Help Please![INACTIVE]

dee

By dee,
in Malware Removal

 Share Followers 0

Recommended Posts

dee

dee

Posted
Posted (edited)

Our computer has recently acquired a host of popups(esp. from ad-w-a-r-e.com). Our virus scanner detected something named dfndra.exe. Can anyone help?

Logfile of HijackThis v1.99.1

Scan saved at 오후 6:37:00, on 2006-06-21

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\System32\1XConfig.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Hcontrol.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\windows\system32\psdsregk.exe

C:\WINDOWS\SYSC00.exe

C:\WINDOWS\system32\mptft.exe

C:\WINDOWS\system32\ssn6tuu.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ssec.exe

C:\WINDOWS\system32\nr1rnqm8.exe

C:\WINDOWS\system32\kwintqez.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\tfthot.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

C:\WINDOWS\system32\kwintqez.exe

C:\WINDOWS\ATKOSD.exe

C:\WINDOWS\Lg\command.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\Program Files\Network Monitor\netmon.exe

C:\WINDOWS\system32\packet.exe

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\rcss.exe

C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\kwintqez.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Alzip\ALZip.exe

C:\Documents and Settings\xp\Local Settings\Temp\_AZTMP1_\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\chhru.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mdovfxi.exe

O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll

O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\Hcontrol.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe

O4 - HKLM\..\Run: [newname] C:\\nwnm.exe

O4 - HKLM\..\Run: [{05-56-69-95-ZN}] C:\windows\system32\psdsregk.exe GID003

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe

O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe

O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"

O4 - HKLM\..\Run: [w1e0bc54.dll] RUNDLL32.EXE w1e0bc54.dll,I2 0016b54b01e0bc54

O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\system32\kwintqez.exe GID003

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

O15 - Trusted Zone: http://www.gopd.co.kr

O15 - Trusted Zone: http://*.gopd.co.kr

O15 - Trusted Zone: http://cfolder.nownuri.net

O15 - Trusted Zone: http://client.nownuri.net

O15 - Trusted Zone: http://club.nownuri.net

O15 - Trusted Zone: http://help.nownuri.net

O15 - Trusted Zone: http://helpdesk.nownuri.net

O15 - Trusted Zone: http://join.nownuri.net

O15 - Trusted Zone: http://mplug.nownuri.net

O15 - Trusted Zone: http://pdsfind1.nownuri.net

O15 - Trusted Zone: http://www.nownuri.net

O15 - Trusted Zone: http://*.nownuri.net

O15 - Trusted Zone: http://adrenalin.pdbox.co.kr

O15 - Trusted Zone: http://bbs.pdbox.co.kr

O15 - Trusted Zone: http://bbs2.pdbox.co.kr

O15 - Trusted Zone: http://bbs3.pdbox.co.kr

O15 - Trusted Zone: http://bbs4.pdbox.co.kr

O15 - Trusted Zone: http://client.pdbox.co.kr

O15 - Trusted Zone: http://cp.pdbox.co.kr

O15 - Trusted Zone: http://find.pdbox.co.kr

O15 - Trusted Zone: http://ftp2.pdbox.co.kr

O15 - Trusted Zone: http://gopd.pdbox.co.kr

O15 - Trusted Zone: http://help.pdbox.co.kr

O15 - Trusted Zone: http://mboard.pdbox.co.kr

O15 - Trusted Zone: http://media.cp.pdbox.co.kr

O15 - Trusted Zone: http://mfind.pdbox.co.kr

O15 - Trusted Zone: http://my.pdbox.co.kr

O15 - Trusted Zone: http://point.pdbox.co.kr

O15 - Trusted Zone: http://shop.pdbox.co.kr

O15 - Trusted Zone: http://side.pdbox.co.kr

O15 - Trusted Zone: http://www.pdbox.co.kr

O15 - Trusted Zone: http://*.pdbox.co.kr

O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab

O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103760526388

O16 - DPF: {A555B624-1393-46BD-ADFF-4455DD650FC5} (MediaShell T-Player Control) - http://aod.empas.com/player/drm/inc/dll/TPlayer.cab

O16 - DPF: {BCA935CA-7E41-4F73-BA9C-FAB4393DBAC0} (MADanalCtrl Control) - http://www.csafer.net/ActiveX/MAStreamCtrl.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O16 - DPF: {EACD6BE5-C0EE-4909-9B71-B2807C8A245C} (JukeOn Login Control) - http://jukeon.dl.sayclub.com/jukeon/jukeon...01/jukeonax.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll

O20 - Winlogon Notify: policies - C:\WINDOWS\system32\hr2805fue.dll

O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Lg\command.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

O23 - Service: Windows Packet Driver (packet) - Unknown owner - C:\WINDOWS\system32\packet.exe

O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe

O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Edited by dee
Link to post
Share on other sites
therock247uk

therock247uk

Posted
Posted

Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Link to post
Share on other sites
  • 3 weeks later...
Guest
This topic is now closed to further replies.
 Share
Followers 0
Go to topic listing