Another Hijackthis to bore you

LonnyRJones said:
Hi
Thanks for sticking in there

Download the attached text file (badfiles.txt) to the c:\findl2m folder,
replacing the one already there.
Run batch.bat and follow the prompt to restart the PC.
Once Windows has completely loaded,
run cleanup, then post back with the logit.txt please.


I added the text and then repeated, and when I did the cleanup I got this:

File not found - C:\WINDOWS\system32\hrr6059se.dll
File not found - C:\WINDOWS\system32\LSPCX80N.DLL
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
finished
Press any key to continue . . .

This is the logit.txt:

Locked files
ECHO is off.
ERROR: The system cannot find the file specified.

processed file: C:\WINDOWS\system32\WXDRMNet.dll
ERROR: The system cannot find the file specified.

processed file: C:\WINDOWS\system32\pIqsp.dll
processed file: C:\WINDOWS\system32\ir8ql5l51.dll
processed file: C:\WINDOWS\system32\en6ul1j91.dll
processed file: C:\WINDOWS\system32\enpol1731.dll
processed file: C:\WINDOWS\system32\enpul1791.dll
processed file: C:\WINDOWS\system32\dn6801jue.dll
processed file: C:\WINDOWS\system32\hr2m05f1e.dll
processed file: C:\WINDOWS\system32\iwnathlp.dll
processed file: C:\WINDOWS\system32\iynathlp.dll
processed file: C:\WINDOWS\system32\ktr4l79q1.dll
processed file: C:\WINDOWS\system32\l0n4la5q1d.dll
processed file: C:\WINDOWS\system32\p24ulch91f4.dll
processed file: C:\WINDOWS\system32\sibcsp.dll
processed file: C:\WINDOWS\system32\sqtupdll.dll
processed file: C:\WINDOWS\system32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\iretmib1.dll
processed file: C:\WINDOWS\SYSTEM32\kqdno1.dll
processed file: C:\WINDOWS\SYSTEM32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\j62qlgf5162.dll
processed file: C:\WINDOWS\SYSTEM32\LMMLMVid.dll
processed file: C:\WINDOWS\SYSTEM32\SPKIT432.DLL
processed file: C:\WINDOWS\SYSTEM32\o4pqle751h.dll


Files moved to C:\FindL2M\!backups
ECHO is off.
processed file: C:\WINDOWS\system32\WXDRMNet.dll
processed file: C:\WINDOWS\system32\pIqsp.dll
processed file: C:\WINDOWS\system32\ir8ql5l51.dll
processed file: C:\WINDOWS\system32\en6ul1j91.dll
processed file: C:\WINDOWS\system32\enpol1731.dll
processed file: C:\WINDOWS\system32\enpul1791.dll
processed file: C:\WINDOWS\system32\dn6801jue.dll
processed file: C:\WINDOWS\system32\hr2m05f1e.dll
processed file: C:\WINDOWS\system32\iwnathlp.dll
processed file: C:\WINDOWS\system32\iynathlp.dll
processed file: C:\WINDOWS\system32\ktr4l79q1.dll
processed file: C:\WINDOWS\system32\l0n4la5q1d.dll
processed file: C:\WINDOWS\system32\p24ulch91f4.dll
processed file: C:\WINDOWS\system32\sibcsp.dll
processed file: C:\WINDOWS\system32\sqtupdll.dll
processed file: C:\WINDOWS\system32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\iretmib1.dll
processed file: C:\WINDOWS\SYSTEM32\kqdno1.dll
processed file: C:\WINDOWS\SYSTEM32\guard.tmp
processed file: C:\WINDOWS\SYSTEM32\j62qlgf5162.dll
processed file: C:\WINDOWS\SYSTEM32\LMMLMVid.dll
processed file: C:\WINDOWS\SYSTEM32\SPKIT432.DLL
processed file: C:\WINDOWS\SYSTEM32\o4pqle751h.dll
 
Lonny, I know it has not been on long enough to be sure, but the pop-ups have so far stopped. I did a quick surf around my stored sites and still nothing.

If so, now what? Should I move to Firefox instead of Internet Explorer? Do I need to add anything to keep the malware at bay?

Am I safe to run Spybot now?
 
Shell Extensions-Approved SUSPECT list
------------------------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{7106CF04-42F8-4314-81C4-2EE07F61962D}=""
CLSID Points to -> C:\WINDOWS\system32\kqdno1.dll

----------------------------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}=""
CLSID Points to -> C:\WINDOWS\system32\LSPCX80N.DLL

----------------------------------------
 
Hi

Can you delete guard.tmp?

Launch Notepad (not WordPad), and copy and paste the text below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{7106CF04-42F8-4314-81C4-2EE07F61962D}=-
{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message, delete fixme.reg.

Run Spybot, check for and fix any problems found, then update and run your antivirus program.
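As an added illustration (not LonnyRJones' code or any tool from this thread), the Python below parses the "Shell Extensions-Approved SUSPECT list" block quoted above and builds a REGEDIT4 file in the same shape as fixme.reg: each flagged CLSID value is deleted from the Approved key and the SV1 Post Platform value is re-created. The sample input is the two entries from this thread, embedded as a constructed string; a real scan would feed the tool's own output in.

```python
import re

# Constructed sample input: the SUSPECT list block as quoted in this thread
# (tool output listing approved shell extensions whose CLSIDs resolve to
# unrecognised DLLs in system32).
SUSPECT_LIST = r"""Shell Extensions-Approved SUSPECT list
------------------------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{7106CF04-42F8-4314-81C4-2EE07F61962D}=""
CLSID Points to -> C:\WINDOWS\system32\kqdno1.dll

----------------------------------------

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
{5AB035BB-A13F-4045-BDC3-FF4EE13FBF90}=""
CLSID Points to -> C:\WINDOWS\system32\LSPCX80N.DLL
"""

APPROVED_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                r"\Shell Extensions\Approved")
POST_PLATFORM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")

# A CLSID value line looks like {8-4-4-4-12 hex digits}="..."
CLSID_RE = re.compile(r"^(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})=")
TARGET_RE = re.compile(r"^CLSID Points to -> (.+)$")

def parse_suspects(text):
    """Return [(clsid, dll_path), ...] for every CLSID line that is directly
    followed by a 'CLSID Points to' line; any other line is ignored."""
    lines = [ln.strip() for ln in text.splitlines()]
    found = []
    for i, line in enumerate(lines[:-1]):
        m = CLSID_RE.match(line)
        t = TARGET_RE.match(lines[i + 1])
        if m and t:
            found.append((m.group(1).upper(), t.group(1).strip()))
    return found

def build_reg_fix(entries):
    """Build a REGEDIT4 file in the shape of the thread's fixme.reg: delete
    ('=-') each suspect CLSID value under the Approved key, then re-create
    the SV1 value under Post Platform as the original fix does."""
    out = ["REGEDIT4", "", "[%s]" % APPROVED_KEY]
    out += ["%s=-" % clsid for clsid, _ in entries]
    out += ["[%s]" % POST_PLATFORM_KEY, '"SV1"=""', ""]
    return "\r\n".join(out)  # .reg files are CRLF text
```

Calling `build_reg_fix(parse_suspects(SUSPECT_LIST))` yields the same two `=-` deletions that the fixme.reg above contains, so the output can be compared line by line against the hand-written fix before it is merged.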
 
Done the first bit, then on to Spybot, which found nothing; now on to the antivirus, which will take some time.

Lonny, you are a star. I cannot express my gratitude enough. Thanks for sticking with me, and I apologise if I made mistakes and was a little slow on the uptake; we got there though.

I don't know what more to say, it seems a hollow response after all the help you have given.
 
The type of the file system is NTFS.
C: is not dirty.
C:\WINDOWS\SYSTEM32\GUARD.TMP

You said can I delete this? How? Do you mean go into the C drive, find it and remove it?

If so, the answer is no, I cannot; it reappears.
 
That's odd.
Edit badfiles.txt to only include
C:\WINDOWS\SYSTEM32\GUARD.TMP
then run cleanup.bat; it should process and move it to the backups folder.

Can we see one final HijackThis log please?
 
Logfile of HijackThis v1.99.1
Scan saved at 6:53:37 PM, on 25/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darren Clarke\My Documents\Copy of HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/sport1/hi/football/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.thesun.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A66DD76-283E-4CE9-A795-F473D8C6AC50}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
 
LonnyRJones said:
That's odd.
Edit badfiles.txt to only include
C:\WINDOWS\SYSTEM32\GUARD.TMP
then run cleanup.bat; it should process and move it to the backups folder.

Can we see one final HijackThis log please?


Did as you said and it will not disappear.
 
Hi

Check the file's name: open a folder and navigate to the system32 folder.
GUARD.TMP or gaurd.tmp?
You ran cleanup.bat, not batch.bat, correct?
Delete logit.txt and run cleanup.bat again, then post the logit.txt please.
I'm not too concerned about it though.

I suggest you turn off Norton's script blocking in its options, then uninstall Norton's antivirus program since you use AVG.

Are there any current problems ?
 
Yes, I used the cleanup.

Files moved to C:\FindL2M\!backups
ECHO is off.
processed file: C:\WINDOWS\SYSTEM32\guard.tmp

Everything seems fine: no spyware on Spybot, one virus in the vault, no pop-ups.

Is there much difference between Internet Explorer and Firefox?
 
Firefox is a great idea, less likely to get hijacked. But do keep Internet Explorer up to date, Windows too for that matter.

If everything is OK after a week or so, delete the l2mfix and findl2m folders
and delete/purge the old System Restore points.
Purge the old System Restore points
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. <- Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Regards
 
As the malware problem appears to be resolved this topic will be archived.
If you need the topic reopened please pm me. Glad we could help. :)
 