Random advertisement pop ups, cant be stopped :S

Unknown

I've had this for a few days now, every now and then some random advertisement pops up, even when i have firefox closed. (The pages are usually called the same, but the .coms are different. yyy102.html and yyy65.html i think). At first i tried Spy bot s&d, got a bunch of stuff, removed them. It asked me to reboot for it to remove the last few things. I did, nothing happened after i rebooted, and the pop ups were still coming up. I got Ad-aware, same thing, after i rebooted, nothing happened. So last night i formatted my c:\ and reinstalled windows there (I have one disk partitioned into 4). I spent last night reinstalling drivers and stuff, and a bit of todays morning aswell. I also installed Musicmatch jukebox, mIRC, MSN live messenger beta, Xfire and limewire. No pop ups when i was doing this. Today when i got home from school, my computer had a firefox window open with around 100 of them, i think they had been coming all the time :S. So i tried spybot s&d again, and still nothing after i reboot. And limewire opens itself after i close it now. And i cant open taskmanager the normal way, only in another way that my friend suggested, i copied it to my desktop and i can only run it from there. I really dont want to have to delete the other drives aswell, is there any way i could fix this?

Thanks for any help you could give me.

RichD

I'm a bit of a novice but here are a few suggestions. Try booting into safe mode and run spybot and adaware again. Also try downloading Hijack This, Run the scan and create a log and then post the logfile here. Some of the other guys can have a look at it and tell you what is wrong.

Takaru

RichD wrote:

I'm a bit of a novice but here are a few suggestions. Try booting into safe mode and run spybot and adaware again. Also try downloading Hijack This, Run the scan and create a log and then post the logfile here. Some of the other guys can have a look at it and tell you what is wrong.

Thanks, i think that it DID fix something (Didnt ask for a restart, just said everything was removed succesfully) , but im still getting popups.

Oh and i got hijack this, i noticed that it says Internet explorer on the top, but i use firefox. Um, its probably nothing important, i was just pointing it out :P
Heres the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:39:04 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\My Documents\FAH504-Console.exe
D:\My Documents\FahCore_82.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\winupdates\winupdates.exe
C:\windows\winsysban10.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
D:\Program Files\LucasArts\Star Wars Jedi Academy\GameData\jampDed.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
D:\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piprkw.exe reg_run
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140470296140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140470278578
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B76961-6D8A-4399-8601-F37E4C53E26B}: NameServer = 195.250.187.46,195.250.197.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{08B76961-6D8A-4399-8601-F37E4C53E26B}: NameServer = 195.250.187.46,195.250.197.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\e2jmlc111f.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@D:+My Documents+FAH504-Console.exe - Stanford University - D:\My Documents\FAH504-Console.exe

skywalker45

Hi Takaru. You have a Look2Me/VX2 infection. Please follow the instructions below:

Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
• Double-click Look2Me-Destroyer.exe to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
• When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Takaru

Alright, thanks

Here's the new log

Logfile of HijackThis v1.99.1
Scan saved at 10:04:17 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\windows\winsysban10.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
D:\MYDOCU~1\SMBOLS~1\regsvr32.exe
D:\My Documents\??stem\?pool32.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\My Documents\FAH504-Console.exe
D:\My Documents\FahCore_82.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {684E1E0E-82B4-A067-9D7F-AD98B01CF6ED} - C:\WINDOWS\system32\lgxhl.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piprkw.exe reg_run
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Sadt] "D:\MYDOCU~1\SMBOLS~1\regsvr32.exe" -vt mt
O4 - HKCU\..\Run: [Mrqrncj] D:\My Documents\??stem\?pool32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140470296140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140470278578
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B76961-6D8A-4399-8601-F37E4C53E26B}: NameServer = 195.250.187.46,195.250.197.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{08B76961-6D8A-4399-8601-F37E4C53E26B}: NameServer = 195.250.187.46,195.250.197.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@D:+My Documents+FAH504-Console.exe - Stanford University - D:\My Documents\FAH504-Console.exe

skywalker45

Did you run Look2Me destroyer? If not please run it and follow the instructions in my last post carefully. Post the log that it generates along with a fresh hijack this log after a reboot. This may take several posts as it appears another infection or more have taken root between postings and I don't believe the Look2Me is gone.

