help needed winh32.exe

Discussion in 'Windows - Virus and spyware problems' started by jazztro, May 1, 2008.

  1. jazztro (Member; joined Sep 29, 2007; 3 messages)

    I also have the same problem when I go to www.ultimate-guitar.com. I have no problem accessing it with Firefox, but when I used Internet Explorer things went bad: all sorts of viruses popped up and messed up my PC. I have Avast 4.8 HE antivirus and it detects the viruses, so I immediately scanned my PC and found several viruses, but I don't know if it really removed them, because my PC got awfully slow and my Task Manager was disabled. I also got a system error message that keeps popping up, my desktop wallpaper went blank (I only see icons) and I can't set my own wallpaper. I ran gpedit.msc so I could re-enable Task Manager, and I stopped the processes that I know are not supposed to run. Every time I click My Computer there is a message that says "c:\windows\explorer.exe" and then a website pops up. I have already downloaded the tools needed (I think) to remove the viruses, which I think are still in my system: I have HJT, VundoFix, VirtumundoBeGone and ComboFix. Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:43:52 AM, on 5/1/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\DigitalPersona\Bin\DpHost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\JetAudio\JetAudio.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
    O1 - Hosts: 124.217.252.77 www.bravesentry.com
    O1 - Hosts: 124.217.252.77 bravesentry.com
    O1 - Hosts: 124.217.252.78 secure.isoftpay.com
    O1 - Hosts: 124.217.252.77 www.bravesentry.com
    O1 - Hosts: 124.217.252.77 bravesentry.com
    O1 - Hosts: 124.217.252.78 secure.isoftpay.com
    O1 - Hosts: 124.217.252.77 www.bravesentry.com
    O1 - Hosts: 124.217.252.77 bravesentry.com
    O1 - Hosts: 124.217.252.78 secure.isoftpay.com
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: (no name) - {2808C1CE-498B-4C8D-ADAF-7581D1078ED5} - C:\WINDOWS\System32\admpars.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Caffe-Server] c:\program files\Caffe\Server.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [sysemls] C:\WINDOWS\System32\1.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'Default user')
    O4 - Startup: jetAudio.lnk = C:\Program Files\JetAudio\JetAudio.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.mariatv.it/SOPCORE.CAB
    O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sd...ie06041001.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{496EA7BD-44B3-40A9-8117-8CC1FD02AD6F}: NameServer = 58.69.254.3,58.69.254.8
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E4BF95B1-7198-423E-9D62-BAAC980CE8C1}: NameServer = 58.69.254.3,58.69.254.8
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
    O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: l1 - Unknown owner - C:\WINDOWS\system32\ll1.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 8343 bytes


    I thought I could remove the virus on my own if I just followed what you said above, so I wouldn't be disturbing anyone, but I found out that it's different from my log, so to play it safe I posted my problems here. Please help me, and I'm already saying sorry if I disturb anyone.
     
  2. echoreply (Regular member; joined Nov 9, 2007; 472 messages)

    Still need help:

    Go to Start > Run and type in services.msc. In the list of services that comes up, look for:
    l1


    (it's this one in the log: O23 - Service: l1 - Unknown owner - C:\WINDOWS\system32\ll1.exe)

    Right-click on it and select Properties.

    Under the General tab:

    the path to the .exe should be: C:\WINDOWS\system32\ll1.exe


    Make sure that the service status is Stopped; if not, click the Stop button,

    and that the Startup type is Disabled; if not, change it to Disabled.

    Click Apply, then OK.
    ---------------------------
    Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

    O1 - Hosts: 124.217.252.77 www.bravesentry.com
    O1 - Hosts: 124.217.252.77 bravesentry.com
    O1 - Hosts: 124.217.252.78 secure.isoftpay.com
    O1 - Hosts: 124.217.252.77 www.bravesentry.com
    O1 - Hosts: 124.217.252.77 bravesentry.com
    O1 - Hosts: 124.217.252.78 secure.isoftpay.com
    O1 - Hosts: 124.217.252.77 www.bravesentry.com
    O1 - Hosts: 124.217.252.77 bravesentry.com
    O1 - Hosts: 124.217.252.78 secure.isoftpay.com

    O2 - BHO: (no name) - {2808C1CE-498B-4C8D-ADAF-7581D1078ED5} - C:\WINDOWS\System32\admpars.dll

    O4 - HKUS\S-1-5-18\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'SYSTEM')
    -----------------------
    Next:
    Please download Malwarebytes' Anti-Malware to your desktop:

    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.

    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    * If an update is found, it will download and install the latest version.

    * Once the program has loaded, select Perform FULL SCAN, then click Scan.

    * When the scan is complete, click OK, then Show Results to view the results.

    * Be sure that everything is checked, and click Remove Selected.

    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

    Post the above log and a new HJT log.
    --------------------
    When we are done you need to visit Windows Update. You are a service pack behind. You have many exploits that can be taken advantage of due to an unpatched OS.
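An added example (editor's code, not something posted in this thread and not a HijackThis feature): a small Python triage script that reads HijackThis O1/O2/O4/O23 lines and flags the same kinds of entries echoreply picked out above: hosts entries that point a name at a non-loopback address, a BHO registered with no display name, and Run values or services that launch a generic short file name such as ll1.exe or 1.exe. The sample log embedded in the script is constructed from lines in the posted log plus one benign 127.0.0.1 hosts line for contrast; the "generic file name" rule is a heuristic chosen for this illustration and would need a human look before being trusted on other logs.

```python
"""Triage helper for HijackThis 2.x log lines (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted above, with one
# hosts entry repeated as HJT printed it, plus a benign 127.0.0.1 line.
# Raw string so the Windows backslashes survive unchanged.
SAMPLE_LOG = r"""
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {2808C1CE-498B-4C8D-ADAF-7581D1078ED5} - C:\WINDOWS\System32\admpars.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sysemls] C:\WINDOWS\System32\1.exe (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: l1 - Unknown owner - C:\WINDOWS\system32\ll1.exe
"""

# One regex per HJT section we care about; groups are documented in triage().
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run:\s+\[([^\]]*)\]\s+(.+?)(?:\s+\(User '([^']*)'\))?$")
SVC_RE = re.compile(r"^O23 - Service:\s+(.+?)\s+-\s+(.+?)\s+-\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code: O1, O2, O4 or O23
    target: str    # what to act on: "host -> ip" or the file path
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def hosts_is_hijack(ip_text: str) -> bool:
    """A hosts entry is benign only when it points at the machine itself
    (127.x, ::1) or at the unspecified address (0.0.0.0, the usual ad-block
    idiom). Anything else silently redirects the name to a remote server."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # not even a parsable address: treat as suspect
    return not (ip.is_loopback or ip.is_unspecified)


def looks_generic(path: str) -> bool:
    """Heuristic chosen for this example (assumption, not an HJT rule): a stem
    of three characters or fewer, or all digits (ll1.exe, 1.exe in the posted
    log), is not how vendors name autostart binaries or service executables."""
    stem = _basename(path).rsplit(".", 1)[0]
    return len(stem) <= 3 or stem.isdigit()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    seen_hosts: set[tuple[str, str]] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if (ip, host) in seen_hosts:   # HJT repeated each hosts entry in the posted log
                continue
            seen_hosts.add((ip, host))
            if hosts_is_hijack(ip):
                findings.append(Finding("O1", f"{host} -> {ip}",
                                        "hosts file redirects the name to a remote address"))
        elif m := BHO_RE.match(line):
            name, path = m.groups()
            if name.lower() == "(no name)":
                findings.append(Finding("O2", path, "BHO registered with no display name"))
        elif m := RUN_RE.match(line):
            hive, value, path, user = m.groups()
            if looks_generic(path):
                who = f" for user '{user}'" if user else ""
                findings.append(Finding("O4", path,
                                        f"Run value [{value}] under {hive}{who} launches a generic file name"))
        elif m := SVC_RE.match(line):
            name, owner, path = m.groups()
            if looks_generic(path):
                findings.append(Finding("O23", path,
                                        f"service '{name}' ({owner}) runs a generic file name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target}\n     {f.reason}")
```

Run against the constructed sample it reports six findings, matching the entries echoreply listed for "Fix checked" (the two hosts redirects, the unnamed BHO, the two SYSTEM-hive Run values and the l1 service) while leaving the Yahoo!, avast! and 127.0.0.1 lines alone. The hosts check is the one piece worth keeping in any triage workflow: a name mapped to a public IP in hosts is almost never legitimate on a home machine.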
     
