
Need some help with a HJT log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2006/06/01.

  1. 2006/06/01
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I'm trying to help a friend clean up his PC, and what a mess it is. Here's what I've done so far:

    Turned off system restore
    Updated and ran Spybot, it cleaned up 103 items
    Updated and ran Adaware, it cleaned up 231 items
    Updated and ran AVG, it found and fixed 60 infected files

    He was complaining about pop-ups occurring even when IE wasn't open, AVG was popping up virus warnings all the time, he was getting redirects to websites all the time.

    I'm sure I haven't rid this machine of all the nasties yet, so I'm posting the HJT log in hopes I can get this thing clean again. It's been a while since I've seen one this bad:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:23:35 PM, on 6/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\logonui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wmapsrvs.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1125424419\ee\AOLSoftware.exe
    C:\program files\seekmo\seekmo.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINDOWS\SYSTEM32\nwinlqez.exe
    c:\windows\system32\dwdsregt.exe
    c:\program files\common files\aol\1125424419\ee\aolsoftware.exe
    C:\tmp\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C5E1197A9FA975760EA83FA5EF80752B94E3D8785E7540203CC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125424419\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [{21-1B-BD-DB-ZN}] c:\windows\system32\dwdsregt.exe GID003
    O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe "
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\nwinlqez.exe GID003
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinlqez.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\prdsregp.exe
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\ir82l5lo1.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe
    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe
     
  2. 2006/06/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello BillB, and welcome to Windows BBS forums.

    I'll be having a look at this log and will return shortly.

    Please be patient as I get a quick look at things and return.
     


  4. 2006/06/01
    TeMerc

    Your friend appears to have a Look2Me infection, pretty nasty sucker. But we have a couple of things to use and fix it.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
     
  5. 2006/06/01
    BillB Lifetime Subscription

    Hi TeMerc,

    Thanks for the quick reply. Here is the new HJT log and the Look2Me text file as you requested:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:45:40 PM, on 6/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\logonui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wmapsrvs.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1125424419\ee\AOLSoftware.exe
    C:\windows\system32\dwdsregt.exe
    C:\program files\seekmo\seekmo.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\WINDOWS\SYSTEM32\nwinlqez.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    c:\program files\common files\aol\1125424419\ee\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\tmp\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C5E1197A9FA975760EA83FA5EF80752B94E3D8785E7540203CC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125424419\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [{21-1B-BD-DB-ZN}] C:\windows\system32\dwdsregt.exe GID003
    O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe "
    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\nwinlqez.exe GID003
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinlqez.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\prdsregp.exe
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O20 - Winlogon Notify: Fault - C:\WINDOWS\system32\sqrrun.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe
    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 6/1/2006 9:38:07 PM

    Infected! C:\WINDOWS\system32\ir82l5lo1.dll
    Infected! C:\WINDOWS\SYSTEM32\sqrrun.dll
    Infected! C:\WINDOWS\SYSTEM32\pLpsvc.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\SYSTEM32\sqrrun.dll
    C:\WINDOWS\SYSTEM32\sqrrun.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\pLpsvc.dll
    C:\WINDOWS\SYSTEM32\pLpsvc.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} "
    HKCR\Clsid\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BD472F60-27FA-11cf-B8B4-444553540000} "
    HKCR\Clsid\{BD472F60-27FA-11cf-B8B4-444553540000}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} "
    HKCR\Clsid\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} "
    HKCR\Clsid\{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{53C74826-AB99-4d33-ACA4-3117F51D3788} "
    HKCR\Clsid\{53C74826-AB99-4d33-ACA4-3117F51D3788}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{89CF4544-BAA6-47DA-B7ED-01AFB92DBF55} "
    HKCR\Clsid\{89CF4544-BAA6-47DA-B7ED-01AFB92DBF55}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C7D5D497-D72E-4891-AFF1-F82BE82B4249} "
    HKCR\Clsid\{C7D5D497-D72E-4891-AFF1-F82BE82B4249}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4019C652-897D-4883-8FE6-D4D5AAD8665A} "
    HKCR\Clsid\{4019C652-897D-4883-8FE6-D4D5AAD8665A}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F9A00E87-D0DD-40B7-8934-57BBB5FEEBEB} "
    HKCR\Clsid\{F9A00E87-D0DD-40B7-8934-57BBB5FEEBEB}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{39315467-9C3A-46E4-A70B-3765B1B739DD} "
    HKCR\Clsid\{39315467-9C3A-46E4-A70B-3765B1B739DD}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6E89465F-2B7C-4E0D-8BBE-AB29EF3D71CC} "
    HKCR\Clsid\{6E89465F-2B7C-4E0D-8BBE-AB29EF3D71CC}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{41D53627-0664-4150-867D-47BD2ABBF990} "
    HKCR\Clsid\{41D53627-0664-4150-867D-47BD2ABBF990}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B83A6BE2-8959-47DF-9F90-B61E690814FF} "
    HKCR\Clsid\{B83A6BE2-8959-47DF-9F90-B61E690814FF}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
     
  6. 2006/06/01
    TeMerc

    OK, it looks as tho the tool removed the infected files.

    Let's carry on, and please let me know of any odd behavior with the machine.

    Please go to 'Task Manager' by hitting Ctrl+Alt+Delete and 'End Task' on the following process(es):
    C:\windows\system32\dwdsregt.exe
    C:\program files\seekmo\seekmo.exe
    C:\Program Files\ipwins\ipwins.exe
    C:\WINDOWS\SYSTEM32\nwinlqez.exe


    Please go to Add/Remove, and if found, uninstall the following:
    ipwins
    seekmo
    180Solutions
    Zango


    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have no IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm


    O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C5E1197A9FA975760EA83FA5EF80752B94E3D8785E7540203CC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll


    O4 - HKLM\..\Run: [{21-1B-BD-DB-ZN}] C:\windows\system32\dwdsregt.exe GID003

    O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe "

    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\nwinlqez.exe GID003

    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\nwinlqez.exe

    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\prdsregp.exe


    O20 - Winlogon Notify: Fault - C:\WINDOWS\system32\sqrrun.dll (file missing)


    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    c:\program files\seekmo<<<<---folder
    C:\Program Files\ipwins<<<<---folder
    C:\WINDOWS\SYSTEM32\sregp.exe<<<--file
    C:\WINDOWS\system32\run.dll <<<--file
    C:\WINDOWS\SYSTEM32\nlqez.exe <<<--file
    C:\windows\system32\sregt.exe <<<--file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
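As an added example (not from this thread, and not part of HijackThis itself), the script below parses entries in the HijackThis v1.99 format posted above, flags the kinds of items TeMerc singled out (orphaned "file missing" load points, services with no vendor name, about:blank page hijacks, products named for removal, autostarts running straight out of system32) and diffs a before/after log the way a helper does when asking for a fresh log. The two sample logs are constructed from entries in posts 5 and 7, and the watchlist and heuristics are this example's own assumptions; the system32 rule is deliberately noisy and also trips on NeroCheck.exe, which the helper left alone.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a subset of the entries from the two logs posted in
# this thread (before the fix, post 5; after the fix, post 7). The header and
# process list are kept in the first one to show that the parser skips them.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\program files\seekmo\seekmo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: Seekmo Search Assistant Helper - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{21-1B-BD-DB-ZN}] C:\windows\system32\dwdsregt.exe GID003
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\prdsregp.exe
O20 - Winlogon Notify: Fault - C:\WINDOWS\system32\sqrrun.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe
"""

LOG_AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe
"""

# Product names the helper asked the poster to kill or uninstall (constructed
# review list for this thread; extend it per case).
WATCHLIST = ("seekmo", "ipwins", "zeno", "180solutions")

# "R1 - ...", "O4 - ...", "O23 - ..." lines; everything else in the log is ignored.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.+)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "R1", "O4", "O23"
    body: str     # the text after "O4 - "

    def __str__(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list[HjtEntry]:
    """Return the R/F/O entries of a HijackThis log, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def flag_entry(e: HjtEntry) -> str | None:
    """Heuristic review reasons; None means nothing stood out. These are prompts
    for a human to verify, not verdicts: the system32 rule also trips on
    legitimate autostarts such as NeroCheck.exe."""
    low = e.body.lower()
    if "(file missing)" in low:
        return "load point points at a file that is gone (orphaned; the reference itself should go)"
    if e.section == "O23" and "unknown owner" in low:
        return "service binary carries no vendor name; verify the file before trusting it"
    if e.section in ("R0", "R1") and low.endswith("= about:blank"):
        return "IE search/start page reset to about:blank (typical hijack residue)"
    if any(name in low for name in WATCHLIST):
        return "refers to a product named for removal in this thread"
    if e.section == "O4" and re.search(r"\\system32\\[a-z0-9_]+\.exe", low):
        return "autostart runs an .exe straight out of system32; confirm it is a known component"
    return None


def triage(text: str) -> dict[str, str]:
    """Map every flagged entry (rendered as in the log) to the reason it was flagged."""
    return {str(e): r for e in parse_log(text) if (r := flag_entry(e))}


def removed_between(before: str, after: str) -> set[str]:
    """Entries present in the earlier log but absent from the later one: what the
    'Fix checked' step and the manual deletions actually took out."""
    return {str(e) for e in parse_log(before)} - {str(e) for e in parse_log(after)}


if __name__ == "__main__":
    for entry, why in triage(LOG_BEFORE).items():
        print(f"[review] {entry}\n         {why}")
    print("\nEntries gone from the follow-up log:")
    for entry in sorted(removed_between(LOG_BEFORE, LOG_AFTER)):
        print("  -", entry)
```

Run against the follow-up log it still flags the WMIPerAddOn service and NeroCheck, which is the point: the heuristics hand a helper a short list to verify, they do not declare a log clean.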
     
  7. 2006/06/02
    BillB Lifetime Subscription

    TeMerc,

    I was able to stop the processes you listed, but the only thing in add/remove programs was seekmo so I uninstalled that. I fixed all the items in HJT that you listed. The only file/folder I found to delete was Ipwins, the others weren't there. Here's the new HJT log, hopefully this thing is getting closer to being clean. Thanks so much for the help.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:21:55 PM, on 6/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\logonui.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wmapsrvs.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\AOL\1125424419\ee\AOLSoftware.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    c:\program files\common files\aol\1125424419\ee\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\tmp\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125424419\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Global Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Email AntiVirus (Email AV) - Unknown owner - C:\WINDOWS\email-av.exe (file missing)
    O23 - Service: Microsoft Logon User Interface Skining (LogonUInterf) - Unknown owner - C:\WINDOWS\logonui.exe
    O23 - Service: Microsoft WMI Performance Adapter AddOn (WMIPerAddOn) - Unknown owner - C:\WINDOWS\wmapsrvs.exe
     
  8. 2006/06/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, that's a clean logfile, are there any other things going on that would perhaps indicate any remaining malware?

    Let me know, then I'll proceed accordingly.
     
  9. 2006/06/03
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi TeMerc,

    I'm not sure that this thing is completely clean yet. I put it online to get spybot, adaware, spywareblaster and AVG updates if there were any and to surf for a while. I didn't see any pop-ups like he said he had, nor did AVG pop up any virus warnings like it was doing. However, I took it offline and ran Spybot and Adaware scans. Spybot found 21 items, including 180Solutions, Coolwebsearch, Zeno, Coremetrics and a few others, and Adaware found 6 items including Zeno search and some tracking cookies. I'm running an AVG scan now to see if it finds anything. Do you think further investigation is needed, or do you think these things were just residual leftovers from the other cleanups?
     
  10. 2006/06/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Bill, I'd need to know just what the Spybot and Adaware findings were to give you a specific answer. It is possible the findings were remnants of the infection.

    Perhaps you could give me some details and we could go from there.
     
  11. 2006/06/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    TeMerc,

    Sorry to be so long posting back, I was running scans under all the user accounts on the machine. The Spybot and Adaware scans found pretty much the same things under each account. Here are the Spybot and Adaware logs from the main account on the PC:

    Spybot:

    03.06.2006 10:19:33 - ### Version: 1.4
    03.06.2006 10:19:33 - ### Date: 6/3/2006 10:19:33 AM
    03.06.2006 10:19:48 - ##### checking bots #####
    03.06.2006 10:20:58 - found: CoolWWWSearch IE Search page
    03.06.2006 10:29:44 - found: Zeno Uninstall settings
    03.06.2006 10:29:44 - found: Zeno Executable
    03.06.2006 10:29:45 - found: Zeno Text file
    03.06.2006 10:29:45 - found: Zeno Library
    03.06.2006 10:29:51 - found: NewDotNet User settings
    03.06.2006 10:29:59 - found: Windows Security Center.SP2Update Settings
    03.06.2006 10:29:59 - found: Windows Security Center.AntiVirusOverride Settings
    03.06.2006 10:29:59 - found: Windows Security Center.FirewallOverride Settings
    03.06.2006 10:29:59 - found: Windows Security Center.FirewallDisableNotify Settings
    03.06.2006 10:30:00 - found: Windows Security Center.AntiVirusDisableNotify Settings
    03.06.2006 10:30:00 - found: Windows Security Center.UpdateDisableNotify Settings
    03.06.2006 10:30:01 - found: 180Solutions.SearchAssistant Type library
    03.06.2006 10:34:32 - found: CasaleMedia Tracking cookie (Firefox: default)
    03.06.2006 10:34:32 - found: CasaleMedia Tracking cookie (Firefox: default)
    03.06.2006 10:34:32 - found: CasaleMedia Tracking cookie (Firefox: default)
    03.06.2006 10:34:59 - found: Advertising.com Tracking cookie (Firefox: Van)
    03.06.2006 10:34:59 - found: Advertising.com Tracking cookie (Firefox: Van)
    03.06.2006 10:35:00 - found: CoreMetrics Tracking cookie (Firefox: Van)
    03.06.2006 10:35:03 - found: MusicMatch Bookmark (Internet Explorer: van crosby)
    03.06.2006 10:35:10 - found: MusicMatch Bookmark (Firefox: default)
    03.06.2006 10:35:14 - ##### check finished #####


    Adaware:

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Saturday, June 03, 2006 10:36:48 AM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R110 31.05.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Adware.ZenoSearch(TAC index:4):2 total references
    Tracking Cookie(TAC index:3):5 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Adware.ZenoSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment : "BrowserUpdateSched "
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\run
    Value : BrowserUpdateSched

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 1
    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : van crosby@realmedia[3].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:9
    Value : Cookie:van crosby@realmedia.com/
    Expires : 12-31-2020 8:00:00 PM
    LastSync : Hits:9
    UseCount : 0
    Hits : 9

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : van crosby@www.smartmoney[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:3
    Value : Cookie:van crosby@www.smartmoney.com/
    Expires : 12-31-2019 8:00:00 PM
    LastSync : Hits:3
    UseCount : 0
    Hits : 3

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : van crosby@adserver[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:van crosby@ads.revsci.net/adserver
    Expires : 3-31-2038 5:37:40 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : van crosby@smartmoney[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:3
    Value : Cookie:van crosby@smartmoney.com/
    Expires : 2-10-2036 9:37:24 PM
    LastSync : Hits:3
    UseCount : 0
    Hits : 3

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : van crosby@cgi-bin[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:van crosby@tickets.airtran.com/skylights/cgi-bin/
    Expires : 3-25-2007 10:44:20 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 5
    Objects found so far: 6
    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Adware.ZenoSearch Object Recognized!
    Type : File
    Data : zxdnt3d.cfg
    TAC Rating : 4
    Category : Adware
    Comment :
    Object : C:\WINDOWS\system32\



    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 7

    10:53:19 AM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:16:31.326
    Objects scanned:240530
    Objects identified:7
    Objects ignored:0
    New critical objects:7
     
  12. 2006/06/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Did you let Spybot and Adaware 'fix' each of the findings?

    All of those are harmless for the most part and you can have them fixed\removed\repaired.

    Let me know and after you allow those items to be fixed rescan and see if they are gone.
     
  13. 2006/06/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I've told Spybot and Adaware to fix everything they find on each scan. I haven't had the machine back online since before the first scan yesterday. I ran another scan with each today and here are the results:

    Spybot:

    04.06.2006 12:39:12 - ##### check started #####
    04.06.2006 12:39:12 - ### Version: 1.4
    04.06.2006 12:39:12 - ### Date: 6/4/2006 12:39:12 PM
    04.06.2006 12:39:26 - ##### checking bots #####
    04.06.2006 12:48:14 - found: Zeno Uninstall settings
    04.06.2006 12:48:14 - found: Zeno Uninstall settings
    04.06.2006 12:48:14 - found: Zeno Text file
    04.06.2006 12:48:23 - found: Windows Security Center.SP2Update Settings
    04.06.2006 12:48:23 - found: Windows Security Center.AntiVirusOverride Settings
    04.06.2006 12:48:23 - found: Windows Security Center.FirewallOverride Settings
    04.06.2006 12:48:23 - found: Windows Security Center.FirewallDisableNotify Settings
    04.06.2006 12:48:23 - found: Windows Security Center.AntiVirusDisableNotify Settings
    04.06.2006 12:48:23 - found: Windows Security Center.UpdateDisableNotify Settings
    04.06.2006 12:52:28 - ##### check finished #####


    Adaware:

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Sunday, June 04, 2006 1:34:10 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R110 31.05.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Adware.ZenoSearch(TAC index:4):1 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Adware.ZenoSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment : "BrowserUpdateSched "
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\run
    Value : BrowserUpdateSched

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 1
    1:50:35 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:16:24.786
    Objects scanned:240650
    Objects identified:1
    Objects ignored:0
    New critical objects:1
     
  14. 2006/06/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, the Zeno items found by Spybot are the actual uninstall strings\info, which we in the sec comm usually ignore.

    Do a file search for 'Zeno' and delete what you find.

    The Windows security settings for Spybot can be moved to ignore. Although, as I write this, I want to say those are either false positives or something which was fixed in a previous update, I need to give a quick check on that.

    For the registry value, we can delete that, it shouldn't be there.

    But lets first back up your registry.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run

    In the right hand side of the window, look for:
    BrowserUpdateSched

    Right click it, select 'Delete', close the registry, reboot and rescan, let me know what is found.
     
  15. 2006/06/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I did a search for Zeno and found startup folder entries on all the accounts which I deleted. I could not find the 'BrowserUpdateSched' entry in the registry at the location you mentioned. I did run another spybot scan and the same entries showed up again.
     
  16. 2006/06/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Does spybot give you any error messages or the like when you have it 'fix' selected?

    Try scanning in safe mode, and fixing as well, rescan and see results.

    Although, I don't think it is any major threat.
     
  17. 2006/06/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    No error messages when I tell either Spybot or Adaware to fix problems. I did a Spybot scan in safe mode, the only entries that showed up were the windows security ones. I told it to fix and it says all were fixed. Did a rescan in normal mode, the security entries and the Zeno one showed up again. It says it is fixing the entries but they continue to show up on subsequent scans. Should I tell Spybot to permanently ignore the windows security ones if they are false positives? Should I manually delete the zeno registry entries?
     
  18. 2006/06/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes, I had suggested moving the Windows items to ignore earlier, and as long as you're comfortable removing the items from the registry manually, fine.
     
  19. 2006/06/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Ok, I've told Spybot to exclude the windows security items completely. I found the zeno file and reg entries and deleted them manually. The thing is, they seem to come back after a reboot and I don't know why.
     
  20. 2006/06/05
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I think I have this thing ready for prime time again.

    The Zeno search thing was a bear to get rid of. I did some searching on the net this morning for it and found hits on the Norton and Mcafee sites that described it and what to look for (files, reg entries, etc.). There were two items in the startup folder that I had to get rid of for each account; Z_start and Zeno. Then I did a search for the files mentioned on the mcafee site and found a few; dwdsregt.exe (along with a prefetch item with the same name), zxdnt3d.cng, and twinsqez.exe (it had a prefetch item as well), I also found several iterations of the Zeno.lnk file in the root directory. I removed the files and went into safe mode and looked for the same things. When I booted up again in normal mode, I did scans on each account in Spybot and Adaware, both now come up clean.

    Hopefully this thing is clean again, at least the Zeno thing isn't coming back as it did before.

    TeMerc, thanks again for all your help with this. I really appreciate it.
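    The registry walkthrough TeMerc gave above and the per-account Startup folder, .lnk and Prefetch leftovers Bill lists in his last post, gathered into one report-only PowerShell script. This is an added example, not something posted in the thread: the name pattern comes from the items named in the thread, the backup folder is an assumed location, and the profile paths assume a current Windows layout (C:\Users) rather than the XP layout of the original machine.

```powershell
# Added example, not from the thread: list the autostart locations the posts
# above worked through (Run keys, Startup folders, Prefetch) for EVERY account,
# export any matching Run key to a .reg file first, and report what was found.
# Report-only: nothing is deleted. Run from an elevated PowerShell prompt.
param(
    [string]$Pattern   = 'BrowserUpdateSched|Zeno|Z_start|dwdsregt|twinsqez', # names from the thread
    [string]$BackupDir = "$env:USERPROFILE\Desktop\autostart-backup"          # assumed location
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$hits = @()

# 1. Run/RunOnce under HKLM plus every user hive currently loaded under HKEY_USERS.
$runKeys = @('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce')
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $runKeys += "$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path "Registry::$key")) { continue }
    foreach ($p in (Get-ItemProperty "Registry::$key" -ErrorAction SilentlyContinue).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
        if ($p.Name -match $Pattern -or "$($p.Value)" -match $Pattern) {
            $file = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')
            reg.exe export $key $file /y | Out-Null   # back the key up before any manual delete
            $hits += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value; Backup = $file }
        }
    }
}

# 2. Startup folders: the all-users one plus each profile's own; resolve .lnk targets.
$wsh  = New-Object -ComObject WScript.Shell
$dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $dirs) {
    foreach ($f in (Get-ChildItem $dir -File -ErrorAction SilentlyContinue)) {
        $target = if ($f.Extension -eq '.lnk') { $wsh.CreateShortcut($f.FullName).TargetPath } else { '' }
        if ($f.Name -match $Pattern -or $target -match $Pattern) {
            $hits += [pscustomobject]@{ Location = $dir; Name = $f.Name; Value = $target; Backup = '' }
        }
    }
}

# 3. Prefetch files show that a matching executable actually ran, even if it is gone now.
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern } | ForEach-Object {
        $hits += [pscustomobject]@{ Location = 'Prefetch'; Name = $_.Name; Value = $_.LastWriteTime; Backup = '' }
    }
$hits | Format-Table -AutoSize
```

An entry that reappears after a reboot, as the Zeno items did here, will show up in this report under whichever account or location is re-creating it, which is the clue the scanners' "fixed" messages did not give.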
     