
IE automatically keeps on popping up [with unwanted websites]

Discussion in 'Malware and Virus Removal Archive' started by Praveen, 2006/05/24.

  1. 2006/05/24 - Praveen (Thread Starter)
    On my machine, IE automatically keeps popping up with some unwanted websites. I happened to do some research on this and I am not sure whether what I found is correct. Can anyone please help me get rid of this problem?

    I found out that there is an unwanted DLL being created in the windows\system32 directory, whose name changes whenever you reboot. When I tried to delete it, it said access denied. Then I tried to see which process is using this DLL with the Process Explorer tool. It showed me that winlogon.exe is using it. It also creates a registry entry under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    The key name it creates changes every time you reboot. Even after deleting this, it gets created again.

    Thanks in advance
     
  2. 2006/05/24 - charlesvar
    Hello Praveen,

    Two tools to use in troubleshooting this:

    Download Ewido http://www.ewido.net/en/

    Install as a scanner only: under "Additional Options", uncheck "Install background guard".

    Before using it, update it. Scan in safe mode: tap the F8 key on bootup. Post anything it finds here; it may need more than one post.



    HijackThis:

    Download the latest version (1.99) from here: http://radiosplace.com/

    Download it to its own folder, for example create a folder C:\HijackThis, unzip it (double-click the zipped folder), click on the executable, click the Scan button, click Save Log and save to the folder you just created, then copy the resulting .txt file and paste it into your next post.

    Regards - Charles
     


  4. 2006/05/24 - Praveen (Thread Starter)
    IE automatically keeps on popping up

    Hello Charles,
    Thanks for the reply... here is the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:28:41 PM, on 5/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5296.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Drivers\trcboot.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\progra~1\c4ebreg\c4ebreg.exe
    c:\sdwork\issimsvc.exe
    C:\notes\ntmulti.exe
    C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\WINDOWS\system32\userdump.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Drivers\ldlcserv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\progra~1\c4ebreg\isamtray.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\CiscoSecureAA\PROGRAM\Client.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    F:\Softwares\HijackThis_v1.99.1.exe

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
    O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ISAMTray] "C:\progra~1\c4ebreg\isamtray.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
    O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
    O4 - HKLM\..\Run: [defergui] c:\sdwork\defergui.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: default.caa
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
    O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
    O16 - DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} (gpwsx.plugin) - http://w3.ibm.com/tools/print/plugin/gpwsx.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
    O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\n8n60i5se8.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TEST SERVICE (TEST) - Unknown owner - C:\temp\delete\Debug\delete.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
    Last edited: 2006/05/24
  5. 2006/05/24 - Praveen (Thread Starter)
    Also, to add, I feel it could be a service running as svchost.exe, which is very difficult to find. Please let me know if you find anything.
     
  6. 2006/05/24 - PeteC (Staff)
    Praveen

    I am taking over from Charles on this .....

    While I look at your log would you please post the Ewido report which Charles requested. If you did not save it there is little point in scanning again with Ewido at this point in time - anything Ewido found should have been removed, but it would be helpful to know what was removed.
     
  7. 2006/05/24 - PeteC (Staff)
    Boot into Safe Mode and scan again with HJT - place a check mark against these two items and hit Fix selected ....

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\n8n60i5se8.dll

    Boot into normal mode, scan again and post a new log - I rather fancy the O20 entry may reappear. If it does we will try another approach.
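The entries Praveen posted and the fix PeteC asks for can be triaged mechanically. The Python below is an added example written for this thread, not code from HijackThis or from any poster: it parses O3/O20/O23 lines, flags Winlogon Notify DLLs whose names look machine-generated (the letter/digit alternation heuristic is an assumption of this example, not a published signature), flags entries HijackThis marked "(file missing)" or "(no file)", and diffs the Notify entries of two logs so that a DLL which comes back under a new name after a reboot, as PeteC expects, shows up as a rotation. The "after" log is constructed by pairing the ShellCompatibility key with the gp4ml3h11.dll name that appears later in the Look2Me-Destroyer output; that pairing is hypothetical.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed excerpt: the O3/O20/O23 lines from the HijackThis log posted in this thread.
HJT_BEFORE = r"""
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\n8n60i5se8.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Constructed, hypothetical "after reboot" log: the same Notify subkey now points at a
# differently named DLL, which is the rotating-name behaviour described in the thread.
HJT_AFTER = HJT_BEFORE.replace("n8n60i5se8.dll", "gp4ml3h11.dll")

MARKERS = ("(file missing)", "(no file)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.*)$")
GENERIC_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.*)$")


@dataclass
class Entry:
    section: str   # HijackThis section, e.g. O20
    key: str       # Notify subkey name / toolbar name / service name
    path: str      # target as HijackThis printed it, annotation stripped
    missing: bool  # HijackThis appended "(file missing)" or "(no file)"


def strip_marker(s: str):
    """Split off the trailing "(file missing)" / "(no file)" annotation."""
    for m in MARKERS:
        if s.endswith(m):
            return s[: -len(m)].rstrip(), True
    return s, False


def parse_hjt(text: str):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O20_RE.match(line):
            path, missing = strip_marker(m["path"])
            entries.append(Entry("O20", m["key"], path, missing))
        elif g := GENERIC_RE.match(line):
            head = g["rest"].split(": ", 1)[-1]        # drop the "Toolbar:" / "Service:" label
            key = head.split(" - ", 1)[0]
            path, missing = strip_marker(head.split(" - ")[-1])
            entries.append(Entry(g["section"], key, path, missing))
    return entries


def looks_generated(stem: str) -> bool:
    """Heuristic (an assumption of this example, not a signature): names such as
    n8n60i5se8 switch between letters and digits far more often than vendor DLLs do."""
    classes = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    digits = classes.count("d")
    return transitions >= 3 or (transitions >= 2 and digits >= 3)


def triage(entries):
    """Return (key, reason) pairs that deserve a second look."""
    findings = []
    for e in entries:
        if e.missing:
            findings.append((e.key, "file missing"))
        if e.section != "O20":
            continue
        p = PureWindowsPath(e.path)
        if p.suffix.lower() != ".dll":
            findings.append((e.key, "path is not a DLL"))
        elif not e.missing and looks_generated(p.stem):
            findings.append((e.key, "generated-looking DLL name"))
    return findings


def notify_changes(before_text: str, after_text: str):
    """Compare Winlogon Notify entries of two logs, keyed by subkey name."""
    before = {e.key: e.path for e in parse_hjt(before_text) if e.section == "O20"}
    after = {e.key: e.path for e in parse_hjt(after_text) if e.section == "O20"}
    return {
        "rotated": {k: (before[k], after[k]) for k in before.keys() & after.keys()
                    if before[k].lower() != after[k].lower()},
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
    }


if __name__ == "__main__":
    for key, reason in triage(parse_hjt(HJT_BEFORE)):
        print(f"{key:20} {reason}")
    for key, (old, new) in notify_changes(HJT_BEFORE, HJT_AFTER)["rotated"].items():
        print(f"{key}: {old} -> {new}")
```

Run it and ShellCompatibility is the only Notify DLL flagged as generated-looking; NavLogon, QConGina and pcsinst pass. AutorunsDisabled is flagged because its target is a directory rather than a DLL, and the atmgrtok and rpcapd entries are flagged as dangling, which matches the discussion that follows: a missing file is a harmless leftover, whereas a Notify DLL that is present, locked by winlogon.exe and renamed on every boot is the live infection. The name heuristic is a triage aid only; Look2Me-Destroyer later also flagged mxpatcha.dll, a name with no digits at all, so a clean-looking name proves nothing.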
     
  8. 2006/05/24 - Welshjim
    PeteC--I know I should not crash someone else's thread, but what does it mean when HJT reports "(file missing)"?
    I will post in a new thread if you prefer, but it may have pertinence here.
     
  9. 2006/05/24 - PeteC (Staff)
    Jim

    I recently had a PM discussion with TonyT on this to clarify my understanding ...
     
  10. 2006/05/24 - Welshjim
    PeteC--Most kind of you. Thanks. Wish I had not asked. :)
    I have a hard time believing that many people have Winpcap Remote Capture Service installed. And yet that "(file missing)" notation appears in many HJT logs.
    http://www.winpcap.org/docs/docs32a1/html/group__remote.html

    But I can understand the bolded paragraph if this can happen without Winpcap's presence.

    P.S. Seems some time since I have seen it, but I remember there was a spyware program that announced "xyz.dll is missing from your PC" and helpfully offered a download. Of course, xyz.dll was the spyware.
     
  11. 2006/05/25 - Praveen (Thread Starter)
    Looks like ewido found the problem, but it could not delete the DLL that is causing the problem.

    Here is the ewido scan report:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 3:38:28 PM, 5/25/2006
    + Report-Checksum: C39AF0C2

    + Scan result:

    [976] C:\WINDOWS\system32\fpj6031se.dll -> Adware.Look2Me : Error during cleaning
    [1804] C:\WINDOWS\system32\uervpa.dll -> Adware.Look2Me : Error during cleaning
    [2144] C:\WINDOWS\system32\uervpa.dll -> Adware.Look2Me : Error during cleaning
    :mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.74:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
    :mozilla.135:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.136:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.191:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.192:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.193:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.194:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.195:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.198:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.199:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.200:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
    :mozilla.203:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.204:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.207:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    :mozilla.211:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
    :mozilla.212:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
    :mozilla.213:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
    :mozilla.224:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.225:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.226:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.227:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
    :mozilla.231:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.232:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
    :mozilla.233:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.234:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.235:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.236:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.243:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.244:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
    :mozilla.245:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned with backup
    :mozilla.262:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.263:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.272:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
    C:\Documents and Settings\Administrator\Desktop\vncviewer\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup
    C:\Documents and Settings\All Users\Application Data\Starware -> Adware.Starware : Cleaned with backup
    C:\Documents and Settings\Limited\Cookies\limited@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Program Files\ORL\VNC\VNCHooks.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup
    C:\Program Files\ORL\VNC\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup
    C:\Program Files\ORL\VNC\WinVNC.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup
    C:\WINDOWS\system32\xbllite.dll -> Adware.Look2Me : Cleaned with backup
    F:\Softwares\VNC\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Error during cleaning
    F:\Softwares\VNC\vnc_x86_win32\vncviewer\vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup


    ::Report End
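The report above separates into three outcomes, and the shape of each line explains why cleaning failed. The Python below is an added example, not part of the thread or of ewido: it parses the `path -> Detection : status` lines, treats the bracketed number that prefixes some of them as the PID of the process the module was found loaded in (an assumption about the report format), and groups the failures so that a DLL mapped into a running process (which Windows will not let you delete until the process releases it, the reason Praveen's manual delete returned access denied) is separated from a hit on a member of a .zip archive. The excerpt is constructed from the posted report with most cookie lines dropped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the ewido report posted above (most cookie lines omitted).
EWIDO_REPORT = r"""
[976] C:\WINDOWS\system32\fpj6031se.dll -> Adware.Look2Me : Error during cleaning
[1804] C:\WINDOWS\system32\uervpa.dll -> Adware.Look2Me : Error during cleaning
[2144] C:\WINDOWS\system32\uervpa.dll -> Adware.Look2Me : Error during cleaning
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ituie1jc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\Starware -> Adware.Starware : Cleaned with backup
C:\Program Files\ORL\VNC\WinVNC.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup
C:\WINDOWS\system32\xbllite.dll -> Adware.Look2Me : Cleaned with backup
F:\Softwares\VNC\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Error during cleaning
"""

# Assumed line shape: "[pid] path -> Detection.Name : status". The bracketed number is
# taken to be the process the module was found loaded in; file-system hits have none.
HIT_RE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<path>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")
ARCHIVE_EXTS = (".zip/", ".rar/", ".cab/")   # assumed archive-member separator in paths


@dataclass
class Hit:
    path: str
    detection: str
    status: str
    pid: Optional[int] = None

    @property
    def category(self) -> str:
        # Adware / TrackingCookie / Not-A-Virus
        return self.detection.split(".", 1)[0]

    @property
    def in_archive(self) -> bool:
        return any(ext in self.path.lower() for ext in ARCHIVE_EXTS)


def parse_ewido(text: str):
    hits = []
    for line in text.splitlines():
        if m := HIT_RE.match(line.strip()):
            pid = int(m["pid"]) if m["pid"] else None
            hits.append(Hit(m["path"], m["detection"], m["status"].strip(), pid))
    return hits


def unresolved(hits):
    """Group the 'Error during cleaning' lines by path and say why each one failed."""
    out = {}
    for h in hits:
        if not h.status.startswith("Error"):
            continue
        rec = out.setdefault(h.path, {"detection": h.detection, "pids": [],
                                      "in_archive": h.in_archive})
        if h.pid is not None:
            rec["pids"].append(h.pid)
    for rec in out.values():
        if rec["pids"]:
            rec["why"] = (f"mapped into running process(es) {rec['pids']}; "
                          "cannot be deleted while loaded, needs boot-time removal")
        elif rec["in_archive"]:
            rec["why"] = "member of an archive; not active, delete the archive by hand"
        else:
            rec["why"] = "on-disk file could not be removed"
    return out


def by_category(hits):
    """Counter of (category, status): how much of each class is still outstanding."""
    return Counter((h.category, h.status) for h in hits)


if __name__ == "__main__":
    hits = parse_ewido(EWIDO_REPORT)
    for (cat, status), n in sorted(by_category(hits).items()):
        print(f"{n:3}  {cat:15} {status}")
    for path, rec in unresolved(hits).items():
        print(f"{rec['detection']}: {path}\n    {rec['why']}")
```

The two Look2Me DLLs are the only genuinely outstanding items, and both failed for the same reason: they were found inside live processes (uervpa.dll in two of them), so no user-mode delete will succeed while winlogon.exe and the other hosts keep them mapped, which is why the thread moves on to a dedicated removal tool. The Not-A-Virus.RemoteAdmin lines are a riskware class rather than malware: ewido removed the VNC server and viewer under C:\Program Files\ORL\VNC along with the adware, so if that VNC install was deliberate it needs to be restored from the backup ewido kept.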
     
  12. 2006/05/25 - charlesvar
    Hello Praveen,

    Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/

    Instructions are provided on that page; post its log after Windows reboots, along with a fresh HijackThis log.

    Regards - Charles
     
  13. 2006/05/25 - Praveen (Thread Starter)
    It worked wonders. Looks like it's a great tool.
    Thanks for the great help.

    -Praveen
     
  14. 2006/05/25 - charlesvar
    I'm glad you're satisfied with the result, but we here would like to see the result as well.

    First, because others are helped, and second, the people that respond to problems such as yours want to see what the effect on your system is. It takes a lot of time and effort to clean up malware remotely like this.

    So would you be so kind as to post the logs that I asked you for in my last post?

    Regards - Charles
     
  15. 2006/05/26 - Praveen (Thread Starter)
    Sorry for not putting the log. I understand your concern.
    Here's the log.


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 5/25/2006 11:40:07 PM

    Infected! C:\WINDOWS\system32\gp4ml3h11.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151100.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151108.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151144.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151158.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151181.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151185.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151189.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151193.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151201.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151225.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151233.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151388.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151396.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151408.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151409.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154433.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154439.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154451.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154452.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154459.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP469\A0154525.dll
    Infected! C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP469\A0154526.dll
    Infected! C:\WINDOWS\system32\d20m0cd1ef0.dll
    Infected! C:\WINDOWS\system32\gp4ml3h11.dll
    Infected! C:\WINDOWS\system32\mxpatcha.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\gp4ml3h11.dll
    C:\WINDOWS\system32\gp4ml3h11.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151100.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151100.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151108.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151108.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151144.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151144.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151158.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151158.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151181.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151181.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151185.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151185.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151189.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151189.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151193.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151193.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151201.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151201.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151225.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151225.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151233.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP466\A0151233.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151388.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151388.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151396.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151396.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151408.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151408.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151409.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0151409.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154433.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154433.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154439.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154439.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154451.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154451.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154452.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154452.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154459.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP467\A0154459.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP469\A0154525.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP469\A0154525.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP469\A0154526.dll
    C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP469\A0154526.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\d20m0cd1ef0.dll
    C:\WINDOWS\system32\d20m0cd1ef0.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\gp4ml3h11.dll
    C:\WINDOWS\system32\gp4ml3h11.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\mxpatcha.dll
    C:\WINDOWS\system32\mxpatcha.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9B7D8642-2501-4DFF-896A-2BBA8622D5C4}"
    HKCR\Clsid\{9B7D8642-2501-4DFF-896A-2BBA8622D5C4}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
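The log above shows the persistence mechanism from the first post being cleaned up: randomly named DLLs in system32 registered under Winlogon\Notify, which winlogon.exe loads at logon (hence "access denied" on delete and the key coming back after a reboot). The following PowerShell script is an added example, not part of the thread or of the tool that produced the log. It audits that key on Windows XP / Server 2003 (Vista and later no longer consult Winlogon\Notify), resolves each package's DllName the way Winlogon does, and cross-checks which of those DLLs are currently mapped into winlogon.exe. The list of stock package names is an assumption for the example; compare it against a clean machine of the same build.

```powershell
# Added example (not from the thread): audit HKLM\...\Winlogon\Notify for
# non-stock notification packages and check whether they are loaded in winlogon.exe.
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Package names present on a stock Windows XP SP2 install. ASSUMPTION for this example;
# verify against a clean reference machine of the same service pack.
$KnownPackages = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                   'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Resolve-NotifyDll([string]$DllName) {
    # Winlogon loads DllName with LoadLibrary, so a bare file name resolves via system32.
    if ([IO.Path]::IsPathRooted($DllName)) { return $DllName }
    return (Join-Path $env:SystemRoot ('system32\' + $DllName))
}

function Get-WinlogonNotifyPackages {
    Get-ChildItem -Path $NotifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $name   = $_.PSChildName
        $dll    = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
        $path   = if ($dll) { Resolve-NotifyDll $dll } else { $null }
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        # Authenticode status is informational only: many stock XP DLLs are catalog-signed
        # and report NotSigned here, so the known-package list is the primary check.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        New-Object PSObject -Property @{
            Package    = $name
            DllName    = $dll
            Path       = $path
            Exists     = $exists
            Signature  = $sig
            Suspicious = -not ($KnownPackages -contains $name)
        }
    }
}

function Get-WinlogonModulesInSystem32 {
    # Cross-check: which DLLs from system32 are mapped into winlogon.exe right now?
    # Needs an administrative token; winlogon.exe's module list is not readable otherwise.
    try {
        Get-Process -Name winlogon -ErrorAction Stop | ForEach-Object {
            $_.Modules | Where-Object { $_.FileName -like "$env:SystemRoot\system32\*.dll" } |
                Select-Object -ExpandProperty FileName
        }
    } catch {
        Write-Warning ('Cannot enumerate winlogon.exe modules: ' + $_.Exception.Message)
    }
}

$packages = Get-WinlogonNotifyPackages
$packages | Sort-Object Suspicious -Descending |
    Format-Table Package, DllName, Exists, Signature, Suspicious -AutoSize

# A Notify DLL that is outside the stock list AND currently loaded in winlogon.exe matches
# the behaviour in the first post: it cannot be deleted while it runs, and it re-creates
# its key at every logon, so it has to be removed from outside the running session.
$loaded = @(Get-WinlogonModulesInSystem32)
$packages | Where-Object { $_.Suspicious -and ($loaded -contains $_.Path) } |
    ForEach-Object { 'Loaded in winlogon.exe: {0} -> {1}' -f $_.Package, $_.Path }
```

The script only reports; it does not try to delete anything, because a DLL mapped into winlogon.exe will fail to delete just as the original poster observed, and removing the registry key while the DLL is still loaded is undone at the next logon. Removal needs a tool that handles in-use files, or a boot into another environment, which is what the log above reflects.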
     
  16. 2006/05/26
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    The "file missing" will ALWAYS appear in a HjT log for Winpcap UNTIL the user creates his own rpcapd.ini file, which is simply a text file.

    The average user who has Winpcap installed will never need the remote capture service & when Winpcap gets installed that service is set to Manual & is not started.

    But some users may actually need the remote capture service & thus will create a rpcapd.ini file. Winpcap is a required utility that enables certain unix/linux utilities to run on Windows, such as Ethereal & other network tools that are very useful to those who manage networks.

    In order for this service to work a user needs to have a network card (or wifi card) that supports Promiscuous mode. In Windows XP, such cards cannot work without specialized drivers. This is due to the operating system itself. Promiscuous mode means that the card can capture network packets NOT intended for the machine with the card, e.g. sniff ALL network traffic, which is necessary to more easily troubleshoot networks.
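The "file missing" remark above comes from a log parser resolving the files named in a service's ImagePath and finding that one of them, the rpcapd.ini passed as an argument, does not exist. The script below is an added example, not HijackThis's own logic and not from the thread: it approximates that check by pulling every file reference out of each service's ImagePath (quoted arguments as well as the executable) and reporting the ones that are absent on disk. The sample ImagePath at the end is constructed for the example so the WinPcap case can be seen without WinPcap installed.

```powershell
# Added example (not from the thread): reproduce a "file missing" style check over
# HKLM\SYSTEM\CurrentControlSet\Services by resolving every file named in ImagePath.

function Get-ImagePathFiles([string]$ImagePath) {
    $s = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $tokens = @()
    # Quoted tokens first: "C:\Program Files\x\y.exe" and "...\rpcapd.ini" style arguments.
    foreach ($m in [regex]::Matches($s, '"([^"]+)"')) { $tokens += $m.Groups[1].Value }
    # Then unquoted tokens that look like paths. Caveat: an unquoted path containing spaces
    # splits into fragments here; that is itself a finding (unquoted service path).
    $rest = [regex]::Replace($s, '"[^"]*"', ' ')
    foreach ($t in ($rest -split '\s+')) {
        if (($t -match '\\') -or ($t -match '\.(exe|sys|dll|ini)$')) { $tokens += $t }
    }
    $tokens | ForEach-Object {
        # Kernel-mode drivers use \??\ and \SystemRoot\ prefixes or system32-relative paths.
        $p = $_ -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
        $p
    }
}

function Get-ServicesWithMissingFiles {
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $ip) { return }
        $missing = @(Get-ImagePathFiles $ip | Where-Object { -not (Test-Path -LiteralPath $_) })
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{
                Service   = $_.PSChildName
                ImagePath = $ip
                Missing   = ($missing -join '; ')
            }
        }
      }
}

# Constructed sample ImagePath (not read from a real machine) shaped like the WinPcap
# remote capture service: the executable exists but the -f argument names an ini file
# the user has not created yet, which is exactly the "file missing" case described above.
$sample = '"C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"'
Get-ImagePathFiles $sample | ForEach-Object {
    '{0}  exists={1}' -f $_, (Test-Path -LiteralPath $_)
}

# Live check against the local service database.
Get-ServicesWithMissingFiles | Format-Table Service, Missing -AutoSize
```

A hit from this check means only that a referenced file is absent, which is harmless for an optional ini file like the one above, but a service whose executable itself is missing, or whose ImagePath points into a user-writable location, deserves a closer look.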
     
  17. 2006/05/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Praveen,

    Thank you very much.

    We need one more log posted by you, the HijackThis log.


    You have to reset XP's System Restore to clear the infection from its files:

    Right click My Computer > Properties > System Restore tab > Check "Turn off System Restore on all drives".

    Reboot.

    Go back and re-enable SR - will create an initial restore point.

    Regards - Charles
     