Nov 25th, 2005

Can't get rid of pop up

I am having a really hard time trying to get URL logic off of my computer. It keeps popping up ads as I surf the web. I have swept my system with Spy Sweeper but it cannot find and remove the spyware. I have also tried to use HijackThis to remove stuff myself but have gotten really confused as to what is good and what isn't.

I have also run the FindIt utility, which produced the following log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Hussain\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5070-CD8D

Directory of C:\WINDOWS\System32

25/11/2005 13:49 234,654 irfosoft.dll
25/11/2005 13:39 236,661 o248lchu1f48.dll
25/11/2005 13:36 236,661 LAIMG12n.DLL
25/11/2005 13:34 234,654 gp84l3lq1.dll
13/11/2005 00:44 <DIR> dllcache
28/10/2005 14:24 <DIR> Microsoft
20/09/2001 14:33 36,864 niini32.dll
05/04/2001 17:43 94,208 msstkprp.dll
30/09/1999 18:21 166,672 mstext35.dll
28/09/1999 20:42 1,050,896 msjet35.dll
09/09/1999 21:06 168,720 msltus35.dll
09/09/1999 21:06 252,688 msexcl35.dll
25/08/1999 13:57 415,504 msrepl35.dll
10/06/1999 08:34 24,848 msjter35.dll
10/06/1999 08:34 123,664 msjint35.dll
07/06/1999 17:59 250,128 mspdox35.dll
25/04/1999 16:00 287,504 Msxbse35.dll
25/04/1999 16:00 368,912 Vbar332.dll
25/04/1999 16:00 252,176 Msrd2x35.dll
17 File(s) 4,435,414 bytes
2 Dir(s) 14,676,389,888 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5070-CD8D

Directory of C:\WINDOWS\System32

13/11/2005 00:44 <DIR> dllcache
28/10/2005 14:18 488 logonui.exe.manifest
28/10/2005 14:18 488 WindowsLogon.manifest
28/10/2005 14:18 749 nwc.cpl.manifest
28/10/2005 14:18 749 sapi.cpl.manifest
28/10/2005 14:18 749 wuaucpl.cpl.manifest
28/10/2005 14:18 749 cdplayer.exe.manifest
28/10/2005 14:18 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 14,676,389,888 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 5070-CD8D

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 5070-CD8D

Directory of C:\WINDOWS\System32

04/08/2004 12:00 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 14,676,389,888 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2FEE38D9-E394-9924-BA83-DBFE39485135}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp84l3lq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri 28 Oct 2005 14:18:48 A..HR 749 0.73 K
gp84l3~1.dll Fri 25 Nov 2005 13:34:52 ..S.R 234,654 229.15 K
irfosoft.dll Fri 25 Nov 2005 13:49:10 ..S.R 234,654 229.15 K
laimg12n.dll Fri 25 Nov 2005 13:36:20 ..S.R 236,661 231.11 K
logonu~1.man Fri 28 Oct 2005 14:18:56 A..HR 488 0.48 K
ncpacp~1.man Fri 28 Oct 2005 14:18:48 A..HR 749 0.73 K
nwccpl~1.man Fri 28 Oct 2005 14:18:48 A..HR 749 0.73 K
o248lc~1.dll Fri 25 Nov 2005 13:39:20 ..S.R 236,661 231.11 K
sapicp~1.man Fri 28 Oct 2005 14:18:48 A..HR 749 0.73 K
window~1.man Fri 28 Oct 2005 14:18:56 A..HR 488 0.48 K
wuaucp~1.man Fri 28 Oct 2005 14:18:48 A..HR 749 0.73 K

11 items found: 11 files, 0 directories.
Total of file sizes: 947,351 bytes 925.14 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\MRT.exe: (ASPack)
C:\WINDOWS\system32\MRT.exe: (AsPack2k)
C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
C:\WINDOWS\system32\MRT.exe: ASPack2000
C:\WINDOWS\system32\MRT.exe: ASPack 1.61
C:\WINDOWS\system32\MRT.exe: ASPack 1.084
C:\WINDOWS\system32\MRT.exe: ASPack 1.083
C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\system32\MRT.exe: ASPack 1.07b
C:\WINDOWS\system32\MRT.exe: ASPack 1.05b
C:\WINDOWS\system32\MRT.exe: ASPack 1.02
C:\WINDOWS\system32\MRT.exe: ASPACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\MRT.exe: aspACK
C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Any help will be appreciated.
Posted by alsanady (Newbie Poster, 3 posts, member since Nov 2005)
Nov 25th, 2005

Can't get rid of pop up

I am having a really hard time trying to get URL logic off of my computer. It keeps popping up ads as I surf the web. I have swept my system with Spy Sweeper but it cannot find and remove the spyware. I have also tried to use HijackThis to remove stuff myself but have gotten really confused as to what is good and what isn't. I've pasted the HijackThis log below. I'd really appreciate anyone's help:


Any help will be appreciated
Posted by alsanady (Newbie Poster, 3 posts, member since Nov 2005)
Nov 25th, 2005

Re: Can't get rid of pop up

Perhaps this should be placed in the spyware section? I am sure a Mod will move it for you.

-T
Posted by tayspen (Team Colleague, 1,542 posts, member since Jul 2005)
Nov 25th, 2005

Re: Can't get rid of pop up

I don't see a HJT log. What operating system are you using? Do you have all your windows updates installed?
Posted by just_a_nobody (Junior Poster, 163 posts, member since Jul 2005)
Nov 25th, 2005

Re: Can't get rid of pop up

Quote originally posted by tayspen ...
Perhaps this should be placed in the spyware section? I am sure a Mod will move it for you.

-T
Yes, and Yes. :mrgreen:

Moving now...
Posted by DMR (Team Colleague, 6,439 posts, member since Dec 2003)
Nov 25th, 2005

Re: Can't get rid of pop up

alsanady, please do the following:


1. Download and install these two utilities:


ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en


2. Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.


3. Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.


4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


5. Run ewido and MS Antispyware beta consecutively (the order doesn't matter), and have both programs fix whatever they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.


6. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


7. Reboot normally, run HijackThis again, and post the new log. Also post the "Scan Report" that ewido generated.
Posted by DMR (Team Colleague, 6,439 posts, member since Dec 2003)
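Step 6 of the procedure above is mechanical enough to script, and the two details that matter are easy to get wrong by hand: the contents of each folder go, the folders themselves stay, and it has to be done for every account under Documents and Settings, not just the one that is logged on. The script below is an added example, not DMR's procedure or a DaniWeb tool. It builds a constructed XP-style tree with two accounts under a temporary directory so it can be exercised safely; on a real machine the roots would be C:\Documents and Settings and C:\WINDOWS, which are parameters here, not hard-coded. It runs as a dry run unless execute=True is passed, and an entry Windows refuses to delete (the locked index.dat case the post mentions) is reported and skipped rather than aborting the run.

```python
"""Added example for the clean-up step above (not DMR's code or a DaniWeb tool):
plan, and optionally perform, the emptying of each profile's Cookies, Local
Settings\Temp, Local Settings\History and Local Settings\Temporary Internet
Files plus WINDOWS\Temp and WINDOWS\Prefetch. Contents are removed, the
folders themselves never are. A constructed XP-style tree is built under a
temporary directory so the planner can be exercised safely; the real roots
would be C:\Documents and Settings and C:\WINDOWS (assumed, passed as args)."""
import os
import shutil
import tempfile

PROFILE_SUBDIRS = ["Cookies",
                   os.path.join("Local Settings", "Temp"),
                   os.path.join("Local Settings", "History"),
                   os.path.join("Local Settings", "Temporary Internet Files")]
WINDOWS_SUBDIRS = ["Temp", "Prefetch"]


def cleanup_targets(profiles_root, windows_root):
    """Folders whose contents should be emptied (only those that exist)."""
    targets = []
    if os.path.isdir(profiles_root):
        for user in sorted(os.listdir(profiles_root)):       # every account
            for sub in PROFILE_SUBDIRS:
                path = os.path.join(profiles_root, user, sub)
                if os.path.isdir(path):
                    targets.append(path)
    for sub in WINDOWS_SUBDIRS:
        path = os.path.join(windows_root, sub)
        if os.path.isdir(path):
            targets.append(path)
    return targets


def empty_folders(profiles_root, windows_root, execute=False):
    """Return the top-level entries removed (or, in a dry run, that would be).

    Sub-folders are removed recursively; the target folder itself is kept.
    Entries the OS refuses to delete (e.g. a locked index.dat) are reported
    and skipped instead of aborting the whole run."""
    done = []
    for folder in cleanup_targets(profiles_root, windows_root):
        for entry in sorted(os.listdir(folder)):
            path = os.path.join(folder, entry)
            if execute:
                try:
                    if os.path.isdir(path) and not os.path.islink(path):
                        shutil.rmtree(path)
                    else:
                        os.remove(path)
                except OSError as exc:
                    print("skipped %s: %s" % (path, exc))
                    continue
            done.append(path)
    return done


def build_sample_tree():
    """Construct a fake two-account XP layout in a temp dir (test data only)."""
    root = tempfile.mkdtemp(prefix="xpclean-")
    profiles = os.path.join(root, "Documents and Settings")
    windows = os.path.join(root, "WINDOWS")
    folders = [os.path.join(profiles, u, s) for u in ("Hussain", "Administrator")
               for s in PROFILE_SUBDIRS]
    folders += [os.path.join(windows, s) for s in WINDOWS_SUBDIRS]
    for folder in folders:
        os.makedirs(folder)
        open(os.path.join(folder, "junk.tmp"), "w").close()
    nested = os.path.join(profiles, "Hussain", "Local Settings", "Temp", "cache")
    os.makedirs(nested)                                   # a sub-folder to rmtree
    open(os.path.join(nested, "nested.tmp"), "w").close()
    return profiles, windows


if __name__ == "__main__":
    profiles, windows = build_sample_tree()
    for path in empty_folders(profiles, windows):          # dry run by default
        print("would remove", path)
```

Run it once without execute=True and read the list before committing; the post's warning about data living in Temp folders applies just as much to a script as to doing it by hand.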
Nov 26th, 2005

Re: Can't get rid of pop up

Looks like an L2M infection.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
If after the reboot the log does not open double click on it in the l2mfix folder.
Posted by crunchie (Moderator, 12,165 posts, member since Feb 2004)
Nov 26th, 2005

Re: Can't get rid of pop up

Please reply to this thread only. I have merged both of your threads. Any others started for this problem will be deleted.
Posted by crunchie (Moderator, 12,165 posts, member since Feb 2004)
Nov 28th, 2005

Re: Can't get rid of pop up

Thank you very much Crunchie,
I did exactly what you said, and everything seems to be alright now. Finally I am having a screen with no pop-ups.

Thanks again
Posted by alsanady (Newbie Poster, 3 posts, member since Nov 2005)
Nov 28th, 2005

Re: Can't get rid of pop up

I will need to see the logs I requested, please.
Posted by crunchie (Moderator, 12,165 posts, member since Feb 2004)



© 2011 DaniWeb® LLC