Pop Unders

Driveboy

New Member
Hi all:
I am looking for your help.
My computer is being overloaded with pop-unders, pop-ups, flash adware etc. I have purchased Spyware Doctor but it does not stop any of the actions so far.
I am studying at college at the moment and it is really holding me back every time a pop-up or something else appears on my screen, even with my pop-up settings set at high.

PLEASE HELP

THANX IN ADVANCE
 
As requested:

Logfile of HijackThis v1.99.1
Scan saved at 19:05:20, on 18/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.7.0.58\PlaxoHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.7.0.58\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [wzzr] C:\PROGRA~1\COMMON~1\wzzr\wzzrm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://driveboy.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\j04o0ah3ed4.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\kt00l7dm1.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
 
Please download Look2Me-Destroyer.exe to your desktop.

* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear. This is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

After doing the above:

1. Please download ewido security suite; it is a trial version of the program.
* Install ewido security suite.
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido; there should be an icon on your desktop, double-click it.
* The program will prompt you to update; click the OK button.
* The program will now go to the main screen

2. You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update
* Click on Start

3. The update will start and a progress bar will show the updates being installed.

4. Once the updates are installed do the following:
* Click on scanner
* Click on Complete System Scan and the scan will begin.

5. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report
* Save the report to your desktop

6. Reboot your machine and post back a new HJT log and the ewido .txt log file you saved, using Add Reply.
 
Hi Sid:
As requested, BTW... Thank you

Logfile of HijackThis v1.99.1
Scan saved at 19:57:24, on 18/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.7.0.58\PlaxoHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFXFER.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.7.0.58\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [wzzr] C:\PROGRA~1\COMMON~1\wzzr\wzzrm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://driveboy.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

-------------------------------------------------------------------------


Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 18/03/2006 19:48:10

Infected! C:\WINDOWS\system32\j04o0ah3ed4.dll
Infected! C:\WINDOWS\system32\knd101a.dll
Infected! C:\WINDOWS\system32\kt00l7dm1.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012658.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012659.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012660.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012661.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012662.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012663.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012664.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012665.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012666.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012667.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012668.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012669.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012670.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012671.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012696.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012736.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012741.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012750.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012754.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012764.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012771.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012780.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012785.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012799.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012804.dll
Infected! C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP28\A0012828.dll
Infected! C:\WINDOWS\system32\dwsshlex.dll
Infected! C:\WINDOWS\system32\knd101a.dll
Infected! C:\WINDOWS\system32\p6r40g9qe6.dll
Infected! C:\WINDOWS\system32\r86u0ij9e8o.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\knd101a.dll
C:\WINDOWS\system32\knd101a.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012658.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012658.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012659.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012659.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012660.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012660.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012661.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012661.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012662.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012662.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012663.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012663.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012664.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012664.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012665.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012665.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012666.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012666.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012667.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012667.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012668.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012668.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012669.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012669.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012670.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012670.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012671.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012671.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012696.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012696.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012736.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012736.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012741.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012741.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012750.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012750.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012754.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012754.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012764.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012764.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012771.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012771.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012780.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012780.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012785.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012785.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012799.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012799.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012804.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP25\A0012804.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP28\A0012828.dll
C:\System Volume Information\_restore{9CD80158-4028-4D5D-9E72-BF51B5A015D3}\RP28\A0012828.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dwsshlex.dll
C:\WINDOWS\system32\dwsshlex.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\knd101a.dll
C:\WINDOWS\system32\knd101a.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p6r40g9qe6.dll
C:\WINDOWS\system32\p6r40g9qe6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r86u0ij9e8o.dll
C:\WINDOWS\system32\r86u0ij9e8o.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8EA35372-73ED-4055-89E8-1F46A864C022}"
HKCR\Clsid\{8EA35372-73ED-4055-89E8-1F46A864C022}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EE1AF2F6-0723-46EC-9C1C-EAAB6FFF277B}"
HKCR\Clsid\{EE1AF2F6-0723-46EC-9C1C-EAAB6FFF277B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CCC36B2F-4ED2-4DF7-9876-3D9F699B76E8}"
HKCR\Clsid\{CCC36B2F-4ED2-4DF7-9876-3D9F699B76E8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{14E742E9-6C66-4795-A09A-ECB90B3A445B}"
HKCR\Clsid\{14E742E9-6C66-4795-A09A-ECB90B3A445B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
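Added example (not from this thread, nor from HijackThis or Look2Me-Destroyer): a short Python triage script that pulls the O20 Winlogon Notify entries out of the first HJT log above, flags the random-named system32 DLLs that Look2Me drops, and confirms against the second HJT log that those entries are gone after the cleanup. The log lines embedded below are copied from the two logs posted in this thread; the random-name heuristic (counting letter/digit switches in the file stem) is this example's own idea and is not a HijackThis feature.

```python
"""Triage HijackThis v1.99.1 log lines for Winlogon Notify (O20) persistence.

Added example for this thread; the sample lines are copied from the two HJT
logs posted above. The random-name heuristic is an assumption of this example.
"""
import re

# Lines from the first HJT log in the thread (before Look2Me-Destroyer ran).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [wzzr] C:\PROGRA~1\COMMON~1\wzzr\wzzrm.exe
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\j04o0ah3ed4.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\kt00l7dm1.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Corresponding lines from the second HJT log (after cleanup): no O20 lines remain.
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKCU\..\Run: [wzzr] C:\PROGRA~1\COMMON~1\wzzr\wzzrm.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT finding starts with a section code such as R0, F2, O4, O20, O23.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O20 body: "Winlogon Notify: <subkey name> - <dll path>[ (file missing)]"
O20_RE = re.compile(
    r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_hjt(text):
    """Return (section code, body) pairs for every finding line in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def looks_random(stem):
    """Heuristic (this example's own): Look2Me-style stems such as j04o0ah3ed4
    alternate letters and digits many times, which real vendor DLLs rarely do."""
    s = re.sub(r"[^a-z0-9]", "", stem.lower())
    digits = sum(c.isdigit() for c in s)
    letters = len(s) - digits
    transitions = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    return digits >= 2 and letters >= 2 and transitions >= 4


def triage_o20(entries):
    """Describe each O20 Winlogon Notify entry and flag random-named system32 DLLs."""
    findings = []
    for code, body in entries:
        if code != "O20":
            continue
        m = O20_RE.match(body)
        if not m:
            continue
        path = m.group("path")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        in_system32 = "\\system32\\" in path.lower()
        findings.append({
            "name": m.group("name"),
            "path": path,
            "missing": bool(m.group("missing")),
            "suspicious": in_system32 and looks_random(stem),
        })
    return findings


def diff_o20(before, after):
    """Return the O20 entries present in the 'before' log but absent afterwards,
    i.e. what the cleanup tool actually removed from Winlogon\\Notify."""
    after_paths = {f["path"] for f in triage_o20(parse_hjt(after))}
    return [f for f in triage_o20(parse_hjt(before)) if f["path"] not in after_paths]


if __name__ == "__main__":
    for f in triage_o20(parse_hjt(LOG_BEFORE)):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        missing = " (file missing)" if f["missing"] else ""
        print(f"{flag:10} {f['name']:18} {f['path']}{missing}")
    removed = diff_o20(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} Winlogon Notify entries gone after cleanup")
```

The "(file missing)" marker is worth keeping in the output: it is the case where the registry value still points at a DLL that has already been deleted or renamed, so the Winlogon\Notify value must be removed as well, which is exactly what the "Making registry repairs" section of the Look2Me-Destroyer log shows.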
 
1. Please download ewido security suite; it is a trial version of the program.
* Install ewido security suite.
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido; there should be an icon on your desktop, double-click it.
* The program will prompt you to update; click the OK button.
* The program will now go to the main screen

2. You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update
* Click on Start

3. The update will start and a progress bar will show the updates being installed.

4. Once the updates are installed do the following:
* Click on scanner
* Click on Complete System Scan and the scan will begin.

5. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report
* Save the report to your desktop

6. Reboot your machine and post back a new HJT log and the ewido .txt log file you saved, using Add Reply.
 