Got the windowsantiviruspro 2006 problem - Sigh.

Logfile of HijackThis v1.99.1
Scan saved at 13:58:13, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\WINDOWS\RG91ZyBIYXl3YXJk\command.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\Network Monitor\netmon.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\mousepad10.exe
D:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\paytime.exe
D:\WINDOWS\system32\syshost.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
D:\DOCUME~1\Doug\MYDOCU~1\APPATC~1\mshta.exe
D:\WINDOWS\system32\??mantec\r?ndll.exe
C:\winstall.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\TEMP\NI.UWFX6_0001_N69M1503\setup.exe
D:\WINDOWS\TEMP\NI.UWA6P_0001_N73M0604\setup.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\TEMP\ytb2.exe
D:\Documents and Settings\Doug\Desktop\ccsetup128.exe
D:\WINDOWS\TEMP\ytb2.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - D:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname10.exe
O4 - HKLM\..\Run: [SurfSideKick 3] D:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Agent] D:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] D:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "D:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] D:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Ctcr] "D:\DOCUME~1\Doug\MYDOCU~1\APPATC~1\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [Lvscc] D:\WINDOWS\system32\??mantec\r?ndll.exe
O4 - HKCU\..\Run: [Shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O4 - HKCU\..\Run: [Key] D:\DOCUME~1\Doug\LOCALS~1\Temp\1C7.tmp
O4 - HKCU\..\Run: [Win_Fixer_Free] D:\Program Files\WinFixerFree\uwinfx6.exe /scan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll
O20 - Winlogon Notify: SensSrv - D:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: Syncmgr - D:\WINDOWS\system32\j46m0ej1eho.dll
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\RG91ZyBIYXl3YXJk\command.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe
Ok, you got a massive collection of infections! But don't worry, we'll get you cleaned =)

Cleaning Instructions

Go to Control Panel -> Add or remove programs -> Remove webHancer, WinAntiVirus if found

Download Look2Me-Destroyer -> http://www.atribune.org/ccount/click.php?id=7 and save it on desktop

IMPORTANT: Before continuing, you MUST do the following:
-> Print this or save as a text file
-> Click start -> run -> services.msc -> ok
-> Check that this service is running or its startup type is automatic: Secondary logon
-> Disconnect from internet (unplug your network cable)
-> Close ALL antivirus programs (this is essential!)
-> Close all windows before continuing.
-> Double-click Look2Me-Destroyer.exe to run it.
-> Put a check next to Run this program as a task.
-> You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
-> When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
-> Once it's done scanning, click the Remove L2M button.
-> You will receive a Done Scanning message, click OK.
-> When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
-> Your computer will then shut down.
-> Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

THEN:

Download BFU.zip -> http://www.merijn.org/files/bfu.zip
Unzip it to folder C:\BFU
Run bfu.exe and click the web button (blue-green button in the upper-right corner)
Copy the following line to the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu
Press the Execute button.

THEN:

Download SideKickFix.bat -> http://downloads.subratam.org/Lon/sidekickFix.bat and save it to the folder C:\BFU.
Close all other windows.
Double-click the file sidekickFix.bat
Click YES and follow the instructions; when it asks about restarting the pc, restart it.

Post a new HijackThis log here and the contents of C:\Look2Me-Destroyer.txt too.

YOU ARE NOT CLEAN YET! We'll continue the cleaning process when you post the logs =)
Ok, worked through all that, thanks by the way. Any suggestions of what else to do?

Logfile of HijackThis v1.99.1
Scan saved at 15:09:49, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
Ok, let's clean the rest of the infections.

You don't have a firewall or an antivirus on your computer. Download and install one firewall and one antivirus.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com

These are good (free) antiviruses:
AVG Antivirus --> http://www.grisoft.com
Avast --> http://www.avast.com

UPDATE Ewido, but do NOT run a scan yet.

-> Cleaning instructions:

Download smitrem to your desktop -> http://noahdfear.geekstogo.com/click counter/click.php?id=1
Double-click it and press Start, the smitrem folder appears on the desktop.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Restart your computer into safe mode (Press F8 button when computer is starting and choose safe mode)

Run HijackThis and fix these entries (if found):
(Do a system scan only, check entries, close all other windows, press Fix checked)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - D:\WINDOWS\SYSTEM32\directpt.dll

Make your hidden files visible:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Show hidden files and folders.

Delete these folders: (if found)
D:\PROGRA~1\COMMON~1\-->ozzr
D:\WINDOWS\-->RG91ZyBIYXl3YXJk
D:\Program Files\-->Network Monitor
D:\Program Files\-->webHancer
D:\DOCUME~1\Doug\MYDOCU~1\-->APPATC~1
D:\WINDOWS\system32\-->??mantec
D:\Program Files\-->SurfSideKick
D:\Program Files\-->WinAntiVirus Pro 2006
D:\Program Files\-->WinFixerFree

Delete these files: (if found)
C:\Program Files\-->paytime.exe
D:\Documents and Settings\Doug\-->order_ivaw.exe
D:\WINDOWS\system32\-->lv4609hse.dll
D:\WINDOWS\SYSTEM32\-->directpt.dll
D:\WINDOWS\SYSTEM32\-->senssrv.dll
D:\WINDOWS\system32\-->syshost.exe

Then go to the smitrem folder on your desktop, run the RunThis.bat file and follow the instructions.

Run ATF Cleaner -> Check select all -> Press Empty selected

Empty the Recycle Bin

Make your hidden files invisible again:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Do not show hidden files and folders.

Scan and clean your computer with Ewido and save the log file.

Restart your computer normally.

Post the following logs here:
-> fresh HijackThis log
-> Ewido's log
-> contents of C:\smitfiles.txt
-> contents of C:\Look2Me-Destroyer.txt
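The helper above is triaging HijackThis entries by hand (local start page, autoruns from odd locations, orphaned Winlogon Notify DLLs, unknown-owner services under the Windows directory). The script below is an added example, not part of the thread and not HijackThis's own logic: it parses the HJT log format and applies those rules as I read them from the helper's instructions; the sample lines are copied from the first log posted, and the search-provider allowlist and location patterns are my assumptions.

```python
"""Triage a HijackThis v1.99-style log the way the helper in this thread did by hand.

Hypothetical example: the rules are my reading of the entries the helper told the
poster to fix, not HijackThis's built-in logic, and they are deliberately narrow.
"""
import re

# Sample lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Key] D:\DOCUME~1\Doug\LOCALS~1\Temp\1C7.tmp
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O10 - Hijacked Internet access by WebHancer
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: Syncmgr - D:\WINDOWS\system32\j46m0ej1eho.dll
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\RG91ZyBIYXl3YXJk\command.exe
"""

# Every HJT finding is "<section code> - <body>"; headers and the process list are not.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First file-like token of an O4 command, with or without quotes, drive letter or arguments.
PATH_RE = re.compile(r'"?((?:[A-Za-z]:\\)?[^"]*?\.(?:exe|dll|tmp|bat|scr|pif))"?', re.I)
# Search providers accepted for the IE search keys (my assumption, not an HJT list).
KNOWN_SEARCH = re.compile(r"(google|msn|microsoft|yahoo)\.com", re.I)
# Places the thread's malware ran from; installed software rarely lives directly there.
SUSPECT_LOCATIONS = [
    (re.compile(r"^[a-z]:\\[^\\]+$", re.I), "drive root"),
    (re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I), "Windows dir root"),
    (re.compile(r"^[a-z]:\\program files\\[^\\]+$", re.I), "Program Files root"),
    (re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I), "user profile root"),
    (re.compile(r"\\temp\\|\\locals~1\\|\\appatc~1\\", re.I), "temp or mangled app-data path"),
]


def parse(log_text):
    """Yield (section, body) for each HJT entry line; skip headers and the process list."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def autorun_path(body):
    """Extract the executable path from an O4 body such as '[name] "path" /args'."""
    cmd = body.split("]", 1)[1].strip()
    m = PATH_RE.match(cmd)
    return m.group(1) if m else cmd


def triage(section, body):
    """Return a reason string if the entry looks like something to fix, else None."""
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if re.match(r"^[a-z]:\\", value, re.I):
            return "browser start/search page points at a local file"
        if "search" in key.lower() and not KNOWN_SEARCH.search(value):
            return "search page redirected to an unknown host"
    elif section == "F2" and "Shell=" in body:
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return "extra executable chained after explorer.exe in the Shell value"
    elif section == "O4":
        path = autorun_path(body)
        if "\\" not in path:
            return "autorun with bare filename (no path)"
        for pattern, where in SUSPECT_LOCATIONS:
            if pattern.search(path):
                return f"autorun from {where}"
        if path.lower().endswith(".tmp"):
            return "autorun executes a .tmp file"
    elif section == "O10":
        return "Winsock LSP hijack"
    elif section == "O20":
        if body.endswith("(file missing)"):
            return "orphaned Winlogon Notify entry (file missing)"
        name = body.rsplit("\\", 1)[-1].lower()
        # Weak check: the thread's directpt.dll has a plain name and passes it.
        if not re.match(r"^[a-z]+\.dll$", name):
            return "Winlogon Notify DLL with a random-looking name"
    elif section == "O23" and "- Unknown owner -" in body:
        path = body.rsplit(" - ", 1)[-1]
        if re.search(r"\\windows\\[^\\]+\\", path, re.I) and "system32" not in path.lower():
            return "service without vendor info running from a non-standard Windows subfolder"
    return None


def triage_log(log_text):
    """Return [(section, body, reason)] for every entry a rule fires on."""
    findings = []
    for sec, body in parse(log_text):
        reason = triage(sec, body)
        if reason:
            findings.append((sec, body, reason))
    return findings


if __name__ == "__main__":
    for sec, body, why in triage_log(SAMPLE_LOG):
        print(f"{sec}: {why}\n    {body}")
```

Entries the rules do not fire on (jusched.exe, ctfmon.exe, the Belkin service) are the ones the helper also left alone; anything flagged still needs a human to confirm before it is fixed.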
Smit Log

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/04/2006
The current time is: 3:19:31.74

Running from
D:\Documents and Settings\Doug\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export
(GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~
Remove Spyware.url
Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~
atmtd.dll
atmtd.dll._
svcp.csv
winsub.xml
zlbw.dll
zlbw.dll

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 792 'explorer.exe'
Killing PID 792 'explorer.exe'

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix
(GetSTS.exe)
SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:59:41, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe

Look 2 Me

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 11/04/2006 14:51:01

Infected! D:\WINDOWS\system32\czsetACL.dll
Infected! D:\WINDOWS\system32\f80olid3180.dll
Infected! D:\WINDOWS\system32\fplq0335e.dll
Infected! D:\WINDOWS\system32\lv4609hse.dll
Infected! D:\WINDOWS\system32\mgjter40.dll
Infected! D:\WINDOWS\system32\rWsman.dll

Attempting to delete infected files...

Attempting to delete: D:\WINDOWS\system32\czsetACL.dll
D:\WINDOWS\system32\czsetACL.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\f80olid3180.dll
D:\WINDOWS\system32\f80olid3180.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\fplq0335e.dll
D:\WINDOWS\system32\fplq0335e.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\lv4609hse.dll
D:\WINDOWS\system32\lv4609hse.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\mgjter40.dll
D:\WINDOWS\system32\mgjter40.dll Deleted successfully!

Attempting to delete: D:\WINDOWS\system32\rWsman.dll
D:\WINDOWS\system32\rWsman.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C300C5FA-7357-427D-84EE-7A9DEBB0182C}"
HKCR\Clsid\{C300C5FA-7357-427D-84EE-7A9DEBB0182C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{63719493-78D9-4E04-AFC2-E1393091686B}"
HKCR\Clsid\{63719493-78D9-4E04-AFC2-E1393091686B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0B475869-0700-4B6D-9269-3FC0F630449C}"
HKCR\Clsid\{0B475869-0700-4B6D-9269-3FC0F630449C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{07F1AFAB-584A-4F66-B4A0-4137F94BDC59}"
HKCR\Clsid\{07F1AFAB-584A-4F66-B4A0-4137F94BDC59}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

ewido log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:57:20, 12/04/2006
+ Report-Checksum: AB44ABF7

+ Scan result:

HKU\S-1-5-21-789336058-1580436667-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
HKU\S-1-5-21-789336058-1580436667-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
[728] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[1800] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[1996] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
[108] D:\WINDOWS\system32\directpt.dll -> Logger.Goldun.iy : Error during cleaning
C:\tool3.exe -> Downloader.Tiny.al : Cleaned with backup
C:\tool4.exe -> Logger.Haxspy.w : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
D:\Documents and Settings\Cameron\Cookies\cameron@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.19:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.20:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.28:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.29:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.30:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.31:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.32:\Documents and Settings\Doug\Application Data\Mozilla\Firefox\Profiles\sbgp5szk.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
D:\Documents and Settings\Doug\Cookies\doug@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\Documents and Settings\Doug\Cookies\doug@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
D:\WINDOWS\system32\__delete_on_reboot__directpt.dll -> Logger.Goldun.iy : Cleaned with backup

::Report End
Ok, still something that needs cleaning. You haven't installed a firewall or antivirus, install those now.

Cleaning instructions

Fix the following entries with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKCU\..\Run: [ozzr] D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
O4 - HKCU\..\Run: [order_Shell] D:\Documents and Settings\Doug\order_ivaw.exe
O20 - Winlogon Notify: DH - D:\WINDOWS\system32\lv4609hse.dll (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)

Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.
Run Killbox.exe -> Choose Delete on Reboot -> Click All Files option.
Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)
c:\secure32.html
C:\Program Files\paytime.exe
D:\PROGRA~1\COMMON~1\ozzr\ozzrm.exe
D:\Documents and Settings\Doug\order_ivaw.exe
Then go back to Killbox -> go to File -> choose Paste from Clipboard -> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.

(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

Post a new HijackThis log here.
Logfile of HijackThis v1.99.1
Scan saved at 15:35:58, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
D:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - D:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
Ok, still something.

Cleaning instructions:

Restart your computer into safe mode (Press F8 button when computer is starting and choose safe mode)

Run HijackThis and fix this entry:
O20 - Winlogon Notify: directpt - directpt.dll (file missing)

Make your hidden files visible:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Show hidden files and folders.

Delete this folder:
D:\PROGRA~1\COMMON~1\ozzr

Delete this file:
D:\WINDOWS\system32\directpt.dll

Empty the Recycle Bin

Restart your computer normally.

Download F-Secure Blacklight to your desktop -> http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe
Run a scan with Blacklight; a log named fsbl**********.log will appear on your desktop. Do NOT rename/remove anything with Blacklight yet.

Post the following logs here:
1. New HijackThis log
2. contents of fsbl**********.log (from your desktop)

You also had a keylogger on your computer so you should change all your passwords (banking, shopping etc.). And you don't have an antivirus or firewall on your pc. Install those now.