look2me and spywareno



elkpp
2006-02-20, 03:59
Hi, thanks for your help.
My machine is really bad...
Anyway, here is my log. One popup page is opening all the time: ad_w-a-r-e.
PC-cillin is blocking it, but it still pops up all the time.

http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={94BF011D-9003-3025-1534-8BD6748167E5}&type=normal&mSkip=1&rnd=16492

--- Search result list ---
Look2Me.Topconverting: Configuración (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP

SpywareNo: Clase raíz (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\winapi32.Intelinks

SpywareNo: ID de clase (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C619394D-AE6F-4497-B49D-78FD76F9C986}

SpywareNo: Clase raíz (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\winapi32.MyBaner

SpywareNo: ID de clase (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E9320EFC-C75C-432C-8C51-86618C6F3952}

--- Process list ---
PID: 1564 ( 208) C:\WINDOWS\system32\rundll32.exe
size: 10000
MD5: CA6468AE463FCE9C434BF9B29352B7E0
PID: 1640 (1376) C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
size: 94208
MD5: CBF9C089B3BE2C4054A2EBBE7A5C1AC4
PID: 1652 (1376) C:\Archivos de programa\D-Tools\daemon.exe
size: 73728
MD5: 05F19EE0628A18BF79C377BF7EE9403D
PID: 412 (1376) C:\Archivos de programa\QuickTime\qttask.exe
size: 77824
MD5: 5D22B4258489575412F6D18AFFC847A2
PID: 1656 (1376) C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe
size: 897089
MD5: 5FB38700D1317134DBB9D0CD626A8EF6
PID: 1228 (1376) C:\Archivos de programa\MSN Messenger\msnmsgr.exe
size: 6856704
MD5: 79AC63592F9B6750F2026A2520C11BEE
PID: 1916 (1376) C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 700 (1644) C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
size: 90112
MD5: BED117A8BAB5D2C85D50E44F8E90705C
PID: 356 (1376) C:\Archivos de programa\LPerri\CiberControl 4.0 PRO\Control.exe
size: 4294656
MD5: 865093544290F16BED9AEE88B013AB5D
PID: 2800 ( 208) C:\WINDOWS\explorer.exe
size: 244496
MD5: 14586805C83DDB7DB7C25A57DD40CD67
PID: 3048 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 3160 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 1588 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 3024 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 2900 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 3272 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 2756 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 1904 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 1836 (2800) C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 0 ( 0) [System Process]
PID: 8 ( 0) System
PID: 164 ( 8) smss.exe
PID: 188 ( 164) csrss.exe
PID: 208 ( 164) winlogon.exe
PID: 236 ( 208) services.exe
PID: 248 ( 208) lsass.exe
PID: 428 ( 236) svchost.exe
PID: 460 ( 236) spoolsv.exe
PID: 488 ( 236) ccEvtMgr.exe
PID: 608 ( 236) svchost.exe
PID: 620 ( 236) GHOSTS~2.EXE
PID: 660 ( 236) navapsvc.exe
PID: 696 ( 236) NPROTECT.EXE
PID: 776 ( 236) PcCtlCom.exe
PID: 892 ( 236) MSTask.exe
PID: 920 ( 236) nopdb.exe
PID: 992 ( 236) stisvc.exe
PID: 1020 ( 236) Tmntsrv.exe
PID: 1036 ( 236) tmproxy.exe
PID: 1100 ( 236) WinMgmt.exe
PID: 1112 ( 236) svchost.exe
PID: 1132 ( 236) TmPfw.exe
PID: 272 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 2788 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 2348 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A
PID: 2712 ( 208) C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
size: 91136
MD5: 0A80D631A93A52F82B799AC67135EB0A

SpywareNo: Clase raíz (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\winapi32.MyBHO

SpywareNo: ID de clase (Clave del registro, fixing failed)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2006-02-16 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-17 Includes\Cookies.sbi (*)
2006-02-17 Includes\PUPS.sbi (*)
2006-02-17 Includes\Dialer.sbi (*)
2006-02-17 Includes\Hijackers.sbi (*)
2006-02-17 Includes\Keyloggers.sbi (*)
2006-02-17 Includes\Malware.sbi (*)
2006-02-17 Includes\Revision.sbi (*)
2006-02-17 Includes\Security.sbi (*)
2006-02-17 Includes\Spybots.sbi (*)
2006-02-17 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4


--- Startup entries list ---
Located: HK_LM:Run, ccRegVfy
command: "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
file: C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
size: 62080
MD5: 08067f001876dbbc66c3472d0338922e

Located: HK_LM:Run, DAEMON Tools-1033
command: "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
file: C:\Archivos de programa\D-Tools\daemon.exe
size: 73728
MD5: 05f19ee0628a18bf79c377bf7ee9403d

Located: HK_LM:Run, GhostStartTrayApp
command: C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
file: C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
size: 94208
MD5: cbf9c089b3be2c4054a2ebbe7a5c1ac4

Located: HK_LM:Run, pccguide.exe
command: "C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe"
file: C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe
size: 897089
MD5: 5fb38700d1317134dbb9d0cd626a8ef6

Located: HK_LM:Run, QuickTime Task
command: "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
file: C:\Archivos de programa\QuickTime\qttask.exe
size: 77824
MD5: 5d22b4258489575412f6d18affc847a2

Located: HK_LM:Run, SpybotSnD
command: "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09ca174a605b480318731e691dc98539

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINDOWS\system32\mobsync.exe
size: 111888
MD5: 869697fd0b75de3cb54c17ccfc4e4f1c

Located: HK_LM:Run, EPSON Stylus C45 Series (DISABLED)
command: C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
file: C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE
size: 99840
MD5: 3a498cf69876d3e87bf82e06e7de8541

Located: HK_LM:Run, GhostStartTrayApp (DISABLED)
command: C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
file: C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
size: 94208
MD5: cbf9c089b3be2c4054a2ebbe7a5c1ac4

Located: HK_LM:Run, NvCplDaemon (DISABLED)
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 10000
MD5: ca6468ae463fce9c434bf9b29352b7e0

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
file: C:\Archivos de programa\QuickTime\qttask.exe
size: 77824
MD5: 5d22b4258489575412f6d18affc847a2

Located: HK_LM:Run, Symantec NetDriver Monitor (DISABLED)
command: C:\ARCHIV~1\SYMNET~1\SNDMon.exe
file: C:\ARCHIV~1\SYMNET~1\SNDMon.exe
size: 95960
MD5: abba14e4513a3eb53194c472d94943d7

Located: HK_LM:Run, nwiz (DISABLED)
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 741376
MD5: a4ae9ba1e10cb9f6c0949c4db91a1f72

Located: HK_CU:Run, msnmsgr
command: "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
file: C:\Archivos de programa\MSN Messenger\msnmsgr.exe
size: 6856704
MD5: 79ac63592f9b6750f2026a2520c11bee

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, Yahoo! Pager
command: "C:\Archivos de programa\Yahoo!\Messenger\ypager.exe" -quiet
file: C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
size: 3084288
MD5: 1374e98301bd093b60f93623c313dea2

Located: HK_CU:Run, EPSON Stylus C45 Series (DISABLED)
command: C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"
file: C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE
size: 99840
MD5: 3a498cf69876d3e87bf82e06e7de8541

Located: Inicio (común), Adobe Gamma Loader.lnk (DISABLED)
command: C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
size: 110592
MD5: 5cd0cd0ec4dc5df459b3ac016764f5aa

Located: Inicio (común), CleanSweep Smart Sweep-Internet Sweep.LNK (DISABLED)
command: C:\Archivos de programa\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
file: C:\Archivos de programa\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
size: 225280
MD5: 6fb0878257593031786dda0cdede3a37

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, H323TSP
command: C:\WINDOWS\system32\dnrm0191e.dll
file: C:\WINDOWS\system32\dnrm0191e.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll

Located: WinLogon, FS Templates (DISABLED)
command: C:\WINDOWS\system32\j2p0lc7m1f.dll
file: C:\WINDOWS\system32\j2p0lc7m1f.dll

Located: WinLogon, Group Policy (DISABLED)
command: C:\WINDOWS\system32\kwdhe220.dll
file: C:\WINDOWS\system32\kwdhe220.dll

Located: WinLogon, H323TSP (DISABLED)
command: C:\WINDOWS\system32\dnrm0191e.dll
file: C:\WINDOWS\system32\dnrm0191e.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, IPConfTSP (DISABLED)
command: C:\WINDOWS\system32\kwdhe220.dll
file: C:\WINDOWS\system32\kwdhe220.dll

Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, Telephony (DISABLED)
command: C:\WINDOWS\system32\i2420choef4c0.dll
file: C:\WINDOWS\system32\i2420choef4c0.dll

Located: WinLogon, WindowsUpdate (DISABLED)
command: C:\WINDOWS\system32\jtp0077me.dll
file: C:\WINDOWS\system32\jtp0077me.dll



--- Browser helper object list ---


--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Internet Explorer Classes for Java (Internet Explorer Classes for Java)
DPF name: Internet Explorer Classes for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\SYSTEM\iejava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\iejava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
Yahoo! Chat (Yahoo! Chat)
DPF name: Yahoo! Chat
CLSID name:
Installer:
Codebase: http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Yahoo! Checkers (Yahoo! Checkers)
DPF name: Yahoo! Checkers
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/kt4_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Yahoo! Chess (Yahoo! Chess)
DPF name: Yahoo! Chess
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/ct2_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Yahoo! Freecell Solitaire (Yahoo! Freecell Solitaire)
DPF name: Yahoo! Freecell Solitaire
CLSID name:
Installer:
Codebase: http://presence.games.yahoo.com/yog/y/fs10_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Yahoo! Literati (Yahoo! Literati)
DPF name: Yahoo! Literati
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/tt4_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:
Installer:
Codebase: http://download.games.yahoo.com/games/clients/y/pote_x.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
{04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
Installer: C:\WINDOWS\Downloaded Program Files\xscan60.inf
Codebase: http://housecall60.trendmicro.com/housecall/xscan60.cab
description:
classification: Legitimate
known filename: xscan60.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan60.ocx
Short name:
Date (created): 03/05/2005 11:45:54 a.m.
Date (last access): 19/02/2006
Date (last write): 03/05/2005 11:45:54 a.m.
Filesize: 475190
Attributes: archive
MD5: 145C288D55A91D6469223136EA93A406
CRC32: A36DBA2A
Version: 6.0.0.1261
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM32\Macromed\Director\
Long name: SwDir.dll
Short name: SWDIR.DLL
Date (created): 19/04/2004 04:58:48 a.m.
Date (last access): 19/02/2006
Date (last write): 09/09/2004 02:49:12 p.m.
Filesize: 54488
Attributes: archive
MD5: 943193399C341AC34E842CB07B5F29A0
CRC32: 12DEB8F4
Version: 10.1.0.11
{6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5)
DPF name:
CLSID name: Housecall ActiveX 6.5
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 02/02/2006 04:22:42 p.m.
Date (last access): 19/02/2006
Date (last write): 02/02/2006 04:22:42 p.m.
Filesize: 357376
Attributes: archive
MD5: D91BD5AA0DA1728C1B11ECB5A7D4B3D7
CRC32: B40F7F41
Version: 6.5.2.7
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/msnmessengersetupdownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 17/03/2005 02:48:34 p.m.
Date (last access): 19/02/2006
Date (last write): 17/03/2005 02:48:34 p.m.
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 1.0.0.2
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash8.ocx
Short name: FLASH8.OCX
Date (created): 27/08/2005 05:38:56 p.m.
Date (last access): 19/02/2006
Date (last write): 27/08/2005 05:38:56 p.m.
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0

tashi
2006-02-20, 10:12
Hello elkpp.
Can you post an HJT log please, and a helper will assist you as soon as possible.

Instructions are here:
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)

Copy paste the log into this topic.

Cheers. :)

elkpp
2006-02-21, 00:50
I think this is what you need...
Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 08:22:20 p.m., on 20/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\ARCHIV~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\LPerri\CiberControl 4.0 PRO\Control.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.kpponet.mine.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpponet.mine.nu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpponet.8k.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch.com/?adv_id=1411&sub_id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.kpponet.mine.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kpponet.mine.nu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kpponet.8k.com/favorite_links.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://migxau.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = para uso en cyber kppo-net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\ARCHIV~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Archivos de programa\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &ieSpell Options - res://C:\Archivos de programa\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Archivos de programa\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\YAHOO!\MESSEN~1\YPAGER.EXE
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{913F5F21-10F5-4D7B-B730-32040EA82095}: NameServer = 200.51.254.254,200.51.254.251
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\mvjsl9171.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

illukka
2006-02-21, 22:17
Hi.

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button; your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a "Done Scanning" message; click OK.
When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer". Click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

elkpp
2006-02-22, 02:00
OK, it is done. Just for the record, it did not run at 10 seconds, so after a couple of times trying I realised that maybe I have to run it as an admin user, and then it did work, and Spybot too. It changed those reg settings, so just to have it in mind.


Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 21/02/2006 09:10:56 p.m.

Infected! C:\WINDOWS\SYSTEM32\kedhu1.dll
Infected! C:\WINDOWS\SYSTEM32\dkvoice.dll
Infected! C:\WINDOWS\SYSTEM32\gplml3311.dll
Infected! C:\WINDOWS\SYSTEM32\jweg2x32.dll
Infected! C:\WINDOWS\SYSTEM32\oyffilt.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\SYSTEM32\kedhu1.dll
C:\WINDOWS\SYSTEM32\kedhu1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\dkvoice.dll
C:\WINDOWS\SYSTEM32\dkvoice.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\gplml3311.dll
C:\WINDOWS\SYSTEM32\gplml3311.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\jweg2x32.dll
C:\WINDOWS\SYSTEM32\jweg2x32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\oyffilt.dll
C:\WINDOWS\SYSTEM32\oyffilt.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administradores - Succeeded

------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 09:58:28 p.m., on 21/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\LPerri\CiberControl 4.0 PRO\Control.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.kpponet.mine.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpponet.mine.nu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpponet.8k.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.kpponet.mine.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kpponet.mine.nu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kpponet.8k.com/favorite_links.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = para uso en cyber kppo-net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\ARCHIV~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Archivos de programa\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &ieSpell Options - res://C:\Archivos de programa\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Archivos de programa\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{913F5F21-10F5-4D7B-B730-32040EA82095}: NameServer = 200.51.254.254,200.51.254.251
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\gpr4l39q1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

illukka
2006-02-22, 07:59
Please download ewido anti malware (http://www.ewido.net/en/download/); it is a free version of the program.
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

Reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


Then launch ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Reboot back to normal mode, then post a new HJT log and the ewido report.

elkpp
2006-02-23, 15:19
Logfile of HijackThis v1.99.1
Scan saved at 11:15:06 a.m., on 23/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\D-Tools\daemon.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\LPerri\CiberControl 4.0 PRO\Control.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kpponet.mine.nu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.kpponet.mine.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpponet.mine.nu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kpponet.8k.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.kpponet.mine.nu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kpponet.mine.nu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kpponet.8k.com/favorite_links.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = para uso en cyber kppo-net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\ARCHIV~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Archivos de programa\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Archivos de programa\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O8 - Extra context menu item: &ieSpell Options - res://C:\Archivos de programa\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Archivos de programa\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Archivos de programa\ieSpell\iespell.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{913F5F21-10F5-4D7B-B730-32040EA82095}: NameServer = 200.51.254.254,200.51.254.251
O20 - Winlogon Notify: SysDM - C:\WINDOWS\system32\gpj8l31u1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

-----------------------
---------------------------------------------------------
ewido anti-malware - Report de exploración
---------------------------------------------------------

+ Creado en: 10:53:29 a.m., 23/02/2006
+ Report-Checksum: 30136C1C

+ Scan result:

HKLM\SOFTWARE\Igor V. Gunko -> Adware.HyperBar : Limpio sin backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar -> Adware.HyperBar : Limpio sin backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Modules -> Adware.HyperBar : Limpio sin backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod -> Adware.HyperBar : Limpio sin backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C} -> Adware.HyperBar : Limpio sin backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\Ctx -> Adware.HyperBar : Limpio sin backup
HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Limpio sin backup
[240] C:\WINDOWS\system32\kidfr.dll -> Adware.Look2Me : Error durante limpieza
[468] C:\WINDOWS\system32\kidfr.dll -> Adware.Look2Me : Error durante limpieza
C:\WINDOWS\SYSTEM32\sbb.dll -> Adware.Visua : Limpio sin backup
C:\WINDOWS\SYSTEM32\win_6.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Limpio sin backup
C:\WINDOWS\SYSTEM32\win_6hk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.i : Limpio sin backup
C:\WINDOWS\SYSTEM32\Mservice.dll -> Downloader.Wintrim.cu : Limpio sin backup
C:\WINDOWS\SYSTEM32\RMSDLG.DLL -> Adware.Look2Me : Limpio sin backup
C:\WINDOWS\SYSTEM32\azesearch4.ocx -> Adware.AzSearch : Limpio sin backup
C:\WINDOWS\SYSTEM32\msoff.exe -> Backdoor.Small.kb : Limpio sin backup
C:\WINDOWS\SYSTEM32\iasada.dll_tobedeleted -> Adware.AzSearch : Limpio sin backup
C:\WINDOWS\SYSTEM32\WRNSKES.DLL -> Adware.Look2Me : Limpio sin backup
C:\WINDOWS\SYSTEM32\dn8o01l3e.dll -> Adware.Look2Me : Limpio sin backup
C:\WINDOWS\SYSTEM32\fDxshell.dll -> Adware.Look2Me : Limpio sin backup
C:\WINDOWS\SYSTEM32\ivfosoft.dll -> Adware.Look2Me : Limpio sin backup
C:\WINDOWS\TEMP\Cookies\operador1@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Limpio sin backup
C:\WINDOWS\Downloaded Program Files\UERSY_0001_N56M3011NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Limpio sin backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERSY_0001_N56M3011NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Limpio sin backup
C:\WINDOWS\azesearch.bmp -> Adware.Azesearch : Limpio sin backup
C:\WINDOWS\loadadv728.exe -> Downloader.Agent.aer : Limpio sin backup
C:\WINDOWS\a3Bwb25ldA\asappsrv.dll -> Adware.CommAd : Limpio sin backup
C:\WINDOWS\a3Bwb25ldA\command.exe -> Adware.CommAd : Limpio sin backup
C:\RECYCLED\NPROTECT\00028594.TXT -> TrackingCookie.Burstnet : Limpio sin backup
C:\RECYCLED\NPROTECT\00028596.TXT -> TrackingCookie.Tacoda : Limpio sin backup
C:\RECYCLED\NPROTECT\00028597.TXT -> TrackingCookie.Tacoda : Limpio sin backup
C:\RECYCLED\NPROTECT\00028598.TXT -> TrackingCookie.Tacoda : Limpio sin backup
C:\RECYCLED\NPROTECT\00028599.TXT -> TrackingCookie.Tacoda : Limpio sin backup
C:\RECYCLED\NPROTECT\00028977.TXT -> TrackingCookie.Tacoda : Limpio sin backup
C:\RECYCLED\NPROTECT\00029589.DLL -> Adware.Look2Me : Limpio sin backup
C:\Archivos de programa\Yahoo!\Messenger\ycomp.dll -> Adware.Yahoo : Limpio sin backup
C:\Archivos de programa\Multi Theft Auto\MTAClient.exe -> Heuristic.Win32.Morphine-Crypted : Limpio sin backup
C:\Documents and Settings\kpponet\Cookies\kpponet@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Limpio sin backup
C:\Documents and Settings\navega8\Configuración local\Temp\ICD1.tmp\enviapostalesar.exe -> Trojan.Dialer.ag : Limpio sin backup
C:\Documents and Settings\navega8\Configuración local\Temp\ICD2.tmp\Iseult.dll -> Dialer.CDUpdater : Limpio sin backup
C:\Documents and Settings\navega8\Configuración local\Temp\RarSFX0\rinst.exe -> Logger.Perfloger.a : Limpio sin backup
C:\Documents and Settings\navega8\Configuración local\Temp\ICD4.tmp\todoesotericoar.exe -> Trojan.Dialer.ag : Limpio sin backup
C:\Documents and Settings\navega8\Configuración local\Temp\ICD5.tmp\todoesotericoar.exe -> Trojan.Dialer.ag : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@estat[1].txt -> TrackingCookie.Estat : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@ivwbox[1].txt -> TrackingCookie.Ivwbox : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@statcounter[2].txt -> TrackingCookie.Statcounter : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@serving-sys[1].txt -> TrackingCookie.Serving-sys : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@c.goclick[1].txt -> TrackingCookie.Goclick : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@com[2].txt -> TrackingCookie.Com : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@c.enhance[1].txt -> TrackingCookie.Enhance : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@casalemedia[1].txt -> TrackingCookie.Casalemedia : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@burstnet[2].txt -> TrackingCookie.Burstnet : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@stat.onestat[2].txt -> TrackingCookie.Onestat : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@revenue[1].txt -> TrackingCookie.Revenue : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@yadro[2].txt -> TrackingCookie.Yadro : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@weborama[1].txt -> TrackingCookie.Weborama : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@aavalue[1].txt -> TrackingCookie.Aavalue : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Limpio sin backup
C:\Documents and Settings\navega8\Cookies\navega8@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Limpio sin backup
C:\Documents and Settings\Administrador\Cookies\administrador@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@2o7[2].txt -> TrackingCookie.2o7 : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@h.starware[1].txt -> TrackingCookie.Starware : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@as1.falkag[2].txt -> TrackingCookie.Falkag : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@paypopup[1].txt -> TrackingCookie.Paypopup : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@planetout.122.2o7[1].txt -> TrackingCookie.2o7 : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@sel.as-eu.falkag[1].txt -> TrackingCookie.Falkag : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@burstnet[2].txt -> TrackingCookie.Burstnet : Limpio sin backup
C:\Documents and Settings\operador1\Cookies\operador1@tacoda[2].txt -> TrackingCookie.Tacoda : Limpio sin backup
D:\perfnav8\Cookies\navega8@revenue[2].txt -> TrackingCookie.Revenue : Limpio sin backup
D:\perfnav8\Cookies\navega8@statcounter[1].txt -> TrackingCookie.Statcounter : Limpio sin backup
D:\perfnav8\Cookies\navega8@casalemedia[1].txt -> TrackingCookie.Casalemedia : Limpio sin backup


::Fin Report

illukka
2006-02-23, 21:30
hi

The fix seems to have failed. I think I have a clue why..
You seem to have two antiviruses running at the same time.
This is not recommended, as they both will compete to scan a file, causing an extreme performance lag.

Let's try the l2medestroyer again:

Before running it again do the following:

Disconnect the network cable from the infected machine.
Disable both Norton and Trend Micro, the real-time protection components of them.

Then run l2medestroyer again,
reboot

Post the destroyer log and a new HJT log.

post its report and
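As an added illustration (not code from this thread, nor from any of the tools it mentions): between the two HijackThis logs above the O20 Winlogon Notify entry moved from gpr4l39q1.dll to gpj8l31u1.dll, which is the kind of change a reviewer looks for when judging whether a removal held. The script below parses the O20 lines from excerpts of those two logs, reports which entries disappeared or appeared, and flags DLL names that interleave letters and digits the way those two do; the alternation heuristic and its threshold are my own assumption, not a rule from the thread or from HijackThis.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (2006-02-20 and
# 2006-02-23); only the lines relevant to this check are kept.
LOG_BEFORE = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\gpr4l39q1.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_AFTER = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O20 - Winlogon Notify: SysDM - C:\WINDOWS\system32\gpj8l31u1.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
"""

# HJT O20 line layout: "O20 - Winlogon Notify: <subkey name> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_o20(log_text):
    """Return {winlogon-notify-subkey: dll-path} for every O20 line in a HJT log."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("path")
    return entries


def alternation_runs(stem):
    """Count maximal runs of letters / digits / other characters in a name.
    'crypt32' -> 2 runs, 'gpr4l39q1' -> 6 runs."""
    runs, prev = 0, None
    for ch in stem:
        kind = "d" if ch.isdigit() else ("a" if ch.isalpha() else "o")
        if kind != prev:
            runs += 1
            prev = kind
    return runs


def looks_random(path, min_runs=4):
    """Assumed heuristic: generated names such as gpr4l39q1.dll switch between
    letters and digits far more often than legitimate module names
    (crypt32.dll, nvsvc32.exe), which have at most one or two such switches."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return alternation_runs(stem) >= min_runs


def compare_o20(before_text, after_text):
    """Diff the O20 entries of two logs and flag random-looking DLL names."""
    before = parse_o20(before_text)
    after = parse_o20(after_text)
    all_paths = list(before.values()) + list(after.values())
    return {
        "removed": {k: v for k, v in before.items() if k not in after},
        "added": {k: v for k, v in after.items() if k not in before},
        "suspicious": sorted(p for p in all_paths if looks_random(p)),
    }


if __name__ == "__main__":
    result = compare_o20(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added"):
        for name, path in result[label].items():
            print(f"{label:8s} O20 '{name}' -> {path}")
    for path in result["suspicious"]:
        print(f"random-looking Winlogon Notify DLL: {path}")
```

A Winlogon Notify DLL that is gone from one log and replaced by a different random name in the next is the pattern to watch for when checking whether a cleanup actually removed the infection.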

elkpp
2006-02-24, 06:00
hi...
I have done what you suggested and it seems to be better now, but I can't get Norton out: some registry verify and other processes. It may have been infected because I already uninstalled it but it's still there. I've seen somewhere a program to uninstall all Symantec and Norton stuff; do you know where I can find it? Anyway it is too old, and also on a scan PC-cillin found a hack.exe and could not fix or clean it or even delete it, so it is still there. Have you heard anything about it? I hope you understand my English :D
I hope my next log will be better and without Norton there.
Last thing: in Spybot, system startup, I have so many strange entries, almost all disabled by me, but one of them keeps enabled all the time, and by the way they are WINLOGON. I will attach a screen picture. They seem to have hidden and system attributes because I can't find them on disk.. so it starts and everything is back, you know....:D
and nothing detects them and cleans them .....
thanks again...

elkpp
2006-02-25, 01:09
OK, here is an attachment.. so what do you think? And by the way, Look2Me seems to be gone but Norton is still there ...

illukka
2006-02-27, 10:27
hi

Tell me which language version of Windows you have?

Download L2mfix from one of these two locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe,
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

tashi
2006-03-06, 17:24
Due to lack of a response this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.