
Hello. I found this forum through google and I hope any of you are able to help me.

When my computer boots up it automatically opens up IE but to a dead website. Immediately after that, it will open up Mozilla Firefox with a new tab every 5 minutes.

I have scanned my computer using Norton Anti-Virus, Ad-Aware SE, and Yahoo! Toolbar and none of those programs found a virus or spyware/adware.

Any help will be greatly appreciated. Thank you!

4 Contributors, 8 Replies, 9 Views, 11 Years Discussion Span, Last Post by crunchie

Hi raidertrk, welcome to DaniWeb :)

Please do the following:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

Once we analyse the log we can tell you what to do from there.


Hi DMR. Thank you for replying. We're both in CA! The following is the information you requested.

Logfile of HijackThis v1.99.1
Scan saved at 3:10:23 PM, on 1/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\csrss.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\WinXP32.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\msctupd.exe
C:\WINDOWS\System32\usbhub.exe
C:\WINDOWS\System32\??stem\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\rarc\hnrh.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\ic0tf67q.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\ic0tf67q.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [artcom] C:\WINDOWS\System32\msctupd.exe
O4 - HKLM\..\Run: [Windows USB Hub Manager] usbhub.exe
O4 - HKLM\..\RunServices: [Windows USB Hub Manager] usbhub.exe
O4 - HKLM\..\RunServices: [mirasofts updotee] lol.exe
O4 - HKCU\..\Run: [Azook] C:\WINDOWS\System32\??stem\msiexec.exe
O4 - HKCU\..\Run: [Windows USB Hub Manager] usbhub.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Daoa] "C:\Program Files\rarc\hnrh.exe" -vt ndrv
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\n2p4lc7q1f.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Csrs - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: W32 - Unknown owner - C:\WINDOWS\WinXP32.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe


Congratulations, raidertrk- you are the proud owner of a virus farm... :(

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

1. Open the Services utility in your Administrative Tools control panel.
- In the list of services, locate the service named Csrs and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK.
- Repeat the above steps for the following services:
W32
Win32Sr
wkssvc

- Close the Services utility.

- Click on the "Run..." option in your Start menu. In the "Open:" box of the resulting window, type "cmd" (omit the quotes) and hit Enter. This will bring up a DOS window. At the DOS prompt, type the following commands, hitting Enter after each:

sc delete Csrs
sc delete W32
sc delete Win32Sr
sc delete wkssvc


2. Download and install the following utilities:

CCleaner - www.ccleaner.com
Webroot Spy Sweeper (14 day free trial) - http://www.webroot.com/shoppingcart...4011&vcode=DT02
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en
ewido Anti-malware - http://www.ewido.net/en/download/

- Open Spy Sweeper, click on "Options", and then click on "Update Definitions" under the Program Options tab. Do not run a scan yet; just close the program once the update completes.

- Open ewido. In the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open Norton antivirus and make sure that it has the most current virus definitions installed. Again- don't scan yet, just close the program once it's updated.


3. Run HijackThis again, put a check mark next to the following entries, and then click the "Fix checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\Run: [artcom] C:\WINDOWS\System32\msctupd.exe
O4 - HKLM\..\Run: [Windows USB Hub Manager] usbhub.exe
O4 - HKLM\..\RunServices: [Windows USB Hub Manager] usbhub.exe
O4 - HKLM\..\RunServices: [mirasofts updotee] lol.exe
O4 - HKCU\..\Run: [Azook] C:\WINDOWS\System32\??stem\msiexec.exe
O4 - HKCU\..\Run: [Windows USB Hub Manager] usbhub.exe
O4 - HKCU\..\Run: [Daoa] "C:\Program Files\rarc\hnrh.exe" -vt ndrv
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\n2p4lc7q1f.dll
O23 - Service: Csrs - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: W32 - Unknown owner - C:\WINDOWS\WinXP32.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe

4. Reboot into Safe Mode and:

Open CCleaner.
- Go to Options-> Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Go to Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other users Profile>\Cookies
Hit OK

- In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders

- Click on Run Cleaner

It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.


- Run Norton, MS Antispyware, and ewido; have the programs fix all malicious items they find.

When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

- Run Spy Sweeper.
* Under the Sweep Options tab, select ALL options under 'What to Sweep'.
* Click the "Sweep" icon and then "Start" to begin scanning.
*When the scan completes, click Next to automatically quarantine all detected items.
*Click the Results icon, select Session Log, and then click Save to File. Save the scan results to your desktop and close Spy Sweeper.


5. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for the following files and delete them if found:

C:\WINDOWS\System32\msctupd.exe
C:\WINDOWS\System32\usbhub.exe

lol.exe
C:\WINDOWS\system32\n2p4lc7q1f.dll
C:\WINDOWS\WinXP32.exe
C:\WINDOWS\win32ssr.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\csrss.exe <-- !! There is a valid Windows file named csrss in the C:\Windows\System32 folder; do not delete the wrong file !!

- Delete the following folders entirely:

C:\Program Files\rarc
C:\WINDOWS\System32\??stem

6. Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the logs that ewido and Spy Sweeper generated.
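Added here as an illustration, not part of the thread and not HijackThis code: a Python triage pass over the HijackThis log format that encodes the checks DMR made by eye (a protected system process name such as csrss.exe running outside System32, autostarts from TEMP or given as bare filenames, a folder name the log could not render, Trusted Zone additions, a random-looking Winlogon Notify DLL, unknown-owner services in the C:\WINDOWS root or with a missing binary). The sample lines are copied from the first log above; the rules are heuristics and deliberately encode no name knowledge, so entries like msctupd.exe and rarc\hnrh.exe are left for the human reader or a signature scanner.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Added example, not HijackThis code: encodes the checks the reply above made by eye;
# name-based knowledge (msctupd.exe, rarc\hnrh.exe) is deliberately not encoded.
# Windows starts these only from %SystemRoot%\System32; the same name elsewhere is a masquerade.
PROTECTED_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                           "services.exe", "lsass.exe", "svchost.exe"}
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# section: HJT prefix (R3, O4, O23 ...) or "PROC" for the process list; line: the log line verbatim
Finding = namedtuple("Finding", "section reason line")

def looks_random(filename: str) -> bool:
    """Crude test for generated names like n2p4lc7q1f.dll: long, digit-heavy, vowel-poor."""
    stem = filename.lower().rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem)
    return len(stem) >= 8 and digits >= 3 and vowels <= 2

def check_process(path: str) -> Optional[Finding]:
    folder, _, name = path.rpartition("\\")
    if name.lower() in PROTECTED_PROCESS_NAMES and not folder.lower().endswith("\\system32"):
        return Finding("PROC", "protected system process name running outside System32", path)
    if "\\temp\\" in path.lower():
        return Finding("PROC", "process running from a TEMP folder", path)
    return None

def check_entry(line: str) -> Optional[Finding]:
    m = ENTRY_RE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    if sec == "O23":                       # Service: Name - Owner - Path
        if "unknown owner" in low and "(file missing)" in low:
            return Finding(sec, "unknown-owner service whose binary is already gone", line)
        folder = body.rsplit(" - ", 1)[-1].rpartition("\\")[0].lower()
        if "unknown owner" in low and folder == "c:\\windows":
            return Finding(sec, "unknown-owner service running from the C:\\WINDOWS root", line)
    elif "(no file)" in low:
        return Finding(sec, "orphaned entry, its file no longer exists", line)
    elif sec == "O4":                      # HKLM\..\Run: [Name] command  |  Global Startup: x.lnk = path
        if "\\temp\\" in low:
            return Finding(sec, "autostart from a TEMP folder", line)
        if "?" in body:
            return Finding(sec, "autostart in a folder the log could not render (look-alike name)", line)
        if "] " in body:
            cmd = body.split("] ", 1)[1].strip()
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ")[0]
            if "\\" not in exe:
                return Finding(sec, "autostart is a bare filename, resolved via PATH search order", line)
    elif sec == "O15":
        return Finding(sec, "site added to the IE Trusted Zone", line)
    elif sec == "O20" and looks_random(body.rsplit("\\", 1)[-1]):
        return Finding(sec, "Winlogon Notify DLL with a generated-looking name", line)
    return None

def triage(log_text: str) -> List[Finding]:
    """One pass over the log; the process list runs from 'Running processes:' to the next blank line."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        found = check_process(line) if in_processes else check_entry(line)
        if found:
            findings.append(found)
    return findings

# Lines copied from the first HijackThis log posted in this thread (not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [mirasofts updotee] lol.exe
O4 - HKCU\..\Run: [Azook] C:\WINDOWS\System32\??stem\msiexec.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\n2p4lc7q1f.dll
O23 - Service: Csrs - Unknown owner - C:\WINDOWS\csrss.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Win32Sr - Unknown owner - C:\WINDOWS\win32ssr.exe (file missing)
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\wkssvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it on the sample flags eleven entries and leaves the legitimate Symantec, Epson and HotSync lines alone; the real log's Network Monitor service, which Spy Sweeper later identified as adware, passes these rules, which is why a scanner still runs after the hand triage.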


Thank you DMR for helping me out. Here are the logs you requested. Let me know if I can do anything else to fix my system. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 7:20:35 PM, on 1/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\viperusb.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\ic0tf67q.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Michael\Application Data\Mozilla\Profiles\default\ic0tf67q.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StrobePro] C:\Program Files\ScanSoft\PaperPort\viperusb.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\r48s0el7ehq.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           6:43:15 PM, 1/22/2006
+ Report-Checksum:      C252CF67


+ Scan result:


HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
[664] C:\WINDOWS\system32\noprovau.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\csrss.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\elitemediapop.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\installer_251.exe -> Downloader.Qoologic.al : Cleaned with backup
C:\WINDOWS\justin.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\c2002cdmgf0a2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cimodem.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1KH32J8O\rp5[1].exe -> Backdoor.Rbot.aob : Cleaned with backup
C:\WINDOWS\system32\dnl8013ue.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dnrq0195e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fp0q03d5e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\fp8403lqe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\gnedit.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hr6005jme.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l8r0li9m18.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m0nq0a55ed.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mcitex.exe -> Logger.VB.eh : Cleaned with backup
C:\WINDOWS\system32\mfwdat10.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mghtml.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\noprovau.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\onc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\pi1_58.exe -> Downloader.Small.bue : Cleaned with backup
C:\WINDOWS\system32\q2680cjuefo80.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\WINDOWS\system32\setup_05860.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_11301.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_15244.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_21141.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_54573.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_60550.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\setup_81583.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\setup_85521.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\system32\usbhub.exe -> Backdoor.Rbot.ald : Cleaned with backup
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\system32\wuauclt.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\WinXP32.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\wkssvc.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup



::Report End



********
6:46 PM: |       Start of Session, Sunday, January 22, 2006       |
6:46 PM: Spy Sweeper started
6:46 PM: Sweep initiated using definitions version 604
6:46 PM: Starting Memory Sweep
6:47 PM: Memory Sweep Complete, Elapsed Time: 00:01:07
6:47 PM: Starting Registry Sweep
6:47 PM:   Found Adware: surfsidekick
6:47 PM:   HKU\.default\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143384)
6:47 PM:   HKU\.default\software\surfsidekick3\  (2 subtraces) (ID = 143387)
6:47 PM:   Found Adware: findthewebsiteyouneed hijack
6:47 PM:   HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
6:47 PM:   Found Adware: visfx
6:47 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\  (2 subtraces) (ID = 712951)
6:47 PM:   Found Adware: dollarrevenue
6:47 PM:   HKLM\software\microsoft\drsmartload\  (1 subtraces) (ID = 916795)
6:47 PM:   Found Adware: elitemediagroup-pop64
6:47 PM:   HKCR\clsid\{9ac54695-69a4-46f1-be10-10c74f9520d5}\  (8 subtraces) (ID = 967504)
6:47 PM:   HKCR\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\  (8 subtraces) (ID = 967532)
6:47 PM:   HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\  (8 subtraces) (ID = 967541)
6:47 PM:   HKCR\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\  (9 subtraces) (ID = 967550)
6:47 PM:   HKLM\software\classes\clsid\{9ac54695-69a4-46f1-be10-10c74f9520d5}\  (8 subtraces) (ID = 967564)
6:47 PM:   HKLM\software\classes\interface\{b216c7fc-397c-45f0-adfc-907df3c87339}\  (8 subtraces) (ID = 967592)
6:47 PM:   HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\  (8 subtraces) (ID = 967601)
6:47 PM:   HKLM\software\classes\typelib\{5bec549d-581b-4636-ae75-28645e8cddc1}\  (9 subtraces) (ID = 967610)
6:47 PM:   Found Adware: command
6:47 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\  (6 subtraces) (ID = 1016064)
6:47 PM:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\  (8 subtraces) (ID = 1016072)
6:47 PM:   Found Trojan Horse: trojan-downloader-dh
6:47 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\dh\  (2 subtraces) (ID = 1057035)
6:47 PM:   Found Adware: purityscan
6:47 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroupoin\  (2 subtraces) (ID = 1070163)
6:47 PM:   HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\  (7 subtraces) (ID = 1110756)
6:47 PM:   HKU\S-1-5-21-515967899-1844237615-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
6:47 PM: Registry Sweep Complete, Elapsed Time:00:00:11
6:47 PM: Starting Cookie Sweep
6:47 PM:   Found Spy Cookie: yieldmanager cookie
6:47 PM:   system@ad.yieldmanager[2].txt (ID = 3751)
6:47 PM:   Found Spy Cookie: adultfriendfinder cookie
6:47 PM:   system@adultfriendfinder[2].txt (ID = 2165)
6:47 PM:   Found Spy Cookie: enhance cookie
6:47 PM:   system@c.enhance[1].txt (ID = 2614)
6:47 PM:   Found Spy Cookie: goclick cookie
6:47 PM:   system@c.goclick[2].txt (ID = 2733)
6:47 PM:   Found Spy Cookie: dealtime cookie
6:47 PM:   system@dealtime[2].txt (ID = 2505)
6:47 PM:   Found Spy Cookie: starware.com cookie
6:47 PM:   system@h.starware[2].txt (ID = 3442)
6:47 PM:   Found Spy Cookie: partypoker cookie
6:47 PM:   system@partypoker[2].txt (ID = 3111)
6:47 PM:   system@stat.dealtime[2].txt (ID = 2506)
6:47 PM:   system@www.starware[1].txt (ID = 3442)
6:47 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:47 PM: Starting File Sweep
6:47 PM:   c:\program files\network monitor (1 subtraces) (ID = -2147459771)
6:48 PM:   Found Adware: e2g
6:48 PM:   ppq98.tmp (ID = 188119)
6:48 PM:   drsmartload1.exe (ID = 235307)
6:48 PM:   d1[1].htm (ID = 188119)
6:48 PM:   Found Adware: look2me
6:48 PM:   r48s0el7ehq.dll (ID = 159)
6:49 PM:   Found Adware: targetsaver
6:49 PM:   vocabulary (ID = 78283)
6:49 PM:   fppm0371e.dll (ID = 159)
6:51 PM:   413_13_op[1].exe (ID = 232747)
6:52 PM:   __delete_on_reboot__noprovau.dll (ID = 159)
6:52 PM:   installer[1].exe (ID = 230778)
6:52 PM:   00101570.dll (ID = 159)
6:52 PM:   00101628.dll (ID = 159)
6:52 PM:   00101926.dll (ID = 159)
6:53 PM:   tsupdate2[1].ini (ID = 193498)
6:53 PM:   58911a96-a3cf-46ac-b304-ad94ed.asq (ID = 187156)
6:54 PM:   Found Adware: clkoptimizer
6:54 PM:   installerus[1].exe (ID = 208542)
6:54 PM:   elitemediagroupoinuninstaller.exe (ID = 213484)
6:55 PM:   42e5aeba-f370-4ec6-8fb8-1a75fe (ID = 180542)
6:55 PM:   eliteunstall.exe (ID = 185456)
6:56 PM:   drsmartload[1].exe (ID = 235307)
6:56 PM:   Found Adware: wfgtech
6:56 PM:   ltndmain[1].dll (ID = 232757)
6:57 PM:   drsmartloadb[1].exe (ID = 216717)
6:57 PM:   00100144.dll (ID = 159)
6:58 PM:   uninstall_nmon.vbs (ID = 231442)
6:58 PM:   ltndconf[1].sys (ID = 232756)
6:59 PM:   00100438.dll (ID = 159)
6:59 PM:   00100313.dll (ID = 159)
6:59 PM:   00100484.dll (ID = 159)
7:00 PM:   yoinsi.exe (ID = 213483)
7:00 PM:   class-barrel (ID = 78229)
7:01 PM:   00101119.dll (ID = 159)
7:01 PM:   netmon.exe (ID = 231443)
7:01 PM:   00100345.dll (ID = 159)
7:01 PM:   elite.ocx (ID = 187157)
7:02 PM:   nq53u3i5vf1im21gsqy5wa6rmf1kuhk.vbs (ID = 185675)
7:02 PM:   donotdelete[1].htm (ID = 198788)
7:02 PM:   drsmartload.dat (ID = 198788)
7:02 PM: File Sweep Complete, Elapsed Time: 00:14:44
7:02 PM: Full Sweep has completed.  Elapsed time 00:16:12
7:02 PM: Traces Found: 162
********
5:37 PM: |       Start of Session, Sunday, January 22, 2006       |
5:37 PM: Spy Sweeper started
5:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:38 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
5:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:38 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:38 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: Updating spyware definitions
5:39 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:47 PM: Updating spyware definitions
5:47 PM: Your spyware definitions have been updated.
5:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:52 PM: Memory Shield: Found: Memory-resident threat command, version 1.0.0.0
5:52 PM: Detected running threat: command
5:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:52 PM: Ignored memory-resident threat: command
5:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
6:44 PM: Program Version 4.5.8  (Build 683)  Using Spyware Definitions 604
6:46 PM: |       End of Session, Sunday, January 22, 2006       |


0

Good job- there's only one infection (the Look2Me parasite) left to kill as far as I can tell. Please do the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

* Save the file to your desktop and double click l2mfix.exe.
* Click the Install button to extract the files and follow the prompts.
* Open the newly added l2mfix folder on your desktop.
* Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter.

This will scan your computer and it may appear nothing is happening. After a minute or two, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!
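The find log that option #1 produces dumps the Winlogon\Notify keys as a .reg export, and DllName values are often stored there as hex(2) (REG_EXPAND_SZ as UTF-16LE bytes, split across continuation lines), which is hard to read by eye. As an added example that is not part of this thread or of L2MFix, the following Python decodes such an export, lists which DLL each Notify subkey loads, and reports subkeys outside an assumed baseline of stock Windows XP packages for review; the sample export and the baseline set are constructed assumptions, not data from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the Winlogon/Notify section of an L2MFix find log
# (.reg export). "xyzabc" is a made-up non-stock subkey that exercises the review path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyzabc]
"DllName"=hex(2):78,00,79,00,7a,00,61,00,62,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline of stock Windows XP Notify packages (an assumption, not from the
# thread; adjust for the build and vendor drivers on the machine being examined).
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def decode_reg_value(value: str) -> str:
    """Decode one .reg value: quoted string, dword, or hex(type) byte list."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    m = re.match(r"hex(?:\((\w+)\))?:(.*)", value)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw.hex()
    return value

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: decoded_value}}."""
    logical: List[str] = []
    for raw in text.splitlines():
        # A trailing backslash continues a hex byte list on the next line.
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw.rstrip())
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys

def winlogon_notify_dlls(text: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey to the DLL it loads (DllName, any case)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    out: Dict[str, str] = {}
    for key, values in parse_reg_export(text).items():
        if key.lower().startswith(prefix):
            dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
            out[key[len(prefix):]] = dll
    return out

def unexpected_notify_entries(text: str) -> List[str]:
    """Subkeys outside the assumed baseline: items to review by hand, not verdicts."""
    return sorted(s for s in winlogon_notify_dlls(text) if s.lower() not in STOCK_NOTIFY)
```

Anything outside the baseline (a vendor entry such as a graphics driver's notify package would land there too) is only a prompt to check where that DLL lives and who signed it.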

0

Hi raidertrk, welcome to DaniWeb :)

Please do the following:

Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move/extract HijackThis to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

Once we analyse the log we can tell you what to do from there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:28 AM, on 22/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\system32\isys32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
E:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vil.nai.com/vil/stinger/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O1 - Hosts: 82.98.86.176 d1zz.com
O1 - Hosts: 82.98.86.175 vikang.com
O1 - Hosts: 82.98.86.166 ubpvk.info
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MonAppli] C:\Windows\system32\isys32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\M3PLUGIN.DLL,UPF
O4 - HKCU\..\Run: [RocketDock] "E:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{401712B0-F9FF-4252-8685-EC048A62FAE7}: NameServer = 10.10.10.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{7983BDE5-E4D5-4DA1-8DA7-44DFB28F0F6C}: NameServer = 202.88.130.15,202.88.130.67,202.88.130.5
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 5777 bytes


So this is what the log file showed me.
What do I do further? Please help me, the pop-ups are too annoying.

0

Good job- there's only one infection (the Look2Me parasite) left to kill as far as I can tell. Please do the following:

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter.

This will scan your computer and it may appear nothing is happening. After a minute or two, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{929EC980-BAC9-452C-84E3-FCA6DCB3BAC6}"="System Guards Context Menu"
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}"="Eset Smart Security - Context Menu Shell Extension"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}"="PhoneBrowser"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   bassmod.dll    Thu May 15 2008  10:37:16p  A....         10,752    10.50 K
   browseui.dll   Mon Apr 21 2008  12:33:56p  A....      1,023,488   999.50 K
   cdfview.dll    Mon Apr 21 2008  12:33:56p  A....        151,040   147.50 K
   danim.dll      Mon Apr 21 2008  12:33:58p  A....      1,054,208     1.00 M
   dxtmsft.dll    Mon Apr 21 2008  12:33:58p  A....        357,888   349.50 K
   dxtrans.dll    Mon Apr 21 2008  12:33:58p  A....        205,312   200.50 K
   extmgr.dll     Mon Apr 21 2008  12:33:58p  A....         55,808    54.50 K
   iacenc.dll     Tue Jun 17 2008   6:20:48p  .....        143,872   140.50 K
   iepeers.dll    Mon Apr 21 2008  12:33:58p  A....        251,392   245.50 K
   inseng.dll     Mon Apr 21 2008  12:33:58p  A....         96,256    94.00 K
   ir41_32.dll    Tue Jun 17 2008   6:20:48p  .....        756,736   739.00 K
   iyvu9_32.dll   Tue Jun 17 2008   6:20:48p  .....         56,832    55.50 K
   jsproxy.dll    Mon Apr 21 2008  12:33:58p  A....         16,384    16.00 K
   msexch40.dll   Tue Mar 25 2008  10:20:28a  A....        518,944   506.78 K
   msexcl40.dll   Tue Mar 25 2008  10:20:30a  A....        326,432   318.78 K
   mshtml.dll     Mon Apr 21 2008  12:34:00p  A....      3,059,712     2.92 M
   mshtmled.dll   Mon Apr 21 2008  12:34:00p  A....        449,024   438.50 K
   msjet40.dll    Tue Mar 25 2008  10:20:34a  A....      1,516,568     1.45 M
   msjeto~1.dll   Tue Mar 25 2008  10:20:40a  A....        355,112   346.79 K
   msjint40.dll   Thu Mar 27 2008   1:42:54p  A....        151,583   148.03 K
   msjter40.dll   Tue Mar 25 2008  10:20:42a  A....         60,192    58.78 K
   msjtes40.dll   Tue Mar 25 2008  10:20:42a  A....        248,608   242.78 K
   msltus40.dll   Tue Mar 25 2008  10:20:44a  A....        219,936   214.78 K
   mspbde40.dll   Tue Mar 25 2008  10:20:46a  A....        355,104   346.78 K
   msrating.dll   Mon Apr 21 2008  12:34:00p  A....        146,432   143.00 K
   msrd2x40.dll   Tue Mar 25 2008  10:20:48a  A....        432,928   422.78 K
   msrd3x40.dll   Tue Mar 25 2008  10:20:50a  A....        322,336   314.78 K
   msrepl40.dll   Tue Mar 25 2008  10:20:52a  A....        559,904   546.78 K
   mstext40.dll   Tue Mar 25 2008  10:20:56a  A....        264,992   258.78 K
   mstime.dll     Mon Apr 21 2008  12:34:00p  A....        532,480   520.00 K
   mswdat10.dll   Tue Mar 25 2008  10:20:58a  A....        838,432   818.78 K
   mswstr10.dll   Tue Mar 25 2008  10:20:58a  A....        621,344   606.78 K
   msxbde40.dll   Tue Mar 25 2008  10:20:58a  A....        355,104   346.78 K
   pngfilt.dll    Mon Apr 21 2008  12:34:00p  A....         39,424    38.50 K
   quartz.dll     Wed May  7 2008  10:48:48a  A....      1,287,680     1.23 M
   shdocvw.dll    Mon Apr 21 2008  12:34:00p  A....      1,494,528     1.42 M
   shlwapi.dll    Mon Apr 21 2008  12:34:00p  A....        474,112   463.00 K
   urlmon.dll     Mon Apr 21 2008  12:34:00p  A....        615,936   601.50 K
   wininet.dll    Mon Apr 21 2008  12:34:00p  A....        659,456   644.00 K
   xpsp3res.dll   Thu Apr 17 2008   4:07:04p  A....        351,744   343.50 K

40 items found:  40 files, 0 directories.
   Total of file sizes:  20,438,015 bytes     19.49 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 4801-8A64

 Directory of C:\WINDOWS\System32

20/06/2008  01:49 PM    <DIR>          dllcache
07/09/2007  08:46 PM    <DIR>          Microsoft
               0 File(s)              0 bytes
               2 Dir(s)   7,603,843,072 bytes free

This is what the log file of the l2mfix.bat file showed me.


0

Hi and welcome to the Daniweb forums :).

==========

saisrivatsan. Try starting your own thread stating your problems and you will receive the help you need.