Takaru

Okay, sorry i missed the part before where you asked me to post the l2me log.

Heres the newest one

Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2/22/2006 10:37:02 PM

Infected! C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005676.dll
Infected! C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005677.dll
Infected! C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005685.dll
Infected! C:\WINDOWS\system32\i4nmle511h.dll
Infected! C:\WINDOWS\system32\j2p00c7mef.dll
Infected! C:\WINDOWS\system32\j6l4lg3q16.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005676.dll
C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005676.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005677.dll
C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005677.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005685.dll
C:\System Volume Information\_restore{984B4DB1-443F-4B9D-B879-62E805CDA83F}\RP85\A0005685.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\i4nmle511h.dll
C:\WINDOWS\system32\i4nmle511h.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j2p00c7mef.dll
C:\WINDOWS\system32\j2p00c7mef.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j6l4lg3q16.dll
C:\WINDOWS\system32\j6l4lg3q16.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

---

Also, a new Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:44:48 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\winupdates\winupdates.exe
C:\windows\winsysban10.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
D:\MYDOCU~1\SMBOLS~1\regsvr32.exe
D:\My Documents\??stem\?pool32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\My Documents\FAH504-Console.exe
D:\My Documents\FahCore_82.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: (no name) - {684E1E0E-82B4-A067-9D7F-AD98B01CF6ED} - C:\WINDOWS\system32\lgxhl.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd10.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames10.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban10.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\piprkw.exe reg_run
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Sadt] "D:\MYDOCU~1\SMBOLS~1\regsvr32.exe" -vt mt
O4 - HKCU\..\Run: [Mrqrncj] D:\My Documents\??stem\?pool32.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140470296140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140470278578
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B76961-6D8A-4399-8601-F37E4C53E26B}: NameServer = 195.250.187.46,195.250.197.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{08B76961-6D8A-4399-8601-F37E4C53E26B}: NameServer = 195.250.187.46,195.250.197.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@D:+My Documents+FAH504-Console.exe - Stanford University - D:\My Documents\FAH504-Console.exe


Thanks for your time.

skywalker45

OK your log seems to be changing a little with each post. That's not atypical with malware but I saw in your second log what I thought was a CWS infection. So here's how I think we should proceed. You might want to print these instructions because you will not have access to the internet for part of this fix. Please download CWShredder from my signature below. Unzip the program to your desktop. Double click on it then click check for update. Once it updates please close the program. We don't want to run it yet.

Next download Ewido Anti-Malware from my signature below. Install the program and follow the setup instructions below:

• Install Ewido Anti-Malware
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
• Launch ewido, there should be a big "E" icon on your desktop, double-click it.
• The program will prompt you to update click the "OK" button
• The program will now go to the main screen
  
  You will need to update ewido to the latest definition files.
  
  
• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

Next restart your PC in safe mode, do this by rebooting your PC, as the PC is booting begin pressing the F8 key. Keep tapping F8 until the advanced boot options menu appears. Scroll with the arrow keys to the top choice which is safe mode. Press enter.

Once in safe mode double click on CWShredder. Click Fix, then click OK. Allow the program to run. When it is finished just exit the program.

Next open Ewido Anti-Malware and follow the instructions below:

• If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  
• Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
  
• Click on scanner
• Click on Settings
  • Under "How to scan" all boxes should be selected
  • Under "Possibly unwanted software" all boxes should be selected
  • Under "What to scan" select scan every file
  • Click OK
• Click on Complete system scan
• Let the program scan the machine
  
• If ewido finds anything, it will pop up a notification. Please select Perform action with all infections. Allow the program to run.
  
  Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  
  
• Click Save report
• Save the report to your desktop
• Exit ewido

Reboot the PC into normal mode and post the Ewido log and a fresh Hijack This log.