
Solved trojan horse look2me

Discussion in 'Malware and Virus Removal Archive' started by mva5493, 2007/09/22.

  1. 2007/09/22
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    [Resolved] trojan horse look2me

    I have noticed that when loading a page with firefox, I usually get an error that the page cannot be loaded. If I hit the refresh button it reloads no problem. When I ran avg, it found trojan horse look2me. I am wondering if this was causing my problem with loading pages? I am running win xp sp2, I am also running avgfree 7.5, zone alarm, and avg spyware 7.5. I have also uninstalled norton internet security (within the last month). I did use the removal tool for norton and haven't seen any remnants of that program. I also have mcafee site advisor running as well as ad aware 2007.

    Here is a recent HJT log just in case the look2me is not the source of the problem.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:26:29 PM, on 9/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RedNeck\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crochetville.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://game1.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147365975312
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175286181046
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{922FE74D-11EB-4076-8E14-E378F9738A9D}: NameServer = 198.6.100.98 198.6.1.98
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6777 bytes
     
  2. 2007/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi mva5493 :)

    Did you get a filename and location of the infection?
     

  4. 2007/09/22
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    As reported by avg:
    c:\windows\system32\m8juli1918.dll
     
  5. 2007/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We better take a closer look.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
     
  6. 2007/09/22
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    Here is the main.txt from dss:

    Deckard's System Scanner v20070905.67
    Run by RedNeck on 2007-09-22 14:22:20
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as RedNeck.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:22:34 PM, on 9/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Documents and Settings\RedNeck\Desktop\dss.exe
    C:\DOCUME~1\RedNeck\Desktop\RedNeck.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crochetville.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://game1.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147365975312
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175286181046
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7015 bytes

    -- Files created between 2007-08-22 and 2007-09-22 -----------------------------

    2007-09-22 12:55:02 0 dr-h----- C:\$VAULT$.AVG
    2007-09-22 11:49:21 0 d-------- C:\Documents and Settings\RedNeck\Application Data\AVG7
    2007-09-22 11:49:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-09-22 11:48:38 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-09-21 20:40:30 0 d-------- C:\Program Files\ZSoft
    2007-09-17 19:06:31 0 d-------- C:\Documents and Settings\RedNeck\Application Data\EA
    2007-09-11 21:24:28 16629 -----n--- C:\WINDOWS\hpomdl01.dat
    2007-09-11 21:24:28 20738 -----n--- C:\WINDOWS\hpoins01.dat
    2007-09-09 02:40:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2007-09-03 21:28:44 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-09-03 21:28:32 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2007-09-03 21:28:19 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-09-03 21:28:19 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-09-03 21:28:14 5298208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-09-03 21:27:37 0 d-------- C:\WINDOWS\system32\ZoneLabs
    2007-09-03 21:26:09 0 d-------- C:\WINDOWS\Internet Logs
    2007-09-03 14:14:15 0 d-------- C:\Program Files\Motorola Wireless
    2007-09-02 21:23:24 0 d-------- C:\Documents and Settings\Breona\Application Data\Netscape
    2007-09-02 15:19:59 0 d-------- C:\Documents and Settings\RedNeck\Application Data\Netscape
    2007-08-29 11:12:17 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
    2007-08-24 00:20:10 0 d-------- C:\Program Files\Fairies
    2007-08-24 00:14:15 0 d-------- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    2007-08-24 00:14:12 0 d-------- C:\Program Files\bfgclient


    -- Find3M Report ---------------------------------------------------------------

    2007-09-22 14:01:59 0 d-------- C:\Documents and Settings\RedNeck\Application Data\SiteAdvisor
    2007-09-17 19:06:08 0 d-------- C:\Program Files\Pogo Games
    2007-09-16 16:05:55 502 --a------ C:\WINDOWS\eReg.dat
    2007-09-13 11:12:32 0 d-------- C:\Program Files\Common Files
    2007-09-13 11:12:21 0 d-------- C:\Program Files\Common Files\InstallShield
    2007-09-13 11:12:13 0 d--h----- C:\Program Files\InstallShield Installation Information
    2007-09-09 02:44:20 0 d-------- C:\Documents and Settings\RedNeck\Application Data\Adobe
    2007-09-09 02:41:47 0 d-------- C:\Program Files\Common Files\Adobe
    2007-09-03 21:24:14 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2007-09-03 12:22:48 0 d-------- C:\Program Files\Google
    2007-09-03 11:53:55 0 d-------- C:\Program Files\Coupons
    2007-09-03 11:44:39 0 d-------- C:\Program Files\Java
    2007-09-03 11:40:21 0 d-------- C:\Program Files\eGames
    2007-08-25 09:41:01 0 d-------- C:\Program Files\Messenger
    2007-08-24 12:09:08 0 d-------- C:\Documents and Settings\RedNeck\Application Data\AdobeUM
    2007-08-20 10:43:25 30464 --a------ C:\WINDOWS\macromix.dll
    2007-08-14 23:42:54 0 d-------- C:\Documents and Settings\RedNeck\Application Data\Google
    2007-08-14 19:42:37 1289 --a------ C:\WINDOWS\mozver.dat
    2007-08-06 14:38:37 0 d-------- C:\Program Files\The Learning Company
    2007-08-05 16:43:28 0 d-------- C:\Program Files\Lavasoft
    2007-08-05 16:43:22 0 d-------- C:\Documents and Settings\RedNeck\Application Data\Lavasoft
    2007-08-02 12:23:56 0 d-------- C:\Documents and Settings\RedNeck\Application Data\Grisoft
    2007-07-27 18:29:43 2526 --a------ C:\WINDOWS\system32\tmp.reg
    2007-07-19 10:45:05 31 --ah----- C:\WINDOWS\uccspecc.sys


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 05:42 PM]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
    "NwCplMonitor "= "C:\WINDOWS\system32\redistributor.exe" []
    "NeroFilterCheck "= "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 05:40 PM]
    "PinnacleDriverCheck "= "C:\WINDOWS\system32\PSDrvCheck.exe" [11/10/2003 05:06 PM]
    "ClientGW "=" " []
    "eSnips "= "C:\Program Files\eSnips\ClientGW.exe" []
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
    "ZoneAlarm Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/21/2007 09:54 PM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [09/22/2007 11:48 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 02:32 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
    "updateMgr "= "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]

    C:\Documents and Settings\RedNeck\Start Menu\Programs\Startup\
    PowerReg Scheduler.exe [2/27/2007 4:28:41 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [6/16/2004 6:22:58 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    *Newly Created Service* - AVG7ALRT
    *Newly Created Service* - AVG7CORE
    *Newly Created Service* - AVG7RSW
    *Newly Created Service* - AVG7RSXP
    *Newly Created Service* - AVG7UPDSVC
    *Newly Created Service* - AVGCLEAN



    -- End of Deckard's System Scanner: finished at 2007-09-22 14:23:23 ------------

    When I started to install dss, an avg window popped up and told me the look2me threat had been found. I had previously told it to clean it, so maybe it is still there.
     
  7. 2007/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Nothing showing there, and I suspect it's because of the date range. dss only shows files created in the last 90 days, and the file(s) we're looking for might be older. Let's go ahead and run a tool specialized for look2me.

    Please download Look2Me-Destroyer by Atribune, saving the file to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.
     
  8. 2007/09/22
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    Here is the new hjt log as well as the look2me destroyer log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:21:52 PM, on 9/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\RedNeck\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crochetville.org/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [eSnips] "C:\Program Files\eSnips\ClientGW.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://game1.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147365975312
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175286181046
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{922FE74D-11EB-4076-8E14-E378F9738A9D}: NameServer = 198.6.100.98 198.6.1.98
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7319 bytes


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 9/22/2007 3:10:03 PM


    Attempting to delete infected files...

    Making registry repairs.


    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
     
  9. 2007/09/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm a bit perplexed now. I know that the file in question is within Look2Me-Destroyer's definitions, and I would have expected it to find a copy in at least a system restore point. Since it did not, I would guess that the file was picked up very recently (like today) and was successfully nabbed by AVG. Odd that we aren't seeing any other indication of infection, though.

    Let's make sure the file is gone. Copy the bolded command below.

    dir c:\windows\system32\m8juli1918.dll /a h /s >>c:\present.txt

    Open a command window and right click > Paste the command in, then hit enter. Now open C:\present.txt and post its contents, if any.
     
  10. 2007/09/23
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    Sorry for not responding, I was away from this computer adding memory to another one, and fixing yet another... just a little bit of computer know-how and you are suddenly in high demand..... Dave, I don't know how you do it day in and day out (maybe I do a little, it's the challenge of it all).

    Not sure what response you were expecting, but when I ran the command listed above I got a "file not found" error.
     
    Last edited: 2007/09/23
  11. 2007/09/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's good ....... means the file is not there anymore. :)

    Run an online scan to make sure, but I'd say you're clean.
     
  12. 2007/09/23
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    will do when I get home, once again I am working on another computer :) Thanks again Dave!
     
  13. 2007/09/24
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    here are the scan results:
    KASPERSKY ONLINE SCANNER REPORT
    Monday, September 24, 2007 1:15:40 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 24/09/2007
    Kaspersky Anti-Virus database records: 422770


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target Critical Areas
    C:\WINDOWS
    C:\DOCUME~1\RedNeck\LOCALS~1\Temp\

    Scan Statistics
    Total number of scanned objects 16535
    Number of viruses found 0
    Number of infected objects 0
    Number of suspicious objects 0
    Duration of the scan process 00:27:10

    Infected Object Name Virus Name Last Action
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

    C:\WINDOWS\Internet Logs\V-D168D52A799D4.ldb Object is locked skipped

    C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\temp\ZLT04018.TMP Object is locked skipped

    C:\WINDOWS\temp\ZLT0706f.TMP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    C:\DOCUME~1\RedNeck\LOCALS~1\Temp\hsperfdata_RedNeck\492 Object is locked skipped

    Scan process completed.
     
  14. 2007/09/24
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    Results of another scan using Kaspersky:
    Monday, September 24, 2007 3:28:36 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 24/09/2007
    Kaspersky Anti-Virus database records: 422770


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics
    Total number of scanned objects 89920
    Number of viruses found 26
    Number of infected objects 67
    Number of suspicious objects 0
    Duration of the scan process 02:04:44

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped

    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Ad-Aware SE Personal.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\AVG Anti-Spyware.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Dell Printer Supplies - Inkjet.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Mozilla Firefox.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Nero Home Essentials SE.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Nero Online Upgrade.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Nero StartSmart Essentials.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\NetZero Internet.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\NetZero Quick Help.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Norton Internet Security.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\NZ HiSpeed User Guide.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\QuickTime Player.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Yahoo! Mail.lnk Object is locked skipped

    C:\Documents and Settings\Breona\Desktop\Unused Desktop Shortcuts\Yahoo! Messenger with Voice.lnk Object is locked skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\626_101newer.exe.bac_a03608 Infected: Trojan-PSW.Win32.LdPinch.arr skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\cvn0.exe.bac_a03608 Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608/wfxqhv.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608/zqskw.exe Infected: Trojan.Win32.Runner.j skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608/cvn0.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608 CAB: infected - 3 skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608 CryptFF.b: infected - 3 skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03848/wfxqhv.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03848/zqskw.exe Infected: Trojan.Win32.Runner.j skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03848/cvn0.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03848 CAB: infected - 3 skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03848 CryptFF.b: infected - 3 skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\dfndref_7.exe.bac_a03608 Infected: Trojan-Clicker.Win32.VB.ly skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\drsmartload.exe.bac_a03608 Infected: Trojan-Downloader.Win32.Adload.de skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\drsmartload292a.exe.bac_a03608 Infected: Trojan-Downloader.Win32.Adload.db skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\drsmartload45a7h.exe.bac_a03608 Infected: Trojan-Downloader.Win32.VB.aiv skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\drsmartloa€.bac_a03608 Infected: Trojan-Downloader.Win32.Adload.db skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\fym9bvo.exe.bac_a03608 Infected: Trojan-Downloader.Win32.Agent.ala skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\kybrdef_7.exe.bac_a03608 Infected: Trojan-Downloader.Win32.VB.air skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\ldC91E.tmp.bac_a03608 Infected: not-virus:Hoax.Win32.Renos.dv skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\loader[1].exe.bac_a03608 Infected: Trojan-Downloader.Win32.Adload.de skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\nwnmef_7.exe.bac_a03608 Infected: Trojan-Downloader.Win32.VB.aiy skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\simpole.tlb.bac_a03608 Infected: Trojan-Downloader.Win32.Zlob.xg skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\system32n9nyb.exe.bac_a03608 Infected: Trojan.Win32.Runner.j skipped

    C:\Documents and Settings\home\.housecall6.6\Quarantine\uninst.exe.bac_a03608 Infected: Trojan-Downloader.Win32.Zlob.vn skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\cert8.db Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\formhistory.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\history.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\key3.db Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\parent.lock Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\search.sqlite Object is locked skipped

    C:\Documents and Settings\RedNeck\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\urlclassifier2.sqlite Object is locked skipped

    C:\Documents and Settings\RedNeck\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/misspellsearch.exe/stream/data0005 Infected: not-a-virus:AdTool.Win32.Toolbar.a skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/misspellsearch.exe/stream Infected: not-a-virus:AdTool.Win32.Toolbar.a skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/misspellsearch.exe Infected: not-a-virus:AdTool.Win32.Toolbar.a skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/Setup-ToolBar.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Mostofate.c skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/Setup-ToolBar.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.c skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/Setup-ToolBar.exe Infected: not-a-virus:AdWare.Win32.Mostofate.c skipped

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip ZIP: infected - 6 skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\Cache\_CACHE_001_ Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\Cache\_CACHE_002_ Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\Cache\_CACHE_003_ Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Application Data\Mozilla\Firefox\Profiles\git1h5s1.default\Cache\_CACHE_MAP_ Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\History\History.IE5\MSHist012007092420070925\index.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Temp\hsperfdata_RedNeck\492 Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\RedNeck\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\RedNeck\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\RedNeck\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\gogogo.exe Infected: Backdoor.Win32.IRCBot.ih skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe/10 Infected: Trojan.WinREG.Qoologic skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe/3 Infected: Trojan.BAT.Agent.aj skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe/4 Infected: Trojan.BAT.Agent.ak skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe/9 Infected: Trojan.BAT.Agent.al skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe QuickBatch: infected - 4 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe UPX: infected - 4 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe PE_Patch.UPX: infected - 4 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP522\A0080219.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP542\A0080837.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP542\A0080837.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP542\A0080837.exe RarSFX: infected - 2 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP542\A0080904.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe/10 Infected: Trojan.WinREG.Qoologic skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe/3 Infected: Trojan.BAT.Agent.aj skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe/4 Infected: Trojan.BAT.Agent.ak skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe/9 Infected: Trojan.BAT.Agent.al skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe QuickBatch: infected - 4 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe UPX: infected - 4 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082140.exe PE_Patch.UPX: infected - 4 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082146.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082146.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082146.exe RarSFX: infected - 2 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP584\A0082147.exe Infected: IM-Worm.Win32.Sohanad.aw skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP593\A0082792.dll Infected: not-a-virus:AdWare.Win32.Coupons skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083551.exe Infected: Backdoor.Win32.SdBot.bnr skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083552.exe Infected: Trojan-Downloader.Win32.VB.air skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083553.exe Infected: Backdoor.Win32.SdBot.bnr skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083555.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bop skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083555.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bop skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083555.exe NSIS: infected - 2 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083555.exe UPX: infected - 2 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083555.exe PE_Patch.UPX: infected - 2 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP597\A0083555.exe CryptFF: infected - 2 skipped

    C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP631\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

    C:\WINDOWS\Internet Logs\V-D168D52A799D4.ldb Object is locked skipped

    C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\temp\ZLT04018.TMP Object is locked skipped

    C:\WINDOWS\temp\ZLT0706f.TMP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    I am thinking something is not right here. I don't think that the firewall, anti-spyware and antivirus would miss this many things???
     
  15. 2007/09/24
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    I don't know if this is the same infection or not, but I started a topic in January with this computer and cleaned it with Temerc's help. I thought look2me was something I had seen before; there is a reference to it here: http://www.windowsbbs.com/showthread.php?t=61754 (post #9 has a reference to a look2me log). Not sure if this is the same infection, but it is the same computer.
     
  16. 2007/09/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here's why the Kaspersky scans are so different.

    Scan #1

    Scan Target Critical Areas
    C:\WINDOWS
    C:\DOCUME~1\RedNeck\LOCALS~1\Temp\


    Scan #2

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\
    F:\


    And here's what needs to be removed, going by those results.

    C:\Documents and Settings\home\.housecall6.6\Quarantine\all contents

    C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip << This one is actually OK. The fact that it is in an unused icons folder (which I do not have, because the desktop cleanup wizard is disabled) puts it in the 'getting rid of junk you don't need' category ;)

    C:\Documents and Settings\RedNeck\SmitfraudFix << Scanners still flag some of the files used in the tool. The tool is updated regularly and should be removed anyway.

    C:\gogogo.exe


    The rest is infected System Restore points, which you already know how to handle. :)
     
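    The triage in the post above (ignore "Object is locked skipped" noise, then sort the "Infected:" hits by where they live: another scanner's quarantine, a removal tool's leftovers, System Restore points, or a live file like C:\gogogo.exe) can be mechanised. This is an added example, not code from the thread or from Kaspersky; the sample input is a subset of the report lines posted earlier, and the location buckets and the "not-a-virus:" severity rule are assumptions drawn from that post and from Kaspersky's naming convention.

```python
import re
from collections import defaultdict

# Sample input: a subset of the report lines posted earlier in this thread,
# in the scanner's "<path> <verdict> <action>" layout.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\home\.housecall6.6\Quarantine\dfndref_7.exe.bac_a03608 Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608/zqskw.exe Infected: Trojan.Win32.Runner.j skipped
C:\Documents and Settings\home\.housecall6.6\Quarantine\D8B9A.tmp.bac_a03608 CAB: infected - 3 skipped
C:\Documents and Settings\RedNeck\Desktop\unused icons\misspelled_programs.zip/misspellsearch.exe Infected: not-a-virus:AdTool.Win32.Toolbar.a skipped
C:\Documents and Settings\RedNeck\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\gogogo.exe Infected: Backdoor.Win32.IRCBot.ih skipped
C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe/3 Infected: Trojan.BAT.Agent.aj skipped
C:\System Volume Information\_restore{76CAAB92-04C5-4F0B-92DD-1C5012EF68FB}\RP516\A0080157.exe UPX: infected - 4 skipped
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
# Container roll-up lines ("... CAB: infected - 3 skipped"); the members are
# already listed individually, so these add no new object to act on.
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\S+): infected - (?P<n>\d+) skipped$")


def host_file(path):
    """Map an archive member (".../D8B9A.tmp.bac_a03608/zqskw.exe", ".../A0080157.exe/3")
    back to the file that actually sits on disk."""
    return path.split("/", 1)[0]


def classify_location(path):
    """Bucket a flagged file the way the post above does (assumed buckets)."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # cleared by purging System Restore, not by deleting files
    if "\\quarantine\\" in low:
        return "quarantine"      # another scanner's quarantine; remove the whole folder
    if "\\smitfraudfix\\" in low:
        return "removal_tool"    # helper flagged as RiskTool; remove the old tool
    return "live"                # anything else is a real file in a user-reachable location


def severity(name):
    """Kaspersky prefixes potentially unwanted programs with 'not-a-virus:'."""
    return "pua" if name.startswith("not-a-virus:") else "malware"


def triage(report):
    """Parse a report and return the locked count, the container roll-up count and
    the flagged on-disk files grouped by location bucket with their detection names."""
    locked = containers = 0
    files = defaultdict(dict)  # bucket -> {host file -> [detection names]}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            f = host_file(m.group("path"))
            files[classify_location(f)].setdefault(f, []).append(m.group("name"))
            continue
        if CONTAINER_RE.match(line):
            containers += 1
    return {"locked": locked, "containers": containers, "files": dict(files)}


def action_items(report):
    """Live files carrying a real malware verdict (not just PUA) need attention first."""
    live = triage(report)["files"].get("live", {})
    return sorted(f for f, names in live.items() if any(severity(n) == "malware" for n in names))


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"locked/skipped (noise): {result['locked']}, container roll-ups: {result['containers']}")
    for bucket, entries in result["files"].items():
        print(f"[{bucket}]")
        for f, names in entries.items():
            print(f"  {f}  <- {', '.join(names)}")
    print("act on first:", action_items(SAMPLE_REPORT))
```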
  17. 2007/09/24
    mva5493

    mva5493 Well-Known Member Thread Starter

    Joined:
    2007/01/29
    Messages:
    287
    Likes Received:
    0
    So it's not as bad as it looked at 3 am this morning, when I should have been sleeping instead of trying to make sense of a file that only partly makes sense to me when I am wide awake. Will fix the rest and move on to the next system. :)
     
  18. 2007/09/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Interpreting logs through toothpick eyes can be difficult ;)

    I'll mark this one resolved. :)
     