Topic: L2m among other things

Ryutheip
L2m among other things
« on: July 26, 2006, 05:12:47 PM »
Working on cleaning this computer. Ran Spybot S&D which made it functional, but it has L2M on it, and probably a lot of other problems.

The bg is giving an error message, and getting lots of pop-ups. Probably gonna switch to Firefox soon.


Logfile of HijackThis v1.99.1
Scan saved at 4:10:56 PM, on 7/26/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pilgkn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\grckk.exe
C:\WINDOWS\System32\grckk.exe
C:\WINDOWS\System32\grckk.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Documents and Settings\Lisa\Desktop\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\dfndref_7.exe
C:\WINDOWS\System32\wfxqhv.exe
C:\kybrdef_7.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\ms048965081088.exe
C:\WINDOWS\System32\zqskw.exe
C:\WINDOWS\ymjropbA.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\System32\4b87947a.exe
C:\WINDOWS\System32\redistributor.exe
C:\Program Files\Common Files\{40E73DFC-03E8-1033-0306-011118030001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Lisa\MYDOCU~1\MANTEC~1\mshta.exe
C:\PROGRA~1\COMMON~1\ukfz\ukfzm.exe
C:\WINDOWS\T?sks\?ttrib.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\aspi264477.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\TGlzYQ\command.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\COMMON~1\ukfz\ukfza.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\grckk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qniouta.exe
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 Email Removed
O1 - Hosts: 84.252.148.80 www.Email Removed
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O1 - Hosts: 84.252.148.80 www.3riversfcu.org
O1 - Hosts: 84.252.148.80 3riversfcu.org
O1 - Hosts: 84.252.148.80 www.53.com
O1 - Hosts: 84.252.148.80 53.com
O1 - Hosts: 84.252.148.80 www.amazon.com
O1 - Hosts: 84.252.148.80 amazon.com
O1 - Hosts: 84.252.148.80 www.bbt.com
O1 - Hosts: 84.252.148.80 bbt.com
O1 - Hosts: 84.252.148.80 www.boh.com
O1 - Hosts: 84.252.148.80 boh.com
O1 - Hosts: 84.252.148.80 www.capitalone.com
O1 - Hosts: 84.252.148.80 capitalone.com
O1 - Hosts: 84.252.148.80 www.cnbwax.com
O1 - Hosts: 84.252.148.80 cnbwax.com
O1 - Hosts: 84.252.148.80 www.cwbk.com
O1 - Hosts: 84.252.148.80 cwbk.com
O1 - Hosts: 84.252.148.80 www.ebay.com
O1 - Hosts: 84.252.148.80 ebay.com
O1 - Hosts: 84.252.148.80 www.edsefcu.org
O1 - Hosts: 84.252.148.80 edsefcu.org
O1 - Hosts: 84.252.148.80 egold.com
O1 - Hosts: 84.252.148.80 www.egold.com
O1 - Hosts: 84.252.148.80 www.e-gold.com
O1 - Hosts: 84.252.148.80 e-gold.com
O1 - Hosts: 84.252.148.80 www.firstusa.com
O1 - Hosts: 84.252.148.80 firstusa.com
O1 - Hosts: 84.252.148.80 www.frontierbank.com
O1 - Hosts: 84.252.148.80 frontierbank.com
O1 - Hosts: 84.252.148.80 www.gncu.org
O1 - Hosts: 84.252.148.80 gncu.org
O1 - Hosts: 84.252.148.80 www.householdbank.com
O1 - Hosts: 84.252.148.80 householdbank.com
O1 - Hosts: 84.252.148.80 www.icicibank.com
O1 - Hosts: 84.252.148.80 icicibank.com
O1 - Hosts: 84.252.148.80 www.mbna.com
O1 - Hosts: 84.252.148.80 mbna.com
O1 - Hosts: 84.252.148.80 www.mibank.com
O1 - Hosts: 84.252.148.80 mibank.com
O1 - Hosts: 84.252.148.80 www.midamericabank.com
O1 - Hosts: 84.252.148.80 midamericabank.com
O1 - Hosts: 84.252.148.80 www.myindymacbank.com
O1 - Hosts: 84.252.148.80 myindymacbank.com
O1 - Hosts: 84.252.148.80 www.nafcunet.org
O1 - Hosts: 84.252.148.80 nafcunet.org
O1 - Hosts: 84.252.148.80 www.nationalcity.com
O1 - Hosts: 84.252.148.80 nationalcity.com
O1 - Hosts: 84.252.148.80 www.cnb.com
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Lisa\Desktop\MsgPlus.exe"
O4 - HKLM\..\Run: [BaitDaleFlapBoob] C:\Documents and Settings\All Users\Application Data\PartDebugBaitDale\Funk audio.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINDOWS\System32\cvn0.exe
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [ms048965081088] C:\WINDOWS\ms048965081088.exe
O4 - HKLM\..\Run: [ymjropbA] C:\WINDOWS\ymjropbA.exe
O4 - HKLM\..\Run: [fsr05e9d] RUNDLL32.EXE w2935e94.dll,n 00205e9b000000032935e94
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [w296cb76.dll] RUNDLL32.EXE w296cb76.dll,I2 00205e9b0296cb76
O4 - HKLM\..\Run: [4b87947a.exe] C:\WINDOWS\System32\4b87947a.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [papxkl] C:\WINDOWS\System32\pilgkn.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitsSafe] C:\DOCUME~1\Lisa\APPLIC~1\MFCDLO~1\bin skip rect.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Lisa\Desktop\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Isce] "C:\DOCUME~1\Lisa\MYDOCU~1\MANTEC~1\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [lwvyl] C:\WINDOWS\System32\pilgkn.exe reg_run
O4 - HKCU\..\Run: [ukfz] C:\PROGRA~1\COMMON~1\ukfz\ukfzm.exe
O4 - HKCU\..\Run: [Qqcdumxf] C:\WINDOWS\T?sks\?ttrib.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [4b87947a.exe] C:\Documents and Settings\Lisa\Local Settings\Application Data\4b87947a.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Lisa\LOCALS~1\Temp\2D.tmp3072.exe
O4 - Global Startup: ipwhq.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\jtjo0713e.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
O21 - SSODL: fOyyInKddrpw - {40E73DFD-EA4D-9757-836A-D38A6A09A1D0} - C:\WINDOWS\System32\tstw.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi264477.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGlzYQ\command.exe
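The security-relevant part of the log above is the O1 block (every listed bank and payment domain is mapped in the hosts file to one non-loopback address, the hosts-file pharming pattern), the F2 Shell= line that chains a second executable onto Explorer.exe, and the O15 Trusted Zone additions. As an added example that is not from the thread or from HijackThis, this Python snippet parses such log lines and flags those three patterns; the sample log is a constructed excerpt copied from the lines above.

```python
import re
from collections import defaultdict

# Constructed excerpt in HijackThis format, copied from the log posted above.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\System32\\grckk.exe
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 127.0.0.1 localhost
O15 - Trusted Zone: *.winfixer.com (HKLM)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")
SHELL_RE = re.compile(r"^F2 - REG:system.ini: Shell=(.+)$")
LOOPBACK = {"127.0.0.1", "::1"}


def triage(log_text):
    """Collect findings from HijackThis O1 / O15 / F2 lines.

    hosts_redirects: non-loopback IP -> domains the hosts file sends to it
    trusted_zones:   sites added to the IE Trusted Zone
    shell_extras:    anything loaded besides Explorer.exe in the Shell= value
    """
    redirects = defaultdict(list)
    trusted = []
    shell_extras = []
    for line in log_text.splitlines():
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK:  # loopback entries are normal ad-blocking
                redirects[ip].append(host)
        elif m := TRUSTED_RE.match(line):
            trusted.append(m.group(1))
        elif m := SHELL_RE.match(line):
            parts = [p.strip() for p in m.group(1).split(",")]
            shell_extras.extend(p for p in parts if p.lower() != "explorer.exe")
    return {"hosts_redirects": dict(redirects),
            "trusted_zones": trusted,
            "shell_extras": shell_extras}


def is_pharming(findings, min_domains=3):
    """One non-loopback IP hijacking several domains is the pharming pattern."""
    return any(len(d) >= min_domains for d in findings["hosts_redirects"].values())


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(found)
    print("pharming:", is_pharming(found))
```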

guestolo
L2m among other things
« Reply #1 on: July 26, 2006, 05:15:53 PM »
Can you do the following, please:

Download and unzip to your desktop InstalledPrograms.zip
Double click on InstalledPrograms.vbs

Click OK at the IP prompt and click YES to view the results now.
A text file will open; can you copy and paste the whole contents back here?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Ryutheip
L2m among other things
« Reply #2 on: July 26, 2006, 05:19:45 PM »
INSTALLED SOFTWARE (23) - LISACOMPUTER - 7/26/2006 4:18:59 PM

Comcast High-Speed Internet Install Wizard   
Forethought   
HijackThis 1.99.1   Ver: 1.99.1
Icons   
Icons   
J2SE Runtime Environment 5.0 Update 3   Ver: 1.5.0.30   Installed: 7/20/2006
LimeWire 4.12.3   Ver: 4.12.3
Logitech Desktop Messenger   
Logitech Print Service   
Logitech QuickCam Software   Ver: 8.47.0000
Logitech VideoCall   
Logitech® Camera Driver   
Macromedia Flash Player 8   Ver: 8
MediaTickets By OIN    Ver: 1.0
Messenger Plus! 3 & Sponsor   
MSN Messenger 7.5   Ver: 7.5.0324.0   Installed: 5/30/2006
Quicklinks   
Spybot - Search & Destroy 1.4   Ver: 1.4
Surf SideKick   
ToolBar888   
WebFldrs XP   Ver: 9.50.5318   Installed: 4/9/2006
webHancer Survey Companion   
WinRAR Archivierer

guestolo
L2m among other things
« Reply #3 on: July 27, 2006, 11:34:26 PM »
You are quite infected. Nothing we can't fix, but I will also let you know another option.
You have no Windows updates on this computer; chances are without updates you will get reinfected in no time.

I don't want you to install any Windows updates yet, as they may not install correctly.

But another option is to format this computer and start fresh with a clean install.

Let me know