Pop-up problems!

yossarian084 Norwich, VT, USA Member
edited March 2006 in Spyware & Virus Removal
This won't stop. Going to take a hostage soon! AdAware says Look2Me is there as well as Freeprod. Log follows:

Logfile of HijackThis v1.99.1
Scan saved at 3:11:40 AM, on 3/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\Explorer.EXE
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FriendFinder Messenger\FriendFinder Messenger\FFIMC.exe
E:\Program Files\Yahoo!\Messenger\YPager.exe
E:\Program Files\Common Files\Windows\services32.exe
E:\Program Files\Common Files\Windows\AutoIt3.exe
E:\Program Files\InetGet2\gimmysmileysB.exe
E:\PROGRA~1\Network\ipnetwork.exe
E:\Documents and Settings\Pache\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [IpNetwork] E:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - Winlogon Notify: WindowsUpdate - E:\WINDOWS\system32\h40q0ed5eh0.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe

Comments

  • skywalker45 Bloomington, IN, USA
    edited March 2006
    Hi,

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    Thanks. Here are the logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:26:22 PM, on 3/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Network\ipnetwork.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Common Files\Windows\services32.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Documents and Settings\Pache\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
    O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - E:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
    O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - E:\Program Files\Toolbar888\ToolBar888.dll
    O4 - HKLM\..\Run: [csr] csrrs.exe
    O4 - HKLM\..\Run: [IpNetwork] E:\Program Files\Network\ipnetwork.exe
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe

    Look2Me-Destroyer V1.0.11

    Scanning for infected files.....
    Scan started at 3/21/2006 5:16:43 PM

    Infected! E:\WINDOWS\system32\lv8u09l9e.dll
    Infected! E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001646.dll
    Infected! E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001654.dll
    Infected! E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001658.dll
    Infected! E:\WINDOWS\system32\kodca.dll
    Infected! E:\WINDOWS\system32\lv8u09l9e.dll
    Infected! E:\WINDOWS\system32\lvj4091qe.dll

    Attempting to delete infected files...

    Attempting to delete: E:\WINDOWS\system32\lv8u09l9e.dll
    E:\WINDOWS\system32\lv8u09l9e.dll Deleted successfully!

    Attempting to delete: E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001646.dll
    E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001646.dll Deleted successfully!

    Attempting to delete: E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001654.dll
    E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001654.dll Deleted successfully!

    Attempting to delete: E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001658.dll
    E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP13\A0001658.dll Deleted successfully!

    Attempting to delete: E:\WINDOWS\system32\kodca.dll
    E:\WINDOWS\system32\kodca.dll Deleted successfully!

    Attempting to delete: E:\WINDOWS\system32\lv8u09l9e.dll
    E:\WINDOWS\system32\lv8u09l9e.dll Deleted successfully!

    Attempting to delete: E:\WINDOWS\system32\lvj4091qe.dll
    E:\WINDOWS\system32\lvj4091qe.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CA9467EC-308B-41E2-A2C1-B6E2492D77CB}"
    HKCR\Clsid\{CA9467EC-308B-41E2-A2C1-B6E2492D77CB}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{96A77E6C-AA03-41F4-AD5C-644798DC3380}"
    HKCR\Clsid\{96A77E6C-AA03-41F4-AD5C-644798DC3380}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{09A0A41F-AEFD-4F57-8D3E-B24D55A92F7F}"
    HKCR\Clsid\{09A0A41F-AEFD-4F57-8D3E-B24D55A92F7F}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3235CFEA-A889-4C7C-A77B-4114DA3C8C80}"
    HKCR\Clsid\{3235CFEA-A889-4C7C-A77B-4114DA3C8C80}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B3060161-6DB3-4EFE-98ED-9765013532B5}"
    HKCR\Clsid\{B3060161-6DB3-4EFE-98ED-9765013532B5}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded
  • skywalker45 Bloomington, IN, USA
    edited March 2006
    OK, the Look2Me is gone. You might want to print these instructions as you will not have access to the internet for part of this fix. Next we need to make sure you can view all hidden files and folders, explained below:
    • Click "Start".
    • Click "My Computer".
    • Select the "Tools" menu and click "Folder Options".
    • Select the "View" tab.
    • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Click "Yes" to confirm.
    • Uncheck the "Hide file extensions for known file types".
    • Click "OK".

    Now run Hijack This again and put a check (tick) next to the following entries:

    O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - E:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL

    O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - E:\Program Files\Toolbar888\ToolBar888.dll

    O4 - HKLM\..\Run: [csr] csrrs.exe
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe


    Close all other browsers/windows and click Fix Checked.

    Now restart your PC in safe mode. Do this by rebooting and then immediately begin tapping the F8 key. Keep tapping the F8 until the advanced boot options menu appears. Scroll with the arrow keys to the top choice which is safe mode. Then press enter.

    Once in safe mode please use Windows Explorer to delete the following files and/or folders. Do not be alarmed if they don't exist:

    E:\Program Files\Toolbar888<----This folder.
    E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe<----This file.

    Use the Windows Search feature to look for the following file (be sure to include hidden files in your search):

    csrrs.exe<----Please note the spelling of this file. Do not delete any files spelled CSRSS.EXE

    Once you are finished please reboot into normal mode and post a fresh Hijack This log.
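The triage the helper does by hand above (spotting core system names like svchost.exe loading from the Startup folder, the csrrs.exe lookalike of CSRSS.EXE, and random-named Winlogon Notify DLLs) can be expressed as a few checks over HijackThis O4/O20/O23 lines. The script below is an added example, not part of this thread and not HijackThis code; the sample lines are copied from the logs posted here, while the protected-name list, the trusted-directory rule and the random-name threshold are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Core Windows binaries that legitimately load only from %SystemRoot%\system32
# (assumption: a short illustrative list, not an exhaustive one).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Well-known names that malware borrows so it blends into the process list.
LOOKALIKE_TARGETS = SYSTEM_BINARIES | {"wmplayer.exe", "rundll32.exe"}

# Constructed sample: autostart, Winlogon Notify and service lines copied from
# the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [IpNetwork] E:\Program Files\Network\ipnetwork.exe
O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: wmplayer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: WindowsUpdate - E:\WINDOWS\system32\h40q0ed5eh0.dll
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\ZHJldw\command.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<key>[^\]]*)\] )?(?P<target>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")


@dataclass
class Finding:
    line: str
    name: str      # lower-cased file name the finding is about
    reason: str


def split_path(target: str) -> tuple[str, str]:
    """Return (directory, filename) from a HijackThis target, lower-cased.

    Strips surrounding quotes and a trailing "(file missing)" marker. A bare
    file name (no backslash) yields an empty directory, which for a Run key
    means Windows will locate the file by PATH search.
    """
    path = re.sub(r"\s*\(file missing\)$", "", target.strip().strip('"')).lower()
    if "\\" in path:
        directory, name = path.rsplit("\\", 1)
        return directory, name
    return "", path


def trusted_dir(directory: str) -> bool:
    # Assumption: system32 and Program Files are the expected homes of the
    # names in LOOKALIKE_TARGETS; the Startup folder, a PATH search or a
    # random folder under WINDOWS is not.
    return directory.endswith("\\system32") or "\\program files" in directory


def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = 0
    while i < len(short) and short[i] == long_[i]:
        i += 1
    return short[i:] == long_[i + 1:]


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as h40q0ed5eh0.dll.

    Assumption: three or more digits interleaved with letters in the stem is
    unusual for a legitimately named Windows DLL.
    """
    stem = name.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3 and re.search(r"\d[a-z]|[a-z]\d", stem) is not None


def triage(log: str) -> list[Finding]:
    """Apply the heuristics to every O4/O20/O23 line and collect findings."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            target = m.group("target")
            if " = " in target:            # "Something.lnk = E:\path\to\real.exe"
                target = target.split(" = ", 1)[1]
            directory, name = split_path(target)
            if name in LOOKALIKE_TARGETS and not trusted_dir(directory):
                where = directory or "the Startup folder / PATH search"
                findings.append(Finding(line, name,
                    f"{name} is a well-known binary name but loads from {where}"))
            for known in sorted(LOOKALIKE_TARGETS):
                if edit_distance_one(name, known):
                    findings.append(Finding(line, name,
                        f"{name} is one character away from {known}"))
        elif m := O20_RE.match(line):
            _, name = split_path(m.group("target"))
            if looks_random(name):
                findings.append(Finding(line, name,
                    f"Winlogon Notify DLL {name} has a random-looking name"))
        elif m := O23_RE.match(line):
            _, name = split_path(m.group("target"))
            if m.group("owner") == "Unknown owner":
                findings.append(Finding(line, name,
                    f"service {m.group('name')} runs {name} with no known publisher"))
    return findings


def flagged_names(log: str) -> set[str]:
    """Convenience view: the set of file names that attracted a finding."""
    return {f.name for f in triage(log)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run as-is it flags csrrs.exe (one character from csrss.exe), svchost.exe and wmplayer.exe in the Startup folder, the h40q0ed5eh0.dll Winlogon Notify entry and the cmdService service with no publisher, while leaving the Adobe, iPod and ipnetwork entries alone. The lookalike check is deliberately strict (exactly one edit), so it matches the spelling trap the helper warns about without tripping on unrelated names.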
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    I think we got it. Bless you young jedi!



    Logfile of HijackThis v1.99.1
    Scan saved at 3:04:23 AM, on 3/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Network\ipnetwork.exe
    E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    E:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Comcast Rhapsody\rhaphlpr.exe
    E:\Documents and Settings\Pache\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [IpNetwork] E:\Program Files\Network\ipnetwork.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
  • skywalker45 Bloomington, IN, USA
    edited March 2006
    Yes, your log is clean. Are there any other problems you're having?
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    Having another issue but it's not related to the spyware. I recently reinstalled Windows on this laptop and at the beginning it asked if I wanted to change the file system from FAT32 to NTFS (I think that was the abbreviation). Anyway, it partitioned my drive, putting the new Windows install on an E: side and all my old stuff, including a Windows install, on C:. I now get messages saying I am running out of disk space on E. Should I repartition the drive to make more room on E?


    If you want me to post all this in a new thread I will, may make more sense.
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    This thing embedded itself but good. Here's the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:13:44 AM, on 3/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    E:\WINDOWS\System32\alg.exe
    E:\Program Files\Common Files\Windows\services32.exe
    E:\WINDOWS\system32\msiexec.exe
    c:\windows\mousepad5.exe
    E:\WINDOWS\ZHJldw\command.exe
    E:\WINDOWS\explorer.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunesHelper.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\iTunes.exe
    E:\Documents and Settings\Pache\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - E:\Program Files\Toolbar888\ToolBar888.dll
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
    O4 - HKLM\..\Run: [csr] csrrs.exe
    O4 - HKLM\..\Run: [newname] c:\windows\newname5.exe
    O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad5.exe
    O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard5.exe
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O20 - Winlogon Notify: Shell Extensions - E:\WINDOWS\system32\swxcoins.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - E:\WINDOWS\ZHJldw\command.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
  • Trogan London, UK
    edited March 2006
    yossarian084, I moved your new thread here. I'm sure Skywalker45 will get you fixed up :)
  • skywalker45 Bloomington, IN, USA
    edited March 2006
    Yuck!! What happened yossarian084? Did this all get loaded back on from a backup when you were talking about partitioning the drives and such? This is worse than before. OK, first things first, we'll have to go through all the things we went through before and then some more. Follow the instructions below first:

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    The first time I ran Look2Me-Destroyer, it didn't leave a log so this is the second run.

    I'm not sure how this happened again so soon. There is a Toolbar888 that I can't seem to get rid of and this Freeprod thing keeps installing on my machine. Then the Look2Me problems start......

    Logs:

    Look2Me-Destroyer V1.0.11

    Scanning for infected files.....
    Scan started at 3/23/2006 3:52:01 PM

    Infected! E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP19\A0001866.dll

    Attempting to delete infected files...

    Attempting to delete: E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP19\A0001866.dll
    E:\System Volume Information\_restore{739CE198-3FA7-49E5-BB03-962819628A97}\RP19\A0001866.dll Deleted successfully!

    Making registry repairs.


    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CA9467EC-308B-41E2-A2C1-B6E2492D77CB}"
    HKCR\Clsid\{CA9467EC-308B-41E2-A2C1-B6E2492D77CB}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{96A77E6C-AA03-41F4-AD5C-644798DC3380}"
    HKCR\Clsid\{96A77E6C-AA03-41F4-AD5C-644798DC3380}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{09A0A41F-AEFD-4F57-8D3E-B24D55A92F7F}"
    HKCR\Clsid\{09A0A41F-AEFD-4F57-8D3E-B24D55A92F7F}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3235CFEA-A889-4C7C-A77B-4114DA3C8C80}"
    HKCR\Clsid\{3235CFEA-A889-4C7C-A77B-4114DA3C8C80}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B3060161-6DB3-4EFE-98ED-9765013532B5}"
    HKCR\Clsid\{B3060161-6DB3-4EFE-98ED-9765013532B5}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A3915C62-CCA4-4BCA-AB6C-1E97157FAC6A}"
    HKCR\Clsid\{A3915C62-CCA4-4BCA-AB6C-1E97157FAC6A}

    Logfile of HijackThis v1.99.1
    Scan saved at 4:06:04 PM, on 3/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\iTunesHelper.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    E:\Program Files\Common Files\Windows\services32.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\Documents and Settings\Pache\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - E:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL (file missing)
    O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - E:\Program Files\Toolbar888\ToolBar888.dll (file missing)
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
    O4 - HKLM\..\Run: [csr] csrrs.exe
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe

    Would any of this cause iTunes not to run? When I try starting it I get the "ITunes has encountered an error and needs to shut down" message.
  • skywalker45 Bloomington, IN, USA
    edited March 2006
    Yes, it could cause a problem with iTunes or any other programs. You have a variant of the W32Gaobot.AO worm. I would like you to visit the Symantec web site and try to run their removal tool. You can get to that here.

    We were able to kill this thing before manually but we'll try it this way now. If the tool doesn't work we'll kill it manually again and then do some more things to prevent re-infection. We'll worry about the toolbar888 later.

    Also, this last log looks much different than the first. In the first I saw malware loading from the C:\ drive but your Windows installation is on the E:\ drive. Could you please elaborate on your setup? We need to be able to isolate the infection.
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    My setup is admittedly weird. I was having some problems with the machine so decided to do a Windows reinstall. I put the disk in and it asked if I wanted to convert to NTFS. I said yes and it seemed to go fine. It did not wipe the HD but put a partition (E:) with a new Windows install, and left the old one on C:. Pop-ups aside, should I just reinstall again and format the whole drive?

    I'll try the fixes listed above and repost.....
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    Logs follow....

    Symantec W32.Gaobot FixTool 1.30.0

    C:\System Volume Information: (not scanned)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\0D2RS563\C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=opinionnode;dir=opinion;pos=ad1;ad=lb;t=y;rss=n;poe=no;page=section;front=y;tile=1;ord=636521669400504300 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\0D2RS563\opinion;A=1;D=2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=dionneenode;dir=opinion;dir=columns;dir=opinion;dir=dionnee;pos=ad1;ad=lb;t=y[1] (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\0D2RS563\opinion;A=1;D=2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=robinsongnode;dir=opinion;dir=columns;dir=opinion;dir=robinsong;pos=ad1;ad=lb[1] (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\0D2RS563\opinion;A=1;D=2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=dionneenode;dir=opinion;dir=columns;dir=opinion;dir=dionnee;pos=ad6;ad=ss;ad=bb;ad=hp;r[1] (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\0D2RS563\opinion;A=1;D=2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=opeds_miscnode;dir=opinion;dir=columns;dir=opinion;dir=opeds_misc;pos=ad6;ad=ss;ad=bb;a[1] (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\0D2RS563\opinion;A=1;D=2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=robinsongnode;dir=opinion;dir=columns;dir=opinion;dir=robinsong;pos=ad6;ad=ss;ad=bb;ad=[1] (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\4DMNOTEF\2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=educationnode;dir=education;pos=ad6;ad=ss;ad=bb;ad=hp;rss=n;poe=no;page=article;tile=6;ord=730402790164099000 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\4DMNOTEF\C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=educationnode;dir=education;pos=ad1;ad=lb;t=y;rss=n;poe=no;page=article;tile=1;ord=786587289887051000 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLQB4HUF\2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=educationnode;dir=education;pos=ad6;ad=ss;ad=bb;ad=hp;rss=n;poe=no;page=article;tile=6;ord=786587289887051000 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\CLQB4HUF\C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=educationnode;dir=education;pos=ad1;ad=lb;t=y;rss=n;poe=no;page=article;tile=1;ord=730402790164099000 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\GX2VWTQ3\1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=opinionnode;dir=opinion;pos=ad6;ad=ss;ad=bb;ad=hp;rss=n;poe=no;page=section;front=y;tile=6;ord=129836041246384320 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1YFKPYJ\1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=opinionnode;dir=opinion;pos=ad6;ad=ss;ad=bb;ad=hp;rss=n;poe=no;page=section;front=y;tile=6;ord=286776926114624900 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1YFKPYJ\1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dir=opinionnode;dir=opinion;pos=ad6;ad=ss;ad=bb;ad=hp;rss=n;poe=no;page=section;front=y;tile=6;ord=636521669400504300 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1YFKPYJ\C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=opinionnode;dir=opinion;pos=ad1;ad=lb;t=y;rss=n;poe=no;page=section;front=y;tile=1;ord=129836041246384320 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1YFKPYJ\C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=opinionnode;dir=opinion;pos=ad1;ad=lb;t=y;rss=n;poe=no;page=section;front=y;tile=1;ord=286776926114624900 (WARNING: not scanned, path to long)
    E:\Documents and Settings\Pache\Local Settings\Temp\Temporary Internet Files\Content.IE5\O1YFKPYJ\opinion;A=1;D=2;C=1;C=3;C=12;E=CCDBE;F=3;G=2;S=53;S=245;B=4;B=35;B=69;B=105;VS=3;dcopt=ist;dir=opeds_miscnode;dir=opinion;dir=columns;dir=opinion;dir=opeds_misc;pos=ad1;ad=[1] (WARNING: not scanned, path to long)
    W32.Gaobot has not been found on your computer.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:36:33 AM, on 3/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\iTunesHelper.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
    E:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
    E:\Program Files\Common Files\Windows\services32.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Yahoo!\Messenger\YPager.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\Program Files\Windows Media Player\wmplayer.exe
    E:\Documents and Settings\Pache\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
    O4 - HKCU\..\Run: [services32] E:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: svchost.exe
    O4 - Global Startup: wmplayer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
  • skywalker45 Bloomington, IN, USA
    edited March 2006
    OK. The log seems free of the Gaobot worm. But some more malware has crept in. Because of your setup we would have huge problems eliminating all of it. So here is my suggestion. You shouldn't have 2 Windows installations running on 2 separate partitions. This will create an unstable and dangerous environment for malware to install since malware most often looks for the partitions where Windows resides. In my opinion you should back up your data to CD or similar media and do a clean install to 1 partition. It's OK to have 2 partitions but with Windows only on one. Secondly I would use the NTFS file system. Windows XP tends to run more efficiently when installed using that structure. Let me know if you have any more problems.
  • yossarian084 Norwich, VT, USA Member
    edited March 2006
    Thanks. My other thread is asking how to do just that so I'll just follow those instructions. Cheers!
  • skywalker45 Bloomington, IN, USA
    edited March 2006
    Great! I'll close this thread now. When and if you need it re-opened, PM me or one of the other moderators and we'll open it for you.
This discussion has been closed.