
Ran Spybot & Adaware and still have a problem


12 replies to this topic

#1 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 21 May 2004 - 11:55 PM

Two weeks ago an adware program hit my computer. I have run Spybot & AdAware, but it seemed like it wasn't catching the main program because I'm still having lots of problems. When I found what I thought was the main bugger of a file I couldn't delete or uninstall it. It gave me an error message saying access denied because it was write-protected, or something to that effect. I could get the exact wording if necessary.

Also, I have to reboot constantly because my IE isn't working consistently and re-booting is the only thing that "gets it back on track."

Here is my log file:

Logfile of HijackThis v1.97.7
Scan saved at 9:23:20 PM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.fresno.com"); (C:\Program Files\Netscape\Users\cvip\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Joy Platform Dash - {CBA8A8BC-1FAB-7AB9-38ED-31AE0B6B142A} - C:\PROGRA~1\Hide2\oncemfcd.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eggs global] C:\PROGRA~1\TOOLWM~2\Ref poke ping.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4671F05-8F80-4FEC-90F7-B0E12FF83D8F}: NameServer = 129.8.50.105 129.8.52.2

Thank you so much for your help! I'm not great at this kind of thing so I'm just trying to figure it out as I go along.

#2 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 22 May 2004 - 11:11 AM

Bump

#3 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 22 May 2004 - 08:14 PM

bump

#4 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 23 May 2004 - 07:03 AM

Could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed? You may be given a code to insert; do so and reboot when done.

If it is not listed there, click here to download and run this uninstaller.

Reboot when done. Post a new HJT log.

#5 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 31 May 2004 - 09:30 PM

We've done a few deletions and we've run a couple more programs (SpySweeper & Pest Patrol) and this is what I have left. I am still having problems with hijackers but none of the programs I'm using can find them. Sportsresults.com and Zestyfind.com are two of them.

Here's my log:

Logfile of HijackThis v1.97.7
Scan saved at 7:25:51 PM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.fresno.com"); (C:\Program Files\Netscape\Users\cvip\prefs.js)
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4671F05-8F80-4FEC-90F7-B0E12FF83D8F}: NameServer = 129.8.50.105 129.8.52.2



Thank you for any help.
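One way to triage a HijackThis log of this kind, as an added example in Python (not a tool from this thread, from HijackThis, or from the forum's helpers): it parses the section prefix of each line and flags the hosts-file redirections, orphaned entries and odd autorun names visible in the two logs above. The checks are simple heuristics chosen for illustration, and the sample lines are copied from the logs posted here.

```python
import re
from ipaddress import ip_address

# Constructed sample: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Joy Platform Dash - {CBA8A8BC-1FAB-7AB9-38ED-31AE0B6B142A} - C:\PROGRA~1\Hide2\oncemfcd.dll (file missing)
O4 - HKLM\..\Run: [eggs global] C:\PROGRA~1\TOOLWM~2\Ref poke ping.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4671F05-8F80-4FEC-90F7-B0E12FF83D8F}: NameServer = 129.8.50.105 129.8.52.2
"""

LINE_RE = re.compile(r"^([RNOF]\d+) - (.*)$")     # "O1 - Hosts: ..." -> (section, body)
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")   # "Hosts: <ip> <hostname>"
EXE_RE = re.compile(r'"?([^"\[\]]+\.exe)"?', re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) tuples for HJT lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header, process list, blank lines
        section, body = m.groups()
        if section == "O1":
            h = HOSTS_RE.match(body)
            try:
                redirected = h is not None and not ip_address(h.group(1)).is_loopback
            except ValueError:            # not an IP literal; leave for manual review
                redirected = False
            if redirected:                # hosts file sends a search host elsewhere
                findings.append((section, f"{h.group(2)} redirected to {h.group(1)}", line))
        elif section == "R3" and body == "Default URLSearchHook is missing":
            findings.append((section, "default IE URLSearchHook entry is absent", line))
        elif body.endswith(("(file missing)", "(no file)")):
            findings.append((section, "orphaned entry: referenced file is gone", line))
        elif section == "O4":
            e = EXE_RE.search(body)
            # heuristic: an autorun target whose file name contains spaces
            if e and " " in e.group(1).strip().rsplit("\\", 1)[-1]:
                findings.append((section, "autorun executable with a multi-word file name", line))
        elif section == "O17":
            findings.append((section, "DNS servers set here; confirm they are your ISP's", line))
    return findings
```

Entries it does not flag (Norton's toolbar, ccApp) are not declared clean; the output is a reading list for the helper, not a verdict.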

#6 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 01 June 2004 - 08:33 AM

bump

#7 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 01 June 2004 - 02:06 PM

Let's check to see if you have been infected by the L2M parasite. Please do this:

Click here to download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

#8 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 01 June 2004 - 09:48 PM

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6aO4SVC.DLL
C:\WINDOWS\System32\6bO4SVC.DLL
C:\WINDOWS\System32\6dO4SVC.DLL
C:\WINDOWS\System32\6eO4SVC.DLL
C:\WINDOWS\System32\6fO4SVC.DLL
C:\WINDOWS\System32\6gO4SVC.DLL
C:\WINDOWS\System32\6hO4SVC.DLL
C:\WINDOWS\System32\6jO4SVC.DLL
C:\WINDOWS\System32\6kO4SVC.DLL
C:\WINDOWS\System32\6lO4SVC.DLL
C:\WINDOWS\System32\6mO4SVC.DLL
C:\WINDOWS\System32\6nO4SVC.DLL
C:\WINDOWS\System32\6oO4SVC.DLL
C:\WINDOWS\System32\6pO4SVC.DLL
C:\WINDOWS\System32\6qO4SVC.DLL
C:\WINDOWS\System32\6rO4SVC.DLL
C:\WINDOWS\System32\6sO4SVC.DLL
C:\WINDOWS\System32\6uO4SVC.DLL
C:\WINDOWS\System32\6vO4SVC.DLL
C:\WINDOWS\System32\6wO4SVC.DLL
C:\WINDOWS\System32\6xO4SVC.DLL
C:\WINDOWS\System32\6yO4SVC.DLL
C:\WINDOWS\System32\6zO4SVC.DLL
C:\WINDOWS\System32\Ai3API.DLL
C:\WINDOWS\System32\AoCTRES.DLL
C:\WINDOWS\System32\AqLUI.DLL
C:\WINDOWS\System32\ArLEDIT.DLL
C:\WINDOWS\System32\AtLUI.DLL
C:\WINDOWS\System32\AxTODISC.DLL


Guardian Key--- is called: GuardianFWKAN
Asynchronous 000
DllName C:\WINDOWS\system32\6sO4SVC.DLL
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {6FE49DD3-4537-4FF5-81B2-D94BAAC50E2C}
IDex DS3


Thanks!

#9 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 02 June 2004 - 02:07 AM

OK, do this: click on the Click to Find VX2.Betterinternet button again. This time delete all files found; you will be left with a notice about one to be deleted on reboot. It will ask to reboot on deletion of the last file (do that).

After reboot, delete Guardian key & User Agent Key. Click User Agent$ to remove that entry from the registry then click Guardian.reg to delete the Guardian Key. When you click on the Click to Find VX2.Betterinternet button this time you should get a clean log of blank values.

If so, click Restore Policy to restore the Debug policy altered in the Look2Me installation and reboot. Rescan with HJT and post a new log here.

#10 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 02 June 2004 - 12:16 PM

When my computer began to reboot it wasn't able to fully come up. Finally I was able to get my desktop up but none of my applications would operate. I keep getting a message about virtual memory being low, not enough memory to operate the application, etc. In the last few days my system began running extremely slowly, especially when rebooting.

I'm posting this from my work, but my home computer is basically non-op now. I'm going to try working with it again tonight; in the meantime, do you have any thoughts on this? Is this an effect of the L2M parasite?

Thanks for your help.

#11 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 02 June 2004 - 07:28 PM

Bump.

#12 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 03 June 2004 - 01:40 AM

I haven't heard about L2M causing this effect. How much RAM do you have on your system? Is your hard drive nearly full, or have you manually set the allocation of virtual memory?

#13 Stefdwe

    Member

  • Full Member
  • 12 posts

Posted 04 June 2004 - 03:52 PM

Off the top of my head I don't remember how much RAM I have, but my hard drive wasn't close to being full.

Windows was giving me an error message about something being missing or needing to be repaired, so we needed to reinstall Windows. We tried that and it continued to give us the same message. At this point we can't log on to Windows at all.

It's going to the PC Doctor next week. Thanks for your help!
