
Solved: winlogon trojan..popper

Discussion in 'All Other Software' started by robsters1, Jul 17, 2006.

Thread Status:
Not open for further replies.
  1. robsters1

    robsters1 Thread Starter

    Joined:
    Jun 27, 2006
    Messages:
    6
    I've got a popper malware that's driving me crazy.. It just won't go away, and I can't get into the user a/c in safe mode.... I have a winlogon trojan I can't remove. I have tried many things including running from safe mode. It won't let me log on to the user a/c to delete the files I think are causing it to load popups in both firefox and explorer.

    HijackThis logfile is..

    Logfile of HijackThis v1.99.1
    Scan saved at 8:44:22 AM, on 18/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\desk98.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijackthis\HijackThis.exe /startupscan
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ktj0l71m1.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

    Please advise what's my next move

    I think the nasty files are in the internet explorer temp directory and windows/sys 32
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    http://www.atribune.org/ccount/click.php?id=7 to download Look2Me-Destroyer.exe and save it to your desktop.
    · Close all windows before continuing.
    · Double-click Look2Me-Destroyer.exe to run it.
    · click the Scan for L2M button, your desktop icons will disappear, this is normal.
    · Once it's done scanning, click the Remove L2M button.
    · You will receive a Done Scanning message, click OK.
    · When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    · Your computer will then shutdown.
    · Turn your computer back on.
    · Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
    ========================

    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
    · Install ewido.
    · Run the application
    · Click on scanner
    · Click Complete System Scan and the scan will begin.
    · When the scan is finished, Set all items to delete
    · Apply all actions
    · look at the bottom of the screen and click the Save report button.
    · Save the report to your C: Drive
    This will take some time to run!
    RE-Boot
    Post that log and a new HiJack log
     
  3. robsters1

    robsters1 Thread Starter

    Joined:
    Jun 27, 2006
    Messages:
    6
    Well, have done most of your recommended actions.. just realised I didn't restart after ewido. I have just started using both browsers and so far no popups :) Only thing, I've lost my quickstart bar icons

    here are the logfiles as requested..
    ewido said this as it was going...
    Timer deletion failed, Value: 000003E5
    Timer deletion failed, Value: 000003E5
    Timer deletion failed, Value: 000003E5
    Timer deletion failed, Value: 000003E5
    Timer deletion failed, Value: 000003E5
    synchronize database and filecache
    application start was blocked because of several instances
    synchronize database and filecache
    synchronize database and filecache

    Error: failed to connect to server, Value: 00002741, Position: .\DownloadHttp.cpp, 287
    Error: failed to connect to server, Value: 00002741, Position: .\DownloadHttp.cpp, 287
    Error: failed to connect to server, Value: 00002741, Position: .\DownloadHttp.cpp, 287
    Error: failed to connect to server, Value: 00002741, Position: .\DownloadHttp.cpp, 287
    Error: failed to connect to server, Value: 00002741, Position: .\DownloadHttp.cpp, 287
    Error: failed to connect to server, Value: 0000274C, Position: .\DownloadHttp.cpp, 287
    Error: failed to connect to server, Value: 0000274C, Position: .\DownloadHttp.cpp, 287
    Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 234

    + Created at: 7:45:30 AM 19/07/2006

    + Scan result:



    C:\WINDOWS\system32\LZLMA11N.DLL -> Adware.Look2Me : No action taken.
    :mozilla.62:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.65:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.66:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.67:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.68:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.79:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    :mozilla.88:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    C:\Documents and Settings\Robz1\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : No action taken.
    C:\Documents and Settings\Robz1\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : No action taken.
    :mozilla.38:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.139:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.140:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.141:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.142:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.83:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.84:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.85:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.6:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.7:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.8:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.9:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Robz1\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : No action taken.
    :mozilla.42:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.143:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
    :mozilla.20:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.26:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.27:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.28:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.29:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.30:C:\Documents and Settings\Robz1\Application Data\Mozilla\Firefox\Profiles\hi83cvzt.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\Robz1\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : No action taken.

    Look2Me-Destroyer log..

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 18/07/2006 9:41:25 AM

    Infected! C:\WINDOWS\system32\ktj0l71m1.dll
    Infected! C:\WINDOWS\system32\dIdramp.dll
    Infected! C:\WINDOWS\system32\fpl6033se.dll
    Infected! C:\WINDOWS\system32\hrr6059se.dll
    Infected! C:\WINDOWS\system32\kedhe.dll
    Infected! C:\WINDOWS\system32\ktj0l71m1.dll
    Infected! C:\WINDOWS\system32\kyd103.dll
    Infected! C:\WINDOWS\system32\o2lu0c39ef.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\ktj0l71m1.dll
    C:\WINDOWS\system32\ktj0l71m1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\dIdramp.dll
    C:\WINDOWS\system32\dIdramp.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\fpl6033se.dll
    C:\WINDOWS\system32\fpl6033se.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\hrr6059se.dll
    C:\WINDOWS\system32\hrr6059se.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\kedhe.dll
    C:\WINDOWS\system32\kedhe.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ktj0l71m1.dll
    C:\WINDOWS\system32\ktj0l71m1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\kyd103.dll
    C:\WINDOWS\system32\kyd103.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\o2lu0c39ef.dll
    C:\WINDOWS\system32\o2lu0c39ef.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{877ACD6C-918C-4DA3-8C35-FFA5639C5044}"
    HKCR\Clsid\{877ACD6C-918C-4DA3-8C35-FFA5639C5044}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9E1FD87B-D7E9-4F60-964C-59B3EE6BE2A9}"
    HKCR\Clsid\{9E1FD87B-D7E9-4F60-964C-59B3EE6BE2A9}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded


    HijackThis just run..

    Logfile of HijackThis v1.99.1
    Scan saved at 8:05:22 AM, on 19/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\desk98.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Hijackthis\HijackThis.exe /startupscan
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


    Great work .. thanks.. I just need to figure out how to replace my qs bar icons now.. I think I can just drag n drop ?

    Cheers Rob
     
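A check worth running on the two HijackThis logs above, to confirm that the Winlogon Notify DLL really went away and to see what else changed between scans. This is an added Python example, not code from the thread or from HijackThis or Look2Me-Destroyer; it runs on short constructed excerpts modelled on the posted logs.

```python
import re

# Constructed excerpts modelled on the logs posted in the thread (not the full logs).
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ktj0l71m1.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""
HJT_AFTER = r"""
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""
L2M_LOG = r"""
Infected! C:\WINDOWS\system32\ktj0l71m1.dll
Infected! C:\WINDOWS\system32\kedhe.dll
Attempting to delete: C:\WINDOWS\system32\ktj0l71m1.dll
C:\WINDOWS\system32\ktj0l71m1.dll Deleted successfully!
"""

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O20_LINE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Group a HijackThis log into {section: [entry body, ...]}."""
    out = {}
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.setdefault(m["sec"], []).append(m["body"])
    return out


def winlogon_notify_dlls(entries):
    """DLL paths from O20 lines. winlogon.exe loads these at every logon,
    which is why such an entry survives Safe Mode."""
    paths = []
    for body in entries.get("O20", []):
        m = O20_LINE.match(body)
        if m:
            paths.append(m["path"].strip().lower())
    return paths


def l2m_deleted(text):
    """Files the Look2Me-Destroyer log reports as 'Deleted successfully!'."""
    marker = " Deleted successfully!"
    return {ln.strip()[: -len(marker)].lower()
            for ln in text.splitlines() if ln.strip().endswith(marker)}


def verify_cleanup(before, after, l2m):
    """Return (still_present, confirmed_removed, new_entries)."""
    b, a = parse_hjt(before), parse_hjt(after)
    before_dlls, after_dlls = set(winlogon_notify_dlls(b)), set(winlogon_notify_dlls(a))
    still_present = sorted(before_dlls & after_dlls)  # O20 DLL survived: cleanup failed
    confirmed = sorted((before_dlls - after_dlls) & l2m_deleted(l2m))  # gone and logged as deleted
    old = {e for v in b.values() for e in v}
    new_entries = sorted({e for v in a.values() for e in v} - old)  # anything that appeared
    return still_present, confirmed, new_entries
```

Anything reported in `still_present` means the notify DLL is still registered and the machine is not clean; `new_entries` is the list to eyeball in the new log (here only the harmless ctfmon.exe Run key).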
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Have no idea what qs is
    ===================
    Get all of these and/or verify you have the current versions

    SpywareBlaster 3.5.1 http://majorgeeks.com/download2859.html
    SpyBot V1.4 http://www.majorgeeks.com/download2471.html
    AdAware SE 1.06 http://www.majorgeeks.com/download506.html
    MS Windows Defender - http://www.microsoft.com/downloads/...E7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en (XP and W2K only)

    Download them (they are free), install them, check each for their definition updates and then run AdAware, MS Defender (W2k/XP) and Spybot, fixing anything they say.

    In SpywareBlaster - Always enable all protection after updates
    In SpyBot - After an update run immunize

    Check for updates and run weekly
    ======================

    Clean - If you feel it is fixed, mark it solved via thread tools above - if not what is the current situation?

    Restore points
    Turn off restore points, boot, turn them back on – here’s how

    XP
    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
     
  5. robsters1

    robsters1 Thread Starter

    Joined:
    Jun 27, 2006
    Messages:
    6
    Thank you .. will do .. but gotta go now work calls.. I'll be in touch later
    Rob
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Was only in Taiwan once - Taipei - crazy drivers but really enjoyed the business trip there and the food was divine!
     
  7. robsters1

    robsters1 Thread Starter

    Joined:
    Jun 27, 2006
    Messages:
    6
    Well they haven't changed.. you see claret on the road quite often.. mostly crazy young scooter riders.. The fix seems to have worked thanks.. I'm still having trouble setting my folder preferences but no popups .. yeah!
     
Short URL to this thread: https://techguy.org/484106