Jump to content


Photo

The Aim Virus\Browser Hijacks


  • Please log in to reply
37 replies to this topic

#1 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 02 June 2006 - 07:35 PM

Alright well about 2 days ago one of my friends (who has a myspace) sent me the stupid old virus. It said something like "Can I use this pic of us in my face picture? link.zip" I unzipped the link and what do you know? A virus popped out. The filename was first called picture01.zip. (there goes another browser redirect)

Immediately my AVG Free Edition (a virus scanner) started going off with "Virus Detected!" I kept moving the file " C:\WINDOWS\system32ssec.exe" to the virus vault, but it just kept coming up. It kept coming up with "Virus Detected" with all these different virus names like SnowBall.exe, and Trojan.Horse.Installer, all kinds of stuff. I know all these are from the aim virus, or from the pages it redirected me to.

I ran ad-aware se personal and it found like 100 and something entries. I had just scanned the previous day before the virus and I got 0. (another browser redirect) I scan with all that stuff about every 3 days so I know I was clean before this started. Some of the files it couldn't delete however were tfthot.exe and something like ssec.exe I think. I renamed those files virus and virus2 just so I could keep up with them. Everytime I went in through my system32 files and I deleted tfthot.exe, it would just appear again about 5 seconds later. I figured the ssec.exe (or whatever it was called) was causing it. I tried to delete it, but it said it was being used by another person or program (which was probably the trojan horse.) I exited out of all programs and tried it again, but the same thing happened.

The stupid thing keeps putting all these shortcuts on my desktop (to other pages) to "Spyware Fixes" which are just viruses.

I used the (browser redirect again, I think you get the point) brutalforce uninstaller with the special .bfu file just for this virus and that stopped the constant messages of "Virus Detected!."

Here is a hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:26:37 PM, on 6/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wmiapsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\tfthot.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Morpheus\Morpheus.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\AIM Toolbar\toolbar.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo...asp?si=20063&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo...asp?si=20063&k=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 12.199.228.40
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [{87-70-0F-F3-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/...pGameLoader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {E507B1D8-685A-420C-9099-90F3F27971B2} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\ir42l5ho1.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe

Since pasting this 2 more viruses popped up the System32ssec.exe and Visfx500.exe.

Can anyone please help me.... this is crazy.

I also found these application files that were created when I downloaded the zip file:

drsmartload45a
drsmartload46a
drsmartload849a

#2 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 02 June 2006 - 10:48 PM

Hello,

That is a nasty log. :)

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

*Please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\wmiapsv.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\tfthot.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\x3cqp0.dll
C:\WINDOWS\system32\ssec.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to next page and submit the cab archive there:
http://www.lavasofts...0&st=0

Also send me that cab archive:
email the file to:

miekiemoesATmalware-research.co.uk

remember to replace the AT in the above line with an @
(the reason to not post a complete valid e-mail address in a post is so spammers can't harvest the addresses)

Please perform this first before performing the rest of the steps.

* Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

After reboot,
* Go to start > controlpanel > software > add/remove programs and uninstall next if present:

NewDotNet or New.Net

Reboot afterwards.. important!

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Don't use it yet.

In case you notice the loss of your internet connection, go to start > run and copy and paste next command in the field:

netsh winsock reset hit enter.

Only perform this when you don't have an internet connection anymore!

* Reboot into Safe Mode`: ( without networking support !)
┬░To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalo...asp?si=20063&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalo...asp?si=20063&k=
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [{87-70-0F-F3-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O18 - Filter: text/html - {E507B1D8-685A-420C-9099-90F3F27971B2} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\ir42l5ho1.dll
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\wmiapsv.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\tfthot.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\x3cqp0.dll
C:\WINDOWS\drsmartload45a.exe
C:\WINDOWS\drsmartload46a.exe
C:\WINDOWS\drsmartload849a.exe
C:\WINDOWS\system32\ssec.exe

Visfx500.exe <== guess that one will be in your Windows-folder

Also look if next are present and delete them:

C:\NNSCAA638.EXE
C:\comscore.exe
C:\numbsoft.exe
C:\warebundle.exe
C:\ZIGID003.exe
C:\VSL02.exe
C:\Trelew.exe

C:\WINDOWS\icont.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\pf78.exe
C:\WINDOWS\pf79.exe

C:\WINDOWS\SYSTEM32\VSL03.exe
C:\WINDOWS\SYSTEM32\VSL05.exe
C:\WINDOWS\SYSTEM32\ZICORN003.exe
C:\WINDOWS\SYSTEM32\wtssvtr.exe
C:\WINDOWS\SYSTEM32\rwinkqez.exe

Please hide your hidden files and folders afterwards again, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer back to normal mode!!
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, together with the contents of Look2Me-Destroyer.txt present on your desktop and a new HiJackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#3 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 03 June 2006 - 03:02 AM

Here is my drweb log:

wRvemsp.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Moved.;
syndcmsg.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Will be moved after reboot.;
zejhj.dll;C:\WINDOWS;Adware.MediaMotor;Incurable.Moved.;
mc-110-12-0000487.exe;C:\WINDOWS;Trojan.DownLoader.10320;Incurable.Moved.;
NDNuninstall7_22.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
NDNuninstall6_38.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
syndcmsg.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Will be moved after reboot.;
wRvemsp.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Deleted.;
msbb321.dll;C:\WINDOWS\system32;Adware.nCase;Incurable.Moved.;
setup_incred_9.exe;C:\WINDOWS\system32;Trojan.MulDrop.1567;Incurable.Moved.;
BO2802040113.dll;C:\WINDOWS\system32;Trojan.MulDrop.1997;Deleted.;
miniclipGameLoader.dll;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.665;Deleted.;
smart[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Adware.DollarRevenue;Incurable.Moved.;
newname25[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Trojan.DownLoader.10206;Deleted.;
ZIGID003[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Adware.ZenoSearch;Incurable.Moved.;
wd7gi8n[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Trojan.DownLoader.3945;Deleted.;
maxidr[1].avi;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Trojan.DownLoader.9894;Incurable.Moved.;
drsmartload[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.DollarRevenue;Incurable.Moved.;
keyboard25[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Trojan.DownLoader.10308;Deleted.;
drsmartload849a[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.DollarRevenue;Incurable.Moved.;
NNSCAA638[1].EXE;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.NewDotNet;Incurable.Moved.;
526_620[1].exe\data001;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX\526_620[1].exe;Trojan.Popuper;;
526_620[1].exe\data002;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX\526_620[1].exe;Trojan.Popuper;;
526_620[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Archive contains infected objects;Moved.;
drsmartload45a[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.DollarRevenue;Incurable.Moved.;
defender25[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MVUDU3K3;Adware.DollarRevenue;Incurable.Moved.;
smart[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MVUDU3K3;Adware.DollarRevenue;Incurable.Moved.;
Installer[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0T47K3G9;Adware.Look2me;Incurable.Moved.;
drsmartload46a[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0T47K3G9;Adware.DollarRevenue;Incurable.Moved.;
MTE3NDI6ODoxNg[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0T47K3G9;Trojan.DownLoader.5013;Deleted.;
28802_keyboard25.exe.bak;C:\Documents and Settings\Taylor\Desktop\aimfix_quarantine;Trojan.DownLoader.10308;Deleted.;
28802_newname25.exe.bak;C:\Documents and Settings\Taylor\Desktop\aimfix_quarantine;Trojan.DownLoader.10206;Deleted.;
28808_dwdsregt.exe.bak;C:\Documents and Settings\Taylor\Desktop\aimfix_quarantine;Adware.ZenoSearch;Incurable.Moved.;
mc-110-12-0000487.exe;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.DownLoader.10320;Incurable.Moved.;
setup_incred_9.exe;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.MulDrop.1567;Incurable.Moved.;
maxidr[1].avi;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.DownLoader.9894;Incurable.Moved.;


This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:51:52 PM, on 6/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Morpheus\Morpheus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/...pGameLoader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\gppul3791.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe (file missing)

My browser is still redirecting and on the last reboot into normal mode another "Virus Detected" popped up and I moved it to the vault, here is the info on it:

Torjan Horse Look2me
C:\WINDOWS\System32\r88slil781q.dll
Moved Object
Infected

That was the info avg has on it. I still can't get the last thing in hijackthis logs to go away. Also, some of the stuff you told me to remove in the hijackthis logs weren't there, I have a list if you need it (it's like 3 or 4.)

Thanks Again

#4 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 03 June 2006 - 06:16 AM

Hello,

I guess you forgot to run this:

Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt present on your desktop and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX


AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#5 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 03 June 2006 - 06:57 AM

That's weird.... because I ran it... I will do it again I guess.

Edit: I just forgot to post the log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/2/2006 7:09:34 PM

Infected! C:\WINDOWS\system32\ryaenh.dll
Infected! C:\WINDOWS\system32\pih.dll
Infected! C:\WINDOWS\system32\j4p00e7meh.dll
Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll
Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128632.dll
Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128697.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\pih.dll
C:\WINDOWS\system32\pih.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j4p00e7meh.dll
C:\WINDOWS\system32\j4p00e7meh.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll
C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128632.dll
C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128632.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128697.dll
C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128697.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AE6D26CC-626D-45A1-8508-6D0796664053}"
HKCR\Clsid\{AE6D26CC-626D-45A1-8508-6D0796664053}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D38E3AD5-647C-47DF-9888-30E5A1154D7F}"
HKCR\Clsid\{D38E3AD5-647C-47DF-9888-30E5A1154D7F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3DE6E059-DA4E-4195-9E5F-4CB0C011F99E}"
HKCR\Clsid\{3DE6E059-DA4E-4195-9E5F-4CB0C011F99E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7EBE9E2-0EE3-41ED-8445-E3E9738530D7}"
HKCR\Clsid\{F7EBE9E2-0EE3-41ED-8445-E3E9738530D7}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{16AF34A9-F318-47CD-8363-6E1F5469E0B8}"
HKCR\Clsid\{16AF34A9-F318-47CD-8363-6E1F5469E0B8}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#6 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 03 June 2006 - 07:02 AM

Ok, and now a new hijackthislog. :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#7 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 03 June 2006 - 05:23 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:20:36 PM, on 6/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/...pGameLoader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h0l2la3o1d.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r88slil718q.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe (file missing)

I can't get that last thing to go away. When I started my comp I keep getting the same virus detected:

Trojan Horse Look2me
C:\WINDOWS\System32\h0l2la3o1d.dll
Moved Object
Infected

#8 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 03 June 2006 - 05:27 PM

Hmm, as far I can see from your log, the Look2me infection is not active anymore, so the leftovers should get deleted fine..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h0l2la3o1d.dll (file missing)
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r88slil718q.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to start > run and copy and paste next command in the field:

sc delete WMIPervAddOn hit enter.

Reboot and post a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#9 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 03 June 2006 - 07:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:15:01 PM, on 6/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/...pGameLoader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\guard.tmp
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I had no viruses on log in... that might of done it...

Edit:

Alright so I was going through my files just to make sure, I went into the system32 files just to make sure and it said "Virus Detected!" it was the win32ssec.exe thing again =( . I saw a file called system32tfthot.exe and I deleted it, it was a hidden system file. Now when I deleted it from the recycling bin and restarted my comp a run time error came up!!

It said my winlogon.exe was messed up and it shutdown my comp!! I have to run in safe mode with networking now, I think I might of deleted another file... the one right next to it... like stfunist.exe or something... I can't remember. I accidentally selected it with the system32tfthot.exe! What should I do!? Or can you give me the file in e-mail, I am really worried.

Another Edit ( :) ) :

I checked a clone computer of this one and I didn't notice any missing files while I was in safe mode so I just restarted my comp to normal mode and everything is fine... I guess I just need to make sure all of the malware is gone.

Thank you again =D

#10 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 03 June 2006 - 09:38 PM

According to your log, we're not finished yet - I see Look2me still active, so run Look2me destroyer again and post the log from it and a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#11 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 03 June 2006 - 10:24 PM

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/3/2006 5:13:48 PM

Infected! C:\WINDOWS\system32\guard.tmp
Infected! C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll

Attempting to delete infected files...

Attempting to delete: C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{96C99396-194D-4798-8D4E-9E0F12FB0E11}"
HKCR\Clsid\{96C99396-194D-4798-8D4E-9E0F12FB0E11}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{03B9D568-1011-4CAB-8042-61B609E0FC8D}"
HKCR\Clsid\{03B9D568-1011-4CAB-8042-61B609E0FC8D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{008F6541-2118-449D-B15E-82748B0C98A2}"
HKCR\Clsid\{008F6541-2118-449D-B15E-82748B0C98A2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

I was able to remove 2 of the .dll using spy spy sweeper. Spy Sweeper also found lots of other spyware and things in the same directory the look2me stuff was in.

#12 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 04 June 2006 - 08:30 AM

Hmm, according to your previous log, Look2me destroyer didn't touch the guard.tmp
Can you post a new hijackthislog please as I already asked before? Because I can't see in above log if a new Winlogon Notify key got created.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#13 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 04 June 2006 - 06:35 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:34:08 PM, on 6/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/...pGameLoader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#14 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 04 June 2006 - 06:36 PM

Ok, it's gone there. How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#15 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 04 June 2006 - 07:56 PM

They seem fine, thank you so much!! You guys over here are soo helpful! (and I do hope you get paid a lot =D) I would of never been able to fix this by myself if it wasn't for you. I was thinking about reformatting my hard drive it was so bad. I just can't think you enough. The things you do are just great!! My computer is just like it used to be in the good old days now! (and even better!) I will come back if I have any more problems.

I only have two question, in my C:\Documents and Settings\Local Service\Local Settings\Temporary Internet Files\Content.IE5\random folder name here, there are these weird things stored there with firefox icons that are htm files, some of their names are "donotdelete2[1].htm" "get.htm" "smartload.htm" and things like that... there is also a .exe file called "mc-110-12-0000228[2].exe" Is that anything to be concerened about?

Also, ever since I got the virus, randomly the Microsoft Error report would come up a say "Windows Explorer" (or windows) needs to be shutdown, sorry for the inconvienence. Everything goes away showing only my desktop picture, then about 10 sec later everything comes back.

#16 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 04 June 2006 - 08:27 PM

Yes, that was normal that you got that error about your Windows explorer while you were infected. Look2me was causing this.

Yes, you may delete everything present in your Content.IE5 folder.
To do this easily, go to start > run and copy and paste:
shell:cache\content.ie5

This should open your content.ie5 folder.
Select everything in there and click delete.

Perform a full scan with an updated Adaware SE to get rid of some leftovers if still present.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castleco...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :D
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#17 bers55

bers55

    Member

  • Members
  • PipPip
  • 16 posts

Posted 05 June 2006 - 01:28 AM

I got this to please respond to my email about this.

#18 bers55

bers55

    Member

  • Members
  • PipPip
  • 16 posts

Posted 05 June 2006 - 01:30 AM

sorry about the double post.

#19 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 05 June 2006 - 02:33 AM

Thank you once again... I have spyware blaster and all that, I got it like 2 years ago with avg and ad-aware and spyware search and destroy. I still get the windows explorer errors though... spyware doctor always shows me these "High" infections that should "immediately" be deleted, but won't because I need to purchase it. I don't have any problem with those though.

Thank you so much for your time, you do not know how much it has helped. Like I said before, I was thinking about reformatting. Is there anything I can do about the Windows Explorer errors though?

#20 wrolyat

wrolyat

    Advanced Member

  • Members
  • PipPipPip
  • 33 posts

Posted 05 June 2006 - 03:20 AM

Sorry for the double post, but here is part of a spyware doctor scan log of the look2me (it was still there) :

VX2.Look2Me C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0128720.dll High
TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\class-barrel High
TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\vocabulary High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128782.dll High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128783.dll High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128791.dll High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129808.DLL High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129814.dll High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129882.dll High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129883.DLL High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129896.dll High
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129897.dll High

All of those files were deleted. It was scary all of the other things that were removed....




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users