wrolyat

The Aim Virus\Browser Hijacks


Alright, well, about 2 days ago one of my friends (who has a MySpace) sent me the stupid old virus. It said something like "Can I use this pic of us in my face picture? link.zip". I unzipped the link and what do you know? A virus popped out. The filename was first called picture01.zip. (There goes another browser redirect.)

 

Immediately my AVG Free Edition (a virus scanner) started going off with "Virus Detected!" I kept moving the file "C:\WINDOWS\system32\ssec.exe" to the virus vault, but it just kept coming up. It kept coming up with "Virus Detected" with all these different virus names like SnowBall.exe and Trojan.Horse.Installer, all kinds of stuff. I know all these are from the AIM virus, or from the pages it redirected me to.

 

I ran Ad-Aware SE Personal and it found 100 and something entries. I had just scanned the day before the virus and I got 0. (Another browser redirect.) I scan with all that stuff about every 3 days, so I know I was clean before this started. Some of the files it couldn't delete, however, were tfthot.exe and something like ssec.exe, I think. I renamed those files virus and virus2 just so I could keep up with them. Every time I went into my system32 folder and deleted tfthot.exe, it would just appear again about 5 seconds later. I figured the ssec.exe (or whatever it was called) was causing it. I tried to delete it, but it said it was being used by another person or program (which was probably the trojan horse). I exited out of all programs and tried it again, but the same thing happened.

 

The stupid thing keeps putting all these shortcuts on my desktop (to other pages) to "Spyware Fixes" which are just viruses.

 

I used the (browser redirect again, I think you get the point) Brute Force Uninstaller with the special .bfu file just for this virus, and that stopped the constant messages of "Virus Detected!"

 

Here is a hijackthis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 2:26:37 PM, on 6/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wmiapsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\mptft.exe

C:\WINDOWS\system32\ssn6tuu.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\nr1rnqm8.exe

C:\WINDOWS\system32\tfthot.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Morpheus\Morpheus.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\AIM Toolbar\toolbar.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\explorer.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 12.199.228.40

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [{87-70-0F-F3-ZN}] c:\windows\system32\dwdsregt.exe GID003

O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe

O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion.../ICSScanner.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Filter: text/html - {E507B1D8-685A-420C-9099-90F3F27971B2} - C:\WINDOWS\system32\x3cqp0.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\ir42l5ho1.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe

 

Since pasting this, 2 more viruses popped up: System32\ssec.exe and Visfx500.exe.

 

Can anyone please help me.... this is crazy.

 

I also found these application files that were created when I downloaded the zip file:

 

drsmartload45a

drsmartload46a

drsmartload849a


Hello,

 

That is a nasty log. :)

 

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.

It is also important that you don't miss a step and perform everything in the right order!!

 

*Please download the Suspicious File Packer from here:

http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.

 

Paste the following list into the Suspicious File Packer window:

 

C:\WINDOWS\wmiapsv.exe

C:\WINDOWS\system32\mptft.exe

C:\WINDOWS\system32\ssn6tuu.exe

C:\WINDOWS\system32\nr1rnqm8.exe

C:\WINDOWS\system32\tfthot.exe

c:\windows\system32\dwdsregt.exe

C:\WINDOWS\system32\x3cqp0.dll

C:\WINDOWS\system32\ssec.exe

 

Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Go to the next page and submit the cab archive there:

http://www.lavasoftsupport.com/index.php?s...0&st=0entry50

 

Also send me that cab archive:

email the file to:

 

miekiemoesATmalware-research.co.uk

 

remember to replace the AT in the above line with an @

(the reason to not post a complete valid e-mail address in a post is so spammers can't harvest the addresses)

 

Please perform this first before performing the rest of the steps.

 

* Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

 

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

 

After reboot,

* Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

 

NewDotNet or New.Net

 

Reboot afterwards. Important!

 

* Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Don't use it yet.

 

In case you notice the loss of your internet connection, go to Start > Run and copy and paste the following command into the field:

 

netsh winsock reset

and hit Enter.

 

Only perform this when you don't have an internet connection anymore!

 

* Reboot into Safe Mode (without networking support!)

To get into Safe Mode as the computer is booting, press and hold your F8 key. Use your arrow keys to move to "Safe Mode" and press Enter.

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20063&k=

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)

O4 - HKLM\..\Run: [{87-70-0F-F3-ZN}] c:\windows\system32\dwdsregt.exe GID003

O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O18 - Filter: text/html - {E507B1D8-685A-420C-9099-90F3F27971B2} - C:\WINDOWS\system32\x3cqp0.dll

O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\ir42l5ho1.dll

O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

* Please set your system to show all files.

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

 

C:\WINDOWS\wmiapsv.exe

C:\WINDOWS\system32\mptft.exe

C:\WINDOWS\system32\ssn6tuu.exe

C:\WINDOWS\system32\nr1rnqm8.exe

C:\WINDOWS\system32\tfthot.exe

c:\windows\system32\dwdsregt.exe

C:\WINDOWS\system32\x3cqp0.dll

C:\WINDOWS\drsmartload45a.exe

C:\WINDOWS\drsmartload46a.exe

C:\WINDOWS\drsmartload849a.exe

C:\WINDOWS\system32\ssec.exe

 

Visfx500.exe <== I guess that one will be in your Windows folder

 

Also check whether the following are present and delete them:

 

C:\NNSCAA638.EXE

C:\comscore.exe

C:\numbsoft.exe

C:\warebundle.exe

C:\ZIGID003.exe

C:\VSL02.exe

C:\Trelew.exe

 

C:\WINDOWS\icont.exe

C:\WINDOWS\nem220.dll

C:\WINDOWS\pf78.exe

C:\WINDOWS\pf79.exe

 

C:\WINDOWS\SYSTEM32\VSL03.exe

C:\WINDOWS\SYSTEM32\VSL05.exe

C:\WINDOWS\SYSTEM32\ZICORN003.exe

C:\WINDOWS\SYSTEM32\wtssvtr.exe

C:\WINDOWS\SYSTEM32\rwinkqez.exe

 

Please hide your hidden files and folders again afterwards, because the above instructions to show all files unhide legitimate files and folders as well.

I don't want you to delete those just because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

 

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks whether you want to cure/move the file.
  • When the scan has finished, check whether you can click the following icon next to the files found: check.gif
  • If so, click it, then click the icon right below and select Move incurable, as shown in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer back to normal mode!!
  • After reboot, post the contents of the Dr.Web log you saved previously in your next reply, together with the contents of Look2Me-Destroyer.txt present on your desktop and a new HijackThis log.

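The helper's HijackThis checklist above follows a fixed set of patterns: orphaned "(no file)" hooks, search and proxy settings pointing off the box, O10 Winsock LSP entries, an O18 text/html MIME filter, Winlogon Notify DLLs that Windows itself did not register, autostarts launched straight out of the Windows directory, and services with no publisher. The script below is an added example that encodes those patterns as a triage pass over a HijackThis 1.99 log; it is not part of the thread and not a HijackThis or Lavasoft tool. Its known-good lists (NvMcTray.dll, igfxcui, WgaLogon and so on) are an assumption drawn only from the clean entries in the logs posted here, and the sample log embedded at the bottom is a copied subset of the first log in the thread.

```python
"""Triage a HijackThis 1.99 log for the entry classes the helper flagged above.

Added example: this script is not part of the thread, nor a HijackThis or
Lavasoft tool. It only knows the log format shown on this page and a small
known-good list taken from the clean entries in those logs; treat its output as
a shortlist for a human, not a verdict.
"""
import re
from collections import Counter
from dataclasses import dataclass

# "R0 - ..." / "O4 - ..." entry lines; header and process-list lines are skipped.
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# First drive-rooted path ending in .exe/.dll inside an O4 command line.
PATH = re.compile(r'[a-z]:\\[^"\n,]+?\.(?:exe|dll)\b', re.I)

# Assumption: known-good names taken from the clean entries in the logs above.
KNOWN_RUN = {"nvmctray.dll", "nvcpl.dll", "igfxtray.exe", "hkcmd.exe"}
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "wrnotifier"}
DEFAULT_SEARCH_HOSTS = ("microsoft.com", "msn.com")


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis entry type, e.g. "O18"
    reason: str  # why the entry made the shortlist
    line: str    # the log line, verbatim


def _host(url):
    """Hostname of a URL, or the bare value (e.g. an IP) if it is not a URL."""
    m = re.search(r"https?://([^/\s]+)", url, re.I)
    return (m.group(1) if m else url.strip()).lower()


def _in_windows_dir(path):
    """True when the file sits directly in %WINDIR% or %WINDIR%\\system32."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith("\\windows") or parent.endswith("\\system32")


def triage(log_text):
    """Return the shortlist of suspicious entries, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reason = None
        if kind in ("R3", "O2", "O3") and "(no file)" in body:
            reason = "orphaned hook/BHO/toolbar registration (safe to fix)"
        elif kind == "R0" and "=" in body:
            host = _host(body.split("=", 1)[1])
            if not any(h in host for h in DEFAULT_SEARCH_HOSTS):
                reason = f"IE search setting points at {host}"
        elif kind == "R1" and "AutoConfigURL" in body:
            reason = "proxy auto-config URL set; browser traffic can be steered"
        elif kind == "O4":
            p = PATH.search(body)
            if p and _in_windows_dir(p.group(0)):
                name = p.group(0).rsplit("\\", 1)[1].lower()
                if name not in KNOWN_RUN:
                    reason = f"autostart of {name} from the Windows directory"
        elif kind == "O10" and "Hijacked Internet access" in body:
            reason = "Winsock LSP hijack; uninstall the product, then netsh winsock reset"
        elif kind == "O18" and body.startswith("Filter: text/html"):
            reason = "text/html MIME filter: every page IE renders passes through this DLL"
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                reason = f"Winlogon Notify package '{name}' loads into winlogon.exe"
        elif kind == "O23" and "Unknown owner" in body:
            reason = "service with no publisher information"
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings


def summarize(findings):
    """Count findings per entry type, e.g. {'O4': 3, 'O20': 1}."""
    return dict(Counter(f.kind for f in findings))


# Sample input: a copied subset of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20063&k=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 12.199.228.40
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{87-70-0F-F3-ZN}] c:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {E507B1D8-685A-420C-9099-90F3F27971B2} - C:\WINDOWS\system32\x3cqp0.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\ir42l5ho1.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

On the sample it shortlists exactly the entries the helper told the poster to fix (the mrfindalot search hijack, the PAC URL, the orphaned R3/O2 hooks, dwdsregt.exe, mptft.exe, ssn6tuu.exe, the New.Net LSP, the x3cqp0.dll MIME filter, the ShellScrap Winlogon package and the wmiapsv.exe service) and leaves the NVIDIA, Intel, AVG and WGA entries alone. The New.Net O4 line is not flagged by the O4 rule because its DLL is under Program Files; the O10 rule catches that product instead. Note that "Fix checked" in HijackThis only removes the registry pointer, which is why the helper's instructions also delete the files themselves in Safe Mode.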

Here is my drweb log:

 

wRvemsp.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Moved.;

syndcmsg.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Will be moved after reboot.;

zejhj.dll;C:\WINDOWS;Adware.MediaMotor;Incurable.Moved.;

mc-110-12-0000487.exe;C:\WINDOWS;Trojan.DownLoader.10320;Incurable.Moved.;

NDNuninstall7_22.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;

NDNuninstall6_38.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;

syndcmsg.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Will be moved after reboot.;

wRvemsp.dll;C:\WINDOWS\system32;Adware.Look2me;Incurable.Deleted.;

msbb321.dll;C:\WINDOWS\system32;Adware.nCase;Incurable.Moved.;

setup_incred_9.exe;C:\WINDOWS\system32;Trojan.MulDrop.1567;Incurable.Moved.;

BO2802040113.dll;C:\WINDOWS\system32;Trojan.MulDrop.1997;Deleted.;

miniclipGameLoader.dll;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.665;Deleted.;

smart[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Adware.DollarRevenue;Incurable.Moved.;

newname25[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Trojan.DownLoader.10206;Deleted.;

ZIGID003[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Adware.ZenoSearch;Incurable.Moved.;

wd7gi8n[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Trojan.DownLoader.3945;Deleted.;

maxidr[1].avi;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MR0LGZMP;Trojan.DownLoader.9894;Incurable.Moved.;

drsmartload[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.DollarRevenue;Incurable.Moved.;

keyboard25[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Trojan.DownLoader.10308;Deleted.;

drsmartload849a[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.DollarRevenue;Incurable.Moved.;

NNSCAA638[1].EXE;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.NewDotNet;Incurable.Moved.;

526_620[1].exe\data001;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX\526_620[1].exe;Trojan.Popuper;;

526_620[1].exe\data002;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX\526_620[1].exe;Trojan.Popuper;;

526_620[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Archive contains infected objects;Moved.;

drsmartload45a[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ATUVEX;Adware.DollarRevenue;Incurable.Moved.;

defender25[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MVUDU3K3;Adware.DollarRevenue;Incurable.Moved.;

smart[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MVUDU3K3;Adware.DollarRevenue;Incurable.Moved.;

Installer[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0T47K3G9;Adware.Look2me;Incurable.Moved.;

drsmartload46a[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0T47K3G9;Adware.DollarRevenue;Incurable.Moved.;

MTE3NDI6ODoxNg[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0T47K3G9;Trojan.DownLoader.5013;Deleted.;

28802_keyboard25.exe.bak;C:\Documents and Settings\Taylor\Desktop\aimfix_quarantine;Trojan.DownLoader.10308;Deleted.;

28802_newname25.exe.bak;C:\Documents and Settings\Taylor\Desktop\aimfix_quarantine;Trojan.DownLoader.10206;Deleted.;

28808_dwdsregt.exe.bak;C:\Documents and Settings\Taylor\Desktop\aimfix_quarantine;Adware.ZenoSearch;Incurable.Moved.;

mc-110-12-0000487.exe;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.DownLoader.10320;Incurable.Moved.;

setup_incred_9.exe;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.MulDrop.1567;Incurable.Moved.;

maxidr[1].avi;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.DownLoader.9894;Incurable.Moved.;

 

 

This is my HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:51:52 PM, on 6/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Morpheus\Morpheus.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion.../ICSScanner.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\gppul3791.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe (file missing)

 

My browser is still redirecting, and on the last reboot into normal mode another "Virus Detected" popped up. I moved it to the vault; here is the info on it:

 

Trojan Horse Look2me

C:\WINDOWS\System32\r88slil781q.dll

Moved Object

Infected

 

That was the info AVG has on it. I still can't get the last thing in the HijackThis logs to go away. Also, some of the stuff you told me to remove in the HijackThis logs wasn't there; I have a list if you need it (it's like 3 or 4).

 

Thanks Again


Hello,

 

I guess you forgot to run this:

 

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    (If Look2Me-Destroyer does not reopen automatically, reboot and try again.)
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt present on your desktop and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

 

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


That's weird.... because I ran it... I will do it again I guess.

 

Edit: I just forgot to post the log:

 

Look2Me-Destroyer V1.0.12

 

Scanning for infected files.....

Scan started at 6/2/2006 7:09:34 PM

 

Infected! C:\WINDOWS\system32\ryaenh.dll

Infected! C:\WINDOWS\system32\pih.dll

Infected! C:\WINDOWS\system32\j4p00e7meh.dll

Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll

Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128632.dll

Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128697.dll

 

Attempting to delete infected files...

 

Attempting to delete: C:\WINDOWS\system32\pih.dll

C:\WINDOWS\system32\pih.dll Deleted successfully!

 

Attempting to delete: C:\WINDOWS\system32\j4p00e7meh.dll

C:\WINDOWS\system32\j4p00e7meh.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll

C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128632.dll

C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128632.dll Deleted successfully!

 

Attempting to delete: C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128697.dll

C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128697.dll Deleted successfully!

 

Making registry repairs.

 

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AE6D26CC-626D-45A1-8508-6D0796664053}"

HKCR\Clsid\{AE6D26CC-626D-45A1-8508-6D0796664053}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D38E3AD5-647C-47DF-9888-30E5A1154D7F}"

HKCR\Clsid\{D38E3AD5-647C-47DF-9888-30E5A1154D7F}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3DE6E059-DA4E-4195-9E5F-4CB0C011F99E}"

HKCR\Clsid\{3DE6E059-DA4E-4195-9E5F-4CB0C011F99E}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7EBE9E2-0EE3-41ED-8445-E3E9738530D7}"

HKCR\Clsid\{F7EBE9E2-0EE3-41ED-8445-E3E9738530D7}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{16AF34A9-F318-47CD-8363-6E1F5469E0B8}"

HKCR\Clsid\{16AF34A9-F318-47CD-8363-6E1F5469E0B8}

 

Restoring Windows certificates.

 

Replaced hosts file with default windows hosts file

 

 

Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1

Scan saved at 12:20:36 PM, on 6/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion.../ICSScanner.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h0l2la3o1d.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r88slil718q.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe (file missing)

 

I can't get that last thing to go away. When I started my comp I kept getting the same virus detected:

 

Trojan Horse Look2me

C:\WINDOWS\System32\h0l2la3o1d.dll

Moved Object

Infected


Hmm, as far as I can see from your log, the Look2me infection is not active anymore, so the leftovers should get deleted fine.

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h0l2la3o1d.dll (file missing)

O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r88slil718q.dll (file missing)

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

* Go to start > run and copy and paste the next command in the field:

sc delete WMIPervAddOn

and hit Enter.

 

Reboot and post a new HijackThis log.

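The reply above reads two kinds of HijackThis entries by eye: O20 Winlogon Notify handlers whose DLL is "(file missing)" or is a .tmp file, and an O23 service with "Unknown owner" and a missing binary, which is then removed with `sc delete`. The following Python example is added here to make that triage mechanical; it is not code from the forum post and not part of HijackThis. It parses O20 and O23 lines in the HijackThis 1.99 format shown in this thread and reports why each flagged entry deserves attention. The `KNOWN_NOTIFY` allow-list (the handlers the clean logs in this thread show as legitimate) and the sample lines are assumptions built from the logs posted above; a finding is a prompt for review, not an automatic deletion.

```python
"""Triage O20 (Winlogon Notify) and O23 (Service) lines from a HijackThis log.

Added example for this thread; not part of HijackThis. Sample lines are
constructed from the logs posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Winlogon Notify handlers the thread's clean logs show as legitimate
# (Intel graphics, Windows Genuine Advantage, Webroot Spy Sweeper).
# Assumed allow-list for this example.
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "wrnotifier"}

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# The "(ShortName)" part is optional: iPodService in the thread has none.
O23_RE = re.compile(
    r"^O23 - Service: (?P<desc>.+?)(?: \((?P<svc>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\h0l2la3o1d.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\r88slil718q.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\guard.tmp
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Performance WMI Adapter AddOn (WMIPervAddOn) - Unknown owner - C:\WINDOWS\wmiapsv.exe (file missing)
"""


def check_o20(line: str) -> Optional[Dict]:
    """Return a finding for an O20 line, or None if it looks benign."""
    m = O20_RE.match(line)
    if not m:
        return None
    reasons: List[str] = []
    if m.group("missing"):
        reasons.append("handler DLL no longer exists (dead persistence entry)")
    if m.group("path").lower().endswith(".tmp"):
        reasons.append("Winlogon Notify handler is a .tmp file")
    if m.group("name").lower() not in KNOWN_NOTIFY:
        reasons.append("handler name not on the allow-list")
    if not reasons:
        return None
    return {"kind": "O20", "name": m.group("name"), "path": m.group("path"),
            "reasons": reasons, "action": "tick in HijackThis and use Fix checked"}


def check_o23(line: str) -> Optional[Dict]:
    """Return a finding for an O23 line, or None if it looks benign."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons: List[str] = []
    if m.group("missing"):
        reasons.append("service binary no longer exists")
    if m.group("owner") == "Unknown owner":
        reasons.append("no publisher recorded for the service")
    if not reasons:
        return None
    svc = m.group("svc") or m.group("desc")
    # Only a service whose binary is gone gets the sc delete suggestion;
    # an unknown owner alone is a reason to look, not to delete.
    action = f"sc delete {svc}" if m.group("missing") else "verify the publisher before acting"
    return {"kind": "O23", "name": svc, "path": m.group("path"),
            "reasons": reasons, "action": action}


def triage(log_text: str) -> List[Dict]:
    """Run both checks over a log and return the findings in log order."""
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        finding = None
        if line.startswith("O20"):
            finding = check_o20(line)
        elif line.startswith("O23"):
            finding = check_o23(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} {f['name']}: {'; '.join(f['reasons'])} -> {f['action']}")
```

Run against the sample, the three Look2Me handlers (App Management, ThemeManager, OptimalLayout) and the WMIPervAddOn service are reported; the graphics, WGA, AVG and iPod entries pass.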

Logfile of HijackThis v1.99.1

Scan saved at 2:15:01 PM, on 6/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion.../ICSScanner.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\guard.tmp

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

 

I had no viruses on log in... that might have done it...

 

Edit:

 

Alright, so I was going through my files just to make sure. I went into the system32 files and it said "Virus Detected!" It was the win32ssec.exe thing again =( . I saw a file called system32tfthot.exe and I deleted it; it was a hidden system file. Now when I deleted it from the recycling bin and restarted my comp a run time error came up!!

 

It said my winlogon.exe was messed up and it shut down my comp!! I have to run in safe mode with networking now. I think I might have deleted another file... the one right next to it... like stfunist.exe or something... I can't remember. I accidentally selected it with the system32tfthot.exe! What should I do!? Or can you send me the file by e-mail? I am really worried.

 

Another Edit ( :) ) :

 

I checked a clone computer of this one and I didn't notice any missing files while I was in safe mode so I just restarted my comp to normal mode and everything is fine... I guess I just need to make sure all of the malware is gone.

 

Thank you again =D


According to your log, we're not finished yet - I see Look2me still active, so run Look2me destroyer again and post the log from it and a new HijackThis log.


Look2Me-Destroyer V1.0.12

 

Scanning for infected files.....

Scan started at 6/3/2006 5:13:48 PM

 

Infected! C:\WINDOWS\system32\guard.tmp

Infected! C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll

 

Attempting to delete infected files...

 

Attempting to delete: C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll Deleted successfully!

 

Making registry repairs.

 

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{96C99396-194D-4798-8D4E-9E0F12FB0E11}"

HKCR\Clsid\{96C99396-194D-4798-8D4E-9E0F12FB0E11}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{03B9D568-1011-4CAB-8042-61B609E0FC8D}"

HKCR\Clsid\{03B9D568-1011-4CAB-8042-61B609E0FC8D}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{008F6541-2118-449D-B15E-82748B0C98A2}"

HKCR\Clsid\{008F6541-2118-449D-B15E-82748B0C98A2}

 

Restoring Windows certificates.

 

Replaced hosts file with default windows hosts file

 

 

Restoring SeDebugPrivilege for Administrators - Succeeded

 

I was able to remove 2 of the .dll files using Spy Sweeper. Spy Sweeper also found lots of other spyware and things in the same directory the look2me stuff was in.


Hmm, according to your previous log, Look2me destroyer didn't touch the guard.tmp.

Can you post a new HijackThis log please, as I already asked before? Because I can't see in the above log if a new Winlogon Notify key got created.


Logfile of HijackThis v1.99.1

Scan saved at 1:34:08 PM, on 6/4/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\Taylor\Desktop\HijackThis.exe

 

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe

O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/platypus/miniclipGameLoader.dll

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion.../ICSScanner.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


They seem fine, thank you so much!! You guys over here are soo helpful! (and I do hope you get paid a lot =D) I would never have been able to fix this by myself if it wasn't for you. I was thinking about reformatting my hard drive it was so bad. I just can't thank you enough. The things you do are just great!! My computer is just like it used to be in the good old days now! (and even better!) I will come back if I have any more problems.

 

I only have two questions. In my C:\Documents and Settings\Local Service\Local Settings\Temporary Internet Files\Content.IE5\random folder name here, there are these weird things stored there with Firefox icons that are htm files; some of their names are "donotdelete2[1].htm" "get.htm" "smartload.htm" and things like that... there is also a .exe file called "mc-110-12-0000228[2].exe" Is that anything to be concerned about?

 

Also, ever since I got the virus, randomly the Microsoft Error report would come up and say "Windows Explorer" (or windows) needs to be shut down, sorry for the inconvenience. Everything goes away showing only my desktop picture, then about 10 sec later everything comes back.


Yes, it was normal that you got that error about your Windows Explorer while you were infected. Look2me was causing this.

 

Yes, you may delete everything present in your Content.IE5 folder.

To do this easily, go to start > run and copy and paste:

shell:cache\content.ie5

 

This should open your content.ie5 folder.

Select everything in there and click delete.

 

Perform a full scan with an updated Adaware SE to get rid of some leftovers if still present.

 

To keep this clean in the future, I would suggest the following things:

 

Install Spywareblaster

SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

 

* Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.

* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.

* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

 

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them first.

 

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.

Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

 

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

 

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your PC, Protect yourself and Protect your Family.

 

More info on how to prevent malware can also be found here (by Tony Klein)

and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

 

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

 

Happy surfing again! :D


Thank you once again... I have spyware blaster and all that, I got it like 2 years ago with avg and ad-aware and spyware search and destroy. I still get the windows explorer errors though... spyware doctor always shows me these "High" infections that should "immediately" be deleted, but won't because I need to purchase it. I don't have any problem with those though.

 

Thank you so much for your time, you do not know how much it has helped. Like I said before, I was thinking about reformatting. Is there anything I can do about the Windows Explorer errors though?


Sorry for the double post, but here is part of a Spyware Doctor scan log of the look2me (it was still there):

 

VX2.Look2Me C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0128720.dll High

TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\class-barrel High

TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\vocabulary High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128782.dll High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128783.dll High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128791.dll High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129808.DLL High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129814.dll High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129882.dll High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129883.DLL High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129896.dll High

VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0129897.dll High

 

All of those files were deleted. It was scary all of the other things that were removed....


Sorry for butting in, but I don't want you to be worried overnight. These finds do not appear to be a threat.

 

Miekiemoes is in Europe and at this hour is probably asleep, but those items in the System Volume Information directory cannot run (unless you chose to restore your computer to a prior time). However, we do need to clean that out (your System Restore points) so you can't accidentally get reinfected.

 

You'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

..................................

The other item is in your Dr.Web (cure-it) quarantine. Again, it has been neutered and cannot run.

Delete the items in the Dr. Web Cure-it quarantine.

.................................

I'm not sure what these are:

TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\class-barrel High

TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\vocabulary High

 

But they don't look like an active threat. I'll let Miekie guide you on those in the morning :D

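Janie's post turns on where a hit lives: a copy under System Volume Information is only a restore-point snapshot, a file in a scanner's quarantine has already been neutered, and only a hit in a live location such as system32 or Program Files can actually be loaded. The Python example below is added here to apply that reasoning to the scanner output pasted in this thread; it is not code from the post, nor from Look2Me-Destroyer or Spyware Doctor. It reads the "Infected! <path>" lines of the Look2Me-Destroyer log and the "<threat> <path> <severity>" lines of the Spyware Doctor excerpt, classifies each path by location, and attaches the handling the thread recommends for that class. The sample lines are copied from the logs above; the regexes and the handling table are my assumptions.

```python
"""Group scanner hits by where the file lives, as discussed in this thread.

Added example; not part of Look2Me-Destroyer or Spyware Doctor. Sample
lines are constructed from the logs posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Handling per location class, following the advice given in the thread
# (assumed mapping for this example).
HANDLING = {
    "live": "remove now: the file can be loaded by the running system",
    "restore_point": "inert unless a restore is run: clear it by turning "
                     "System Restore off, rebooting, and turning it on again",
    "quarantine": "inert: delete it from the scanner's quarantine",
}

# Windows XP restore-point copies live under _restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I
)
QUARANTINE_RE = re.compile(r"\\Quarantine\\", re.I)

# Look2Me-Destroyer hit line: "Infected! <path>"
L2M_RE = re.compile(r"^Infected! (?P<path>.+)$")
# Spyware Doctor line as pasted in the thread: "<threat> <path> <severity>"
SD_RE = re.compile(r"^(?P<threat>\S+) (?P<path>[A-Za-z]:\\.+?) (?P<sev>High|Medium|Low)$")

# Constructed sample: a mix of Look2Me-Destroyer and Spyware Doctor lines
# taken from the logs in this thread, plus two non-hit lines to be ignored.
SAMPLE_LINES = r"""
Scanning for infected files.....
Infected! C:\WINDOWS\system32\ryaenh.dll
Infected! C:\WINDOWS\system32\guard.tmp
Infected! C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP665\A0128555.dll
Infected! C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\wRvemsp.dll
Attempting to delete: C:\WINDOWS\system32\ryaenh.dll
VX2.Look2Me C:\System Volume Information\_restore{88CD16C9-7037-47B3-92C6-C23898D65721}\RP666\A0128782.dll High
TargetSavers C:\Program Files\Common Files\wkmw\wkmwd\class-barrel High
"""


def extract_path(line: str) -> Optional[str]:
    """Pull the file path out of a scanner hit line; None for other lines."""
    m = L2M_RE.match(line) or SD_RE.match(line)
    return m.group("path") if m else None


def classify(path: str) -> str:
    """Return 'restore_point', 'quarantine' or 'live' for a path."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if QUARANTINE_RE.search(path):
        return "quarantine"
    return "live"


def triage_hits(log_text: str) -> Dict[str, List[str]]:
    """Group every hit path in the log by its location class."""
    groups: Dict[str, List[str]] = {cls: [] for cls in HANDLING}
    for raw in log_text.splitlines():
        path = extract_path(raw.strip())
        if path:
            groups[classify(path)].append(path)
    return groups


def report(groups: Dict[str, List[str]]) -> str:
    """Render the grouped hits with the handling for each class."""
    out: List[str] = []
    for cls, paths in groups.items():
        if paths:
            out.append(f"{cls} ({len(paths)}): {HANDLING[cls]}")
            out.extend("    " + p for p in paths)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_hits(SAMPLE_LINES)))
```

On the sample, the two system32 files and the TargetSavers folder content come out as live hits to remove, the two RP copies as restore-point residue to clear by resetting System Restore, and the Dr.Web item as quarantine to empty.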

Hi Janie, thanks for popping in :(

 

wrolyat, yes, the next ones have to go:

 

TargetSavers C:\Program Files\Common Files\wkmw <== folder

 

It's also known as TSA.

 

bers55, please start with a new thread with your Hijackthislog. Don't mail me, but post it in the forums. Thanks


Alright, I got that folder deleted. While I was there I clicked the option to view hidden/system files and I found yazzleuninstall, which was part of the snowballwars.exe and all the other spam/viruses I got, so I deleted that as well. A virus keeps coming up for me... it's called "Trojan_backdoor_retro64". I think I got it now... but it kept popping up before for some reason. I'll post here again if something else pops up, but for now thank you so much. You saved my computer from "impending doom" ;)


Just let your scanners delete anything they pop up with - because a lot of leftovers may still be present (HijackThis doesn't show all, it only shows the main startup keys) ;)


Yes, it's me again :) . I thought everything was removed... and it appears that it is, but I still get the windows explorer errors... anything I can do about those? They are very annoying and happen about twice a day.
