Thread: Can't Remove Look2Me

  1. #1
    Member | Join Date: Mar 2006 | Posts: 31

    Can't Remove Look2Me

    I've run AdAware, Spybot, Look2Me Destroyer, and ewido (in safe mode) -- none of them are 100% successful. I'll post my HijackThis log in this message and my ewido log in a reply to it. Thanks in advance!

    Logfile of HijackThis v1.99.1
    Scan saved at 2:51:18 PM, on 3/30/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\winlogon.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\system32\spoolsv.exe
    F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    D:\Program Files\Symantec\pcAnywhere\awhost32.exe
    F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
    F:\WINNT\System32\cusrvc.exe
    d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    F:\WINNT\System32\svchost.exe
    d:\Program Files\ewido anti-malware\ewidoctrl.exe
    d:\Program Files\ewido anti-malware\ewidoguard.exe
    D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    F:\WINNT\LogWatNT.exe
    F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    F:\WINNT\system32\regsvc.exe
    D:\Program Files\Remote Task Manager\RTMService.exe
    F:\WINNT\system32\MSTask.exe
    D:\Program Files\TapeWare\TWWINSDR.EXE
    D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
    F:\WINNT\system32\vmnat.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    D:\Program Files\UltraVNC\WinVNC.exe
    F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
    F:\WINNT\Explorer.EXE
    F:\WINNT\system32\cmd.exe
    F:\WINNT\system32\net.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\WINNT\System32\NWTRAY.EXE
    F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\MWSnap\MWSnap.exe
    F:\PROGRA~1\INSTAN~1\aim.exe
    F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
    D:\Program Files\Novell\iFolder\trayapp.exe
    C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
    F:\WINNT\system32\rundll32.exe
    F:\WINNT\system32\cmd.exe
    D:\Ad-Spy-Ware killers\HijackThis.exe
    F:\WINNT\System32\brsags.exe
    F:\WINNT\System32\brsags.exe
    F:\WINNT\System32\brsags.exe
    F:\WINNT\System32\brsags.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
    F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
    F2 - REG:system.ini: UserInit=F:\WINNT\system32\userinit.exe,dvqiqyw.exe
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] F:\Program Files\webHancer\Programs\whsurvey.exe
    O4 - HKLM\..\Run: [biwrfq] F:\WINNT\System32\brsags.exe reg_run
    O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
    O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
    O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
    O4 - HKCU\..\Run: [wfesh] F:\WINNT\System32\brsags.exe reg_run
    O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
    O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
    O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
    O4 - HKCU\..\Run: [CU2] F:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
    O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
    O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
    O4 - Global Startup: tyebm.exe
    O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
    O20 - Winlogon Notify: Setup - F:\WINNT\system32\en04l1dq1.dll
    O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
    O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
    O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
    O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
    O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
    O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
    O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
    O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe

  2. #2
    Member | Join Date: Mar 2006 | Posts: 31

    Immediately after posting the HijackThis log in the previous message, I rebooted to Safe Mode and ran the ewido scanner. Here is its report:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 4:13:54 PM, 3/30/2006
    + Report-Checksum: D79156C3

    + Scan result:

    [420] F:\WINNT\system32\skrobj.dll -> Adware.Look2Me : Error during cleaning
    [464] F:\WINNT\System32\hysawbh.dll -> Downloader.Qoologic.bj : Error during cleaning
    [696] F:\WINNT\System32\hysawbh.dll -> Downloader.Qoologic.bj : Error during cleaning
    :mozilla.10:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.17:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.19:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.21:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
    :mozilla.25:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    :mozilla.28:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.30:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.31:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.32:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.33:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.34:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.35:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.36:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.37:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.38:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.39:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.40:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.41:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.42:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.43:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.44:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.45:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.46:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.47:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.48:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    :mozilla.49:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.50:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
    :mozilla.52:F:\Documents and Settings\bithead.001\Application Data\Mozilla\Firefox\Profiles\06dppvae.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    F:\Documents and Settings\bithead.001\Cookies\bithead@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    F:\WINNT\icont.exe -> Adware.AdURL : Cleaned with backup
    F:\WINNT\iconu.exe -> Adware.Zestyfind : Cleaned with backup
    F:\WINNT\system32\hohdr.dat -> Downloader.Qoologic.bj : Cleaned with backup
    F:\WINNT\system32\__delete_on_reboot__hysawbh.dll -> Downloader.Qoologic.bj : Cleaned with backup
    F:\WINNT\system32\__delete_on_reboot__skrobj.dll -> Adware.Look2Me : Cleaned with backup
    F:\WINNT\Temp\bw2.com -> Adware.Zestyfind : Cleaned with backup


    ::Report End

  3. #3
    Rawe, Security Expert-Emeritus | Join Date: Mar 2006 | Location: Finland | Posts: 393

    Hello and welcome aboard. Let's get started then, shall we?

    You have a few infections there, please stick to it and we'll get them.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Please download Look2Me-Destroyer to your desktop.

    Before continuing with the fix there is something you must do:
    • Click Start -> Run and type in: services.msc
    • Check that the following services are running and that their startup is set to automatic:
        • Seclogon, or Secondary logon service
    • Next, your machine needs to be offline; manually disconnect the network cable if necessary.
    • Your antivirus and all other security software MUST be disabled.


    Now continue:
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shut down.
    • Turn your computer back on.
    • Re-launch your Anti-virus/Firewall protection.
    • Re-connect back to the internet.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  4. #4
    Member | Join Date: Mar 2006 | Posts: 31

    Hoo boy! This is a tad embarrassing... First, I found that there is no Seclogon or Secondary logon service listed. In looking further into it, I found that this PC is running W2K Pro SP2! I'm not sure if SP2 is the reason for the missing service, but it does beg the question... should I try to install SP4 and subsequent updates before we proceed, or should we try to clean up the malware, then install the updates?

    Browsing on this machine cannot be trusted... trying to go to AV web sites usually gets me redirected to someplace else. I tried running Trend's Housecall, only to have it close down shortly after starting to scan. I installed a fresh copy of Firefox the other day and it was hijacked on first launch. I haven't tried going to the Windows Update site yet.

    What should be the next step?

  5. #5
    Rawe, Security Expert-Emeritus | Join Date: Mar 2006 | Location: Finland | Posts: 393

    Hmm. That was my fault.

    The service you should be looking for is named Runas

    Sorry.

  6. #6
    Member | Join Date: Mar 2006 | Posts: 31

    No problem. I didn't see your message until after I got into work, so I was doing what I could remotely. Since the machine in question is at home, I won't be able to proceed until this evening, so I'll post back as soon as I can. Thanks for your help!

  7. #7
    Member | Join Date: Mar 2006 | Posts: 31

    Here are the new log files. Looks like Look2Me Destroyer was successful this time! Thanks!

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 3/31/2006 4:06:09 PM

    Infected! F:\WINNT\system32\kt0ml7d11.dll
    Infected! F:\WINNT\system32\jtns0757e.dll
    Infected! F:\WINNT\System32\guard.tmp

    Attempting to delete infected files...

    Attempting to delete: F:\WINNT\system32\jtns0757e.dll
    F:\WINNT\system32\jtns0757e.dll Deleted successfully!

    Attempting to delete: F:\WINNT\System32\guard.tmp
    F:\WINNT\System32\guard.tmp Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C0AF100B-784C-4C7F-8944-F3DB301AABAC}"
    HKCR\Clsid\{C0AF100B-784C-4C7F-8944-F3DB301AABAC}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4132D6FD-732E-4AE4-9222-B061BF76CF17}"
    HKCR\Clsid\{4132D6FD-732E-4AE4-9222-B061BF76CF17}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6CEF4FBD-5C9A-4ABF-900E-46A7EEAA4E03}"
    HKCR\Clsid\{6CEF4FBD-5C9A-4ABF-900E-46A7EEAA4E03}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{726AA7D5-DE8A-4829-89F4-D791A814A0BB}"
    HKCR\Clsid\{726AA7D5-DE8A-4829-89F4-D791A814A0BB}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2151DBC1-22AD-4710-BE69-67264E0B292D}"
    HKCR\Clsid\{2151DBC1-22AD-4710-BE69-67264E0B292D}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{89E91042-CCE5-4E3F-8D6D-934EF4AF8D2E}"
    HKCR\Clsid\{89E91042-CCE5-4E3F-8D6D-934EF4AF8D2E}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    =====

    Logfile of HijackThis v1.99.1
    Scan saved at 4:16:20 PM, on 3/31/2006
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\csrss.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\system32\spoolsv.exe
    F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    D:\Program Files\Symantec\pcAnywhere\awhost32.exe
    F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
    F:\WINNT\System32\cusrvc.exe
    d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    F:\WINNT\System32\svchost.exe
    d:\Program Files\ewido anti-malware\ewidoctrl.exe
    d:\Program Files\ewido anti-malware\ewidoguard.exe
    D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    F:\WINNT\LogWatNT.exe
    F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    F:\WINNT\system32\regsvc.exe
    D:\Program Files\Remote Task Manager\RTMService.exe
    F:\WINNT\system32\MSTask.exe
    D:\Program Files\TapeWare\TWWINSDR.EXE
    D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
    F:\WINNT\system32\vmnat.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    D:\Program Files\UltraVNC\WinVNC.exe
    F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    F:\Program Files\ComputerAssociates\ARCserveITDS\Liccheck.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\WINNT\System32\NWTRAY.EXE
    F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\MWSnap\MWSnap.exe
    F:\PROGRA~1\INSTAN~1\aim.exe
    F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
    D:\Program Files\Novell\iFolder\trayapp.exe
    C:\Program Files\OpenOffice.org1.0.1\program\soffice.exe
    D:\Ad-Spy-Ware killers\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.99.1.12:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0;<local>
    F2 - REG:system.ini: Shell=Explorer.exe, F:\WINNT\System32\rbjef.exe
    F2 - REG:system.ini: UserInit=F:\WINNT\system32\userinit.exe,dvqiqyw.exe
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\winnt\googletoolbar3.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] F:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Client Access Service] "D:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "D:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "D:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
    O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
    O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
    O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
    O4 - HKCU\..\Run: [ScreenTaker] F:\Program Files\ScreenTaker\STaker.exe
    O4 - HKCU\..\Run: [Ramd] "F:\Program Files\rmda\haci.exe" -vt yazr
    O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
    O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\INSTAN~1\aim.exe -cnetwait.odl
    O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Program Files\OpenOffice.org1.0.1\program\quickstart.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: LastQUIT v1.2.lnk = F:\Program Files\Longshot Productions\LastQUIT v1.2\LASTQUIT.EXE
    O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
    O8 - Extra context menu item: &Google Search - res://f:\winnt\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://f:\winnt\GoogleToolbar3.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://f:\winnt\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://f:\winnt\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: Similar Pages - res://f:\winnt\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://f:\winnt\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - F:\WINNT\System32\dmonwv.dll (file missing)
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = insightnetsolutions.net
    O20 - Winlogon Notify: NavLogon - F:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
    O20 - Winlogon Notify: winm32 - F:\WINNT\SYSTEM32\winm32.dll
    O23 - Service: ARCserve Discovery Service (ASDiscoverySvc) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserveITDS\asdscsvc.exe
    O23 - Service: ARCserve Message Engine (ASMsgEngine) - Unknown owner - F:\Program Files\ComputerAssociates\ARCserve\msgeng.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - F:\Program Files\ComputerAssociates\ARCserve\Alert\Alert.exe
    O23 - Service: Client Agent for ARCserve - Computer Associates - F:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - F:\WINNT\System32\cusrvc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - d:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - F:\WINNT\CWBRXD.EXE
    O23 - Service: DefWatch - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - D:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - F:\WINNT\LogWatNT.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Remote Task Manager service (RTM) - Unknown owner - D:\Program Files\Remote Task Manager\RTMService.exe
    O23 - Service: TapeWare - Unknown owner - D:\Program Files\TapeWare\TWWINSDR.EXE
    O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - D:\Program Files\VMware\VMware Workstation\Programs\vmware-authd.exe
    O23 - Service: VMware NAT Service - Unknown owner - F:\WINNT\system32\vmnat.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
    O23 - Service: ZipToA - Unknown owner - F:\WINNT\System32\ZipToA.exe (file missing)
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - F:\Program Files\Iomega\AutoDisk\ADService.exe
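A triage sketch for the O4 (autorun) section of a log like the one above, added here as an example and not part of the thread or of HijackThis. The two heuristics (an autorun command launched from a Temp directory, and one value name registered under several autorun keys) and all function names are assumptions chosen for illustration; the sample lines are copied from this log.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKLM\..\RunServices: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [MWSnap] "D:\Program Files\MWSnap\MWSnap.exe"
O4 - HKCU\..\Run: [shellbn] F:\WINNT\System32\shellbn.exe
O4 - HKCU\..\Run: [Key] F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp
O4 - Global Startup: Novell iFolder.lnk = D:\Program Files\Novell\iFolder\trayapp.exe
"""

# Registry-based O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REGISTRY = re.compile(r"^\s*O4 - (HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")

def parse_o4(log):
    """Return (autorun_key, value_name, command) for each registry O4 line."""
    entries = []
    for line in log.splitlines():
        match = O4_REGISTRY.match(line)
        if match:  # Startup-folder lines use a different layout and are skipped
            entries.append((match.group(1), match.group(2), match.group(3).strip()))
    return entries

def triage(entries):
    """Map value name -> sorted reasons the entry deserves manual review."""
    keys_by_name = defaultdict(set)
    findings = defaultdict(set)
    for key, name, command in entries:
        keys_by_name[name].add(key)
        # Heuristic 1 (assumption): autoruns rarely belong in a Temp directory.
        if "\\temp\\" in command.lower():
            findings[name].add("runs from a Temp directory")
    for name, keys in keys_by_name.items():
        # Heuristic 2 (assumption): one name spread over several autorun keys.
        if len(keys) > 1:
            findings[name].add(f"same value name under {len(keys)} autorun keys")
    return {name: sorted(reasons) for name, reasons in findings.items()}

if __name__ == "__main__":
    for name, reasons in triage(parse_o4(SAMPLE_LOG)).items():
        print(f"[{name}] " + "; ".join(reasons))
```

A flagged entry is only a candidate for review; legitimate software can trip either heuristic.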

  8. #8
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Hi again; let's continue.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Killqoo.reg to your desktop.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe"
    "Userinit"="C:\\WINDOWS\\System32\\userinit.exe,dvqiqyw.exe"
    Now double-click on the Killqoo.reg on your desktop and allow it to merge with the registry by clicking YES on the prompt.

    ==

    Uninstall the following entries through Control Panel -> Add/Remove programs if present:

    ScreenTaker
    rmda


    ==

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract Avenger.exe to your desktop.

    2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

    Files to delete:
    F:\WINNT\System32\rbjef.exe
    F:\WINNT\System32\shellbn.exe
    F:\DOCUME~1\bithead.001\LOCALS~1\Temp\1F.tmp

    Folders to delete:
    F:\Program Files\ScreenTaker\
    F:\Program Files\rmda\haci.exe

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to the notepad file into this window
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
    • Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it briefly opens a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  9. #9
    Member
    Join Date
    Mar 2006
    Posts
    31


    Hi,

    I have a question about the killqoo.reg file that you provided...

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe"
    "Userinit"="C:\\WINDOWS\\System32\\userinit.exe,dvqiqyw.exe"

    In the last line, should dvqiqyw.exe be included? It is currently in the registry of the infected machine, but it is not present on 2 other non-infected Win2000 machines that I've looked at.

    I will proceed using your instructions, including the above, but want to be sure that it really should be included. Thanks for your help!

  10. #10
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Yes, it should be included. It will help us remove it.
