Hello. Long story made shorter: I'm trying to clean up my in-laws' Win 2000 computer without much luck. It seems that even after running both Ad-Aware and Spybot S&D, and supposedly fixing the myriad problems, the problems return on the next reboot, even though I have not reconnected to the Net. I've checked Add/Remove Programs and don't see anything to remove.
Anyway, here is the HijackThis log. Thanks in advance for your help.
Logfile of HijackThis v1.99.1
Scan saved at 11:35:56 AM, on 10/14/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Thanks for your help. It took me a while but here are the logs:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 10/22/2006 8:34:09 AM
Attempting to delete infected files...
Making registry repairs.
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [10/22/2006] at [5:00:35 PM]
-------------------------------------------------------------
Terminated module: hnllhch.dll found in Qoofix.exe (1156)
Terminated module: hnllhch.dll found in rundll32.exe (772)
Terminated module: hnllhch.dll found in bgllqt.exe (876)
Terminated module: hnllhch.dll found in rpdpq.exe (884)
Terminated module: hnllhch.dll found in rpdpq.exe (924)
Terminated module: hnllhch.dll found in rpdpq.exe (932)
Terminated module: hnllhch.dll found in septpop06apsept (2084)
Terminated module: hnllhch.dll found in 5Eplorer.exe (2276)
Terminated module: hnllhch.dll found in PSFREE.EXE (2280)
Terminated module: hnllhch.dll found in spool32.exe (716)
Terminated module: hnllhch.dll found in Explorer.exe (732)
-------------------------------------------------------------
C:\WINNT\System32\bgllqt.exe will be deleted on reboot!
C:\WINNT\System32\dkjsbaw.exe will be deleted on reboot!
C:\WINNT\System32\hnllhch.dll will be deleted on reboot!
C:\WINNT\System32\rpdpq.exe will be deleted on reboot!
C:\WINNT\System32\hdboc.dat will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tnxmw.exe will be deleted on reboot!
User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [10/22/2006] at [5:03:47 PM]
Note: Some registry keys may have been removed.
Logfile of HijackThis v1.99.1
Scan saved at 5:13:03 PM, on 10/22/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Well part of the instructions worked and part did not, so...
Go to Start > Run and type in Services.msc then click OK
Click the Extended tab.
Scroll down until you find Command Service.
Click once on the service to highlight it.
Click Stop
Right-Click on the service.
Click on 'Properties'
Select the 'General' tab
Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
From the drop-down menu, click on 'Disabled'
Click the 'Apply' tab, then click 'OK'
Next:
Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type Command Service and press OK. OK any prompts, close HijackThis, and restart your computer.
Do the same for these bad services below one at a time:
sysmgr64
dllmgr64
Win32 Kernel Update
Go here to learn how to show hidden files/folders:
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
Also go to post #2 and run the Look2Me Remover again and post that log please, plus a new HijackThis log and the scan results for the file above. Thanks.
Neal,
First of all, things seem to be slowly getting better, thanks to you. I tried to follow the instructions and was only partially successful.
HijackThis was not able to find and fix Command Service or Win32 Kernel Update even though they were both evident in services.msc. The other two were found by HJT.
Also, C:\Program Files\Network Monitor\netmon.exe was not found, so could not be scanned.
Here are the two logs you requested:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 10/23/2006 5:44:08 PM
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Logfile of HijackThis v1.99.1
Scan saved at 7:03:35 PM, on 10/23/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Download AVG anti-spyware from HERE and save that file to your desktop. This is a 30 day trial of the program
Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right click on ewido in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
Press "OK".
In Services, click the "Extended" tab and scroll down the list to find AVG anti-spyware 7.5 guard.
When you find the guard service, double-click on it.
In the Properties Window > General Tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK" and close the Services window.
Once the setup is complete you will need run AVG anti-spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, manually update with the AVG anti-spyware Full database installer from here.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports":
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close AVG anti-spyware. Do NOT run a scan yet.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" (or whatever your primary drive is)
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (C:\BFU).
Do not run the Uninstaller and the Remover yet.
Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
Launch AVG anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.
Now close AVG anti-spyware.
Open My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe
In the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Then...
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Ok, that went fairly smoothly thanks to your excellent instructions. In case I forget later, just another sincere word of thanks for all of your efforts. They are appreciated very much.
Here are both of the reports:
C:\WINNT\thiselt.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINNT\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\rbcwxtuv.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\system32\BattyRun2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.fr015A -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.frEDF7 -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINNT\system32\nsdD.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.fr0C56 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.fr309F -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.fr7C77 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.fr84B9 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.frC700 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.frD907 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.frFF02 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Program Files\PSCloner\PSCloner.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\PSLister\PSLister.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINNT\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Deskbar -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\Cache -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\GLB13.tmp/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINNT\TIELT001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINNT\dllmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINNT\sysmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINNT\system32\eraseme_11313.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINNT\system32\eraseme_87421.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINNT\system32\eraseme_88045.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINNT\win32host.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\nwnmff_17.exe_tobedeleted -> Downloader.Adload.fg : Cleaned with backup (quarantined).
C:\nwnmff_18.exe -> Downloader.Adload.fg : Cleaned with backup (quarantined).
C:\dfndrff_18.exe -> Downloader.Adload.fk : Cleaned with backup (quarantined).
C:\mc44a34.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\dfndrff_e34.exe -> Downloader.Adload.ha : Cleaned with backup (quarantined).
C:\nwnmff_e34.exe -> Downloader.Adload.hb : Cleaned with backup (quarantined).
C:\WINNT\system32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\7.exe -> Downloader.Agent.aox : Cleaned with backup (quarantined).
C:\topaff.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\web2.exe -> Downloader.Agent.xq : Cleaned with backup (quarantined).
C:\WINNT\srvvrazriw.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\814.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\WINNT\system32\qaz -> Downloader.Ftp.cb : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\!update.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\installerwnusnewer.exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.fr9BF5 -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINNT\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINNT\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\ac3_0003.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\stdrun132560.exe -> Downloader.Small.dtl : Cleaned with backup (quarantined).
C:\Program Files\Common Files\irof\irofd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\803_104.exe -> Dropper.Mudrop.bq : Cleaned with backup (quarantined).
C:\dfndrff_e1.exe -> Hijacker.VB.ia : Cleaned with backup (quarantined).
C:\WINNT\thkpkum.exe -> Hijacker.VB.ij : Cleaned with backup (quarantined).
C:\dfndrff_e.exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\temp.frA0B8 -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CC33TYYK\update[1].exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\J8EJBYC1\update[1].exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ROW97HXG\j2update[1].exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temporary Internet Files\Content.IE5\8RATU4EX\update[1].exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\WINNT\system32\taskmngr32.exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\winhelp32.exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Local Settings\Temp\sp_m3_v81.exe -> Proxy.Dlena.w : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\J8EJBYC1\j2update[1].exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ROW97HXG\k2sys64[1].exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\VLCBSQNF\mstskmgr[1].exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\WINNT\system32\mstskmgr.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\mstskmgr.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\msutil64.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\Documents and Settings\Paula\Cookies\paula@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Paula\Cookies\paula@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Paula\Cookies\paula@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINNT\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINNT\uninst104.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINNT\system32\msvcrl.dll -> Worm.Locksky.ao : Cleaned with backup (quarantined).
::Report end
Adobe Flash Player 9 ActiveX
AVG Anti-Spyware 7.5
HijackThis 1.99.1
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Microsoft Excel 97
Microsoft Internet Explorer 6 SP1
Microsoft Word 97
Pop-Up Stopper Free Edition
PowerArchiver 2006 v9.63
Windows 2000 Service Pack 4
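Added example, not part of this thread and not code from HijackThis, Qoofix, Look2Me-Destroyer or AVG Anti-Spyware: a small Python triage script for the two log formats quoted above, the Qoofix "Terminated module" / "will be deleted on reboot" lines and the AVG Anti-Spyware "path -> family : action" report. The sample lines are constructed by abridging the thread's own logs; the location bucket names, the regular expressions and the set of "remote control" threat classes are my own choices. Its point is the one the thread illustrates: a cleaner's report answers two different questions, what was on the box (the adware count) and who else had control of it (the Backdoor.SdBot and Proxy entries, which is what decides whether passwords get changed and the machine gets rebuilt), and the file locations show which entries explain the reinfection at every reboot.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: lines abridged from the two logs quoted in this
# thread (Qoofix "Terminated module" / "will be deleted on reboot" lines and
# AVG Anti-Spyware "path -> family : action" report lines).
QOOFIX_LOG = """\
Terminated module: hnllhch.dll found in rundll32.exe (772)
Terminated module: hnllhch.dll found in bgllqt.exe (876)
Terminated module: hnllhch.dll found in rpdpq.exe (884)
Terminated module: hnllhch.dll found in septpop06apsept (2084)
Terminated module: hnllhch.dll found in Explorer.exe (732)
C:\\WINNT\\System32\\hnllhch.dll will be deleted on reboot!
C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\tnxmw.exe will be deleted on reboot!
"""

AVG_REPORT = """\
C:\\WINNT\\dllmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\\WINNT\\sysmgr64.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\\WINNT\\system32\\taskmngr32.exe -> Proxy.Agent.hd : Cleaned with backup (quarantined).
C:\\Documents and Settings\\Paula\\Local Settings\\Temp\\temp.fr0C56 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\\Documents and Settings\\Paula\\Cookies\\paula@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\\Program Files\\Deskbar -> Adware.Softomate : Cleaned with backup (quarantined).
::Report end
"""

TERMINATED_RE = re.compile(r"^Terminated module: (?P<dll>\S+) found in (?P<proc>.+?) \((?P<pid>\d+)\)$")
DELETE_RE = re.compile(r"^(?P<path>.+?) will be deleted on reboot!$")
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+?)\.?$")

# Threat-class prefixes (as used in the AVG family strings) that mean someone
# else had control of the machine; my own grouping, not the tool's.
REMOTE_CONTROL_CLASSES = {"backdoor", "proxy", "worm"}


def parse_qoofix(text):
    """Return (injections, deletes): which processes each DLL was loaded in
    (one DLL in every user process is the Look2Me pattern seen in the thread)
    and the files Qoofix queued for deletion at reboot."""
    injections = defaultdict(list)
    deletes = []
    for line in text.splitlines():
        m = TERMINATED_RE.match(line)
        if m:
            injections[m["dll"].lower()].append((m["proc"], int(m["pid"])))
            continue
        m = DELETE_RE.match(line)
        if m:
            deletes.append(m["path"])
    return dict(injections), deletes


def parse_avg(text):
    """Parse AVG report lines into dicts; lines in any other shape are skipped."""
    hits = []
    for line in text.splitlines():
        m = AVG_RE.match(line)
        if m:
            hits.append({"path": m["path"], "family": m["family"], "action": m["action"]})
    return hits


def location_bucket(path):
    """Coarse bucket for where a file lived. The startup folder and the Windows
    directory explain 'it comes back after reboot'; browser cache and Temp
    usually hold the installers that put it there."""
    p = path.lower().replace("/", "\\")
    if "\\start menu\\programs\\startup\\" in p:
        return "startup-folder"
    if "\\temporary internet files\\" in p:
        return "browser-cache"
    if "\\cookies\\" in p:
        return "cookies"
    if "\\local settings\\temp\\" in p:
        return "temp"
    if "\\program files\\" in p:
        return "program-files"
    if p.startswith("c:\\winnt\\"):
        return "system-dir"
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "drive-root"
    return "other"


def triage(hits, deletes=()):
    """Counts by threat class and by location, plus the files that gave an
    outsider control of the box (the list that drives password changes and
    the rebuild decision, not the adware count)."""
    def threat_class(h):
        return h["family"].split(".")[0].lower()
    by_class = Counter(threat_class(h) for h in hits)
    by_location = Counter(location_bucket(h["path"]) for h in hits)
    by_location.update(location_bucket(p) for p in deletes)
    remote_control = sorted(h["path"] for h in hits if threat_class(h) in REMOTE_CONTROL_CLASSES)
    return {"by_class": by_class, "by_location": by_location, "remote_control": remote_control}


if __name__ == "__main__":
    injections, deletes = parse_qoofix(QOOFIX_LOG)
    for dll, procs in injections.items():
        print(f"{dll}: loaded in {len(procs)} processes: " + ", ".join(f"{p} ({pid})" for p, pid in procs))
    summary = triage(parse_avg(AVG_REPORT), deletes)
    print("by class:   ", dict(summary["by_class"]))
    print("by location:", dict(summary["by_location"]))
    print("remote-control components:")
    for path in summary["remote_control"]:
        print("  ", path)
```

Run against a full report the script groups the seventy-odd entries above into a handful of classes, and the "remote-control components" list (SdBot backdoor binaries in C:\WINNT, proxy agents in System32) is the part that should be read first: once a bot has run as Administrator, quarantining its files does not undo anything it may have uploaded or installed, and any password typed on that machine should be treated as known to a third party.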