1 Dec 2005 3:59:30 A.... 1,492,480 1.42 M
pngfilt.dll Fri 21 Oct 2005 3:39:30 A.... 39,424 38.50 K
inseng.dll Fri 21 Oct 2005 3:39:28 A.... 96,256 94.00 K
extmgr.dll Fri 21 Oct 2005 3:39:28 ..... 55,808 54.50 K
f82m0i~1.dll Thu 15 Dec 2005 17:49:18 ..S.R 233,903 228.42 K
23 items found: 23 files (3 H/S), 0 directories.
Total of file sizes: 20,781,688 bytes 19.82 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is CHICKIE
Volume Serial Number is 07D0-011B
Directory of C:\WINDOWS\System32
16/12/2005 10:10 233,903 kxdca.dll
16/12/2005 10:08 235,578 lvru0999e.dll
15/12/2005 17:49 233,903 f82m0if1e82.dll
31/08/2003 18:43 8,192 Thumbs.db
03/08/2002 10:02 <DIR> Microsoft
03/08/2002 09:09 <DIR> dllcache
4 File(s) 711,576 bytes
2 Dir(s) 3,453,026,304 bytes free
bobweasel
December 16th, 2005 21:00
OK George, here is the L2MFix Find Log. I've split it into 2 posts as it would not all fit on 1. Thanks for your continued support!
L2MFIX find log 121505
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f82m0if1e82.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3027090E-3F5F-7F46-345F-E73EA6C3738F}"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{59850401-6664-101B-B21C-00AA004BA90B}"="Microsoft Office Binder Explode"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1E2CDF40-419B-11D2-A5A1-002018648BA7}"="AVG Shell Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{7059DA7A-7E60-11d2-A355-00C04FB9D26E}"="Maxtor Locked Drives"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}"=""
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
**********************************************************************************
SpotCheckBilly
932 Posts
0
December 16th, 2005 23:00
Here's the main reason why you sometimes have to split replies because of the character limits. (Just one of those for-future-reference things. LOL)
For some reason that no one has been able to explain yet, sometimes when you copy/paste from Notepad into the message box, it will doublespace the lines. This usually ends up causing the need for splitting log files into two posts.
Usually, you can keep this from happening by unchecking the word wrap feature in Notepad before doing the select all/copy. Not sure why this works, but it seems to.
Now on to the next step. :smileyhappy:
Please close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop:
- Double-click l2mfix.bat
- Select option #2 for Run Fix by typing 2 and pressing enter.
- The process will start.
- Note: Your desktop and icons will disappear (this is normal).
- L2mfix will continue to scan your computer
- When it's finished, you will need to reboot.
- Press any key to reboot.
After the reboot Notepad will open with a log. Copy the contents of that log and paste it into your reply to this thread, along with a new Hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Do Not run in safe mode!!
If after the reboot the log does not open double click on it in the l2mfix folder. :smileyvery-happy:
George a.k.a. SpotCheckBilly
bobweasel
9 Posts
0
December 17th, 2005 11:00
Hi George, thanks for the tip. Here are the results.
L2mfix Beta 121505
Creating Account.
The command completed successfully.
Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Running From:
C:\WINDOWS\system32
Killing Processes!
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 576 'smss.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 676 'winlogon.exe'
Killing PID 676 'winlogon.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 380 'explorer.exe'
Killing PID 380 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1284 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332
Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332
Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332
Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332
Granting SeDebugPrivilege to Administratoren ... failed (GetAccountSid(Administratoren)=1332
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINDOWS\system32\f82m0if1e82.dll
Backing Up: C:\WINDOWS\system32\kxdca.dll
Backing Up: C:\WINDOWS\system32\lvru0999e.dll
moving: C:\WINDOWS\system32\f82m0if1e82.dll
Successfully Moved: C:\WINDOWS\system32\f82m0if1e82.dll
moving: C:\WINDOWS\system32\kxdca.dll
Successfully Moved: C:\WINDOWS\system32\kxdca.dll
moving: C:\WINDOWS\system32\lvru0999e.dll
Successfully Moved: C:\WINDOWS\system32\lvru0999e.dll
Desktop.ini sucessfully removed
Zipping up files for submission:
adding: Documents and Settings/jon/Desktop/l2mfix/backregs/notibac.reg (deflated 63%)
adding: Documents and Settings/jon/Desktop/l2mfix/backregs/shell.reg (deflated 74%)
Restoring Windows Update Certificates.:
deleting local copy: f82m0if1e82.dll
deleting local copy: kxdca.dll
deleting local copy: lvru0999e.dll
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f82m0if1e82.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\f82m0if1e82.dll
C:\WINDOWS\system32\kxdca.dll
C:\WINDOWS\system32\lvru0999e.dll
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}\InprocServer32]
@="C:\\WINDOWS\\system32\\kxdca.dll"
"ThreadingModel"="Apartment"
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}"=-
[-HKEY_CLASSES_ROOT\CLSID\{357C1E44-CB75-49A9-9AE5-1832D7F7BC19}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
C:\WINDOWS\System32\357C1E44-CB75-49A9-9AE5-1832D7F7BC19.reg
Checking for L2MFix account(0=no 1=yes):
0
adding: dlls/f82m0if1e82.dll (deflated 4%)
adding: dlls/kxdca.dll (deflated 4%)
adding: dlls/lvru0999e.dll (deflated 5%)
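The Winlogon Notify export in the log above is what separates the infection from the legitimate packages: every Windows package (crypt32chain, cscdll, ScCertProp, Schedule, and so on) names its DLL by bare file name, some of them as hex(2) UTF-16 data, while the RunOnce package points at a full path to a randomly named DLL in system32. As an added example that is not part of this thread or of the L2MFix tool, here is a small Python parser for such an export that re-joins wrapped lines, decodes the hex(2) values and flags packages by that rule. The sample export inside it is a constructed excerpt modelled on the one above, and the baseline DLL list is an assumption for illustration, not an official Microsoft list.

```python
import re

# Assumption: an illustrative baseline of the notification DLLs Windows XP
# ships with, not an official list.  A real baseline should be exported from a
# known-clean machine of the same build.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Constructed excerpt modelled on the export in the L2MFix log above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\f82m0if1e82.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""


def _join_continuations(text):
    """Re-join values that regedit wrapped with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def decode_reg_data(data):
    """Decode one .reg value body: "string", dword:xxxxxxxx or hex(N):bytes.

    hex(1)/hex(2) (REG_SZ/REG_EXPAND_SZ) are UTF-16LE with a NUL terminator,
    which is how the export above spells crypt32.dll and wlnotify.dll."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data


def parse_reg_export(text):
    """Return {key path: {value name: decoded data}} for a REGEDIT 5.00 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_data(m.group(2))
        elif line.startswith("@=") and current is not None:
            keys[current]["@"] = decode_reg_data(line[2:])
    return keys


def triage_notify_packages(keys):
    """Flag Notify packages whose DLL is given as a full path or is not in the
    baseline.  Returns [(package, dll, [reasons])]."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        # Registry value names are case-insensitive ("DllName" vs "DLLName").
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings.append((package, None, ["no DllName value"]))
            continue
        reasons = []
        if "\\" in dll:
            # Windows' own packages are referenced by bare file name; an
            # explicit path into system32 is how the log's RunOnce entry looked.
            reasons.append("absolute path")
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("file name not in baseline")
        if reasons:
            findings.append((package, dll, reasons))
    return findings


if __name__ == "__main__":
    for package, dll, reasons in triage_notify_packages(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{package}: {dll} ({', '.join(reasons)})")
```

Judging by the DLL target rather than the subkey name matters here because "RunOnce" reads like a legitimate Windows key. The same parser can be pointed at the CLSID export further down the log, where the InprocServer32 default value of the removed shell extension names kxdca.dll.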
SpotCheckBilly
932 Posts
0
December 17th, 2005 19:00
The good news is, no double spacing this time. LOL The bad news is, it looks like part of the L2Mfix log got cut off. These logs are often too long (even without the double spacing), so this is quite common. Not to worry as long as you have not deleted anything from the l2mfix folder.
Depending on how much of it got cut off, it may take two separate posts just for that log file. Would you please also include a fresh HijackThis log?
I know it's kind of a pain having to post all of this, but if we don't get all of this particular infection removed, it will just happen over again. Look2Me is often very tenacious and doesn't like to give up easily. Fortunately we have enough weapons in our arsenal to get rid of it. :smileyhappy:
George a.k.a. SpotCheckBilly
bobweasel
9 Posts
0
December 18th, 2005 11:00
I've been back into the L2MFix Folder and looked at the log again. It is exactly as I posted and cuts off at the same point! Not sure what happened there. I'm gonna run the fix again to get a fresh log and will post it here later.
Thanks,
Jon
bobweasel
9 Posts
0
December 18th, 2005 11:00
Logfile of HijackThis v1.99.1
Scan saved at 13:15:21, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.uk/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\f82m0if1e82.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
SpotCheckBilly
932 Posts
0
December 18th, 2005 21:00
OK, running the fix again, I'm sure, produced a completely different log. No problem. Let's continue on, looks like we are almost there.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\f82m0if1e82.dll (file missing)
With all windows closed except HiJackThis, click " Fix checked".
Post back a new log. Let me know how things are running. :smileyhappy:
George a.k.a. SpotCheckBilly
bobweasel
9 Posts
0
December 20th, 2005 08:00
The system seems much better now, thanks! I've no longer got my browser hijacked and everything's running smoothly. My only concern is AVG occasionally pops up with a Trojan Horse alert. The latest was C:/drsmartdownload.exe which I've not installed or downloaded. How can I be sure I'm virus free?
Anyway, here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:30:00, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\PROGRA~1\Grisoft\AVGFRE~1\avgvv.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.7\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yahoo.com/v43/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.co.uk/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify214.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
bobweasel
9 Posts
0
December 20th, 2005 20:00
Regards,
Jon
SpotCheckBilly
932 Posts
0
December 20th, 2005 20:00
Congratulations! Your log looks clean - good work!
If AVG reports that this file is on your machine, you can do a search for it using either Windows Explorer or Start=>Search. If you find it, just delete it. You can also do either one, or both of these free online Trojan scans:
Sygate Trojan Scan or Trojan Scan.
If you are unsure about your onboard protection, there are always the free scans at Trend Micro and Panda. When you feel comfortable that your machine is malware free (which according to your latest HijackThis scan it is), follow the recommendations below to keep it that way. :smileyhappy:
Reboot your computer, and try using different programs and make sure everything is running ok. If you're still experiencing problems, post back a description and wait for advice before continuing with the cleanup.
Download, install and run Cleanup! from Steven Gould, then:
1. Click " Cleanup!"
( wait for the program to finish scanning your system, and selecting files to be removed.)
2. Exit the program and reboot the computer, if necessary.
For more information about using Cleanup! see here.
If everything is running ok, let's do the final cleanup...
1. Run " Disk Cleanup" and allow it to remove everything it finds.
2. If you've downloaded MicroWorld AV ( MWAV), run it again - but don't scan, just click " Clear Log" and exit the program.
3. Go to www.trendmicro.com and click " Free Online Scan", then " Scan now, it's free!". Follow on-screen prompts.
4. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system restore point manually.
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:
- Spywareblaster => SpywareBlaster will prevent spyware from being installed.
- Spywareguard => SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware => If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware => If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad => IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file => The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
- Google Toolbar => Get the free google toolbar to help stop pop up windows.
I also suggest that you delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
- C:\WINDOWS\Temp\---Everything After the \.
- C:\Temp\---Everything After the \.
- C:\Documents and Settings\username\Local Settings\Temp\---Everything After the \.
- Repeat for all users.
Also delete your Temporary Internet Files:
- Click Start=>Control Panel=>Internet options.
- Under the General tab.
- Click Delete Files button.
- Place a check-mark in Delete all off-line content.
- Click OK=>OK
- Exit Control Panel
- Repeat for all users.
Empty the recycle bin:
- Right-click the Recycle Bin icon on your desktop.
- Select "Empty Recycle Bin".
- Repeat for all users.
Note: you can also do the above steps using a program such as Cleanup! from Steven Gould or CCleaner. These steps should be done on a regular basis.
Also, please see
So how did I get infected in the first place?
If you are having any more problems, post back the description along with a fresh HijackThis log. :smileyhappy:
George a.k.a. SpotCheckBilly
SpotCheckBilly
932 Posts
0
December 21st, 2005 05:00
You're very welcome. Glad that I could help.
Safe surfing :smileyvery-happy:
George a.k.a. SpotCheckBilly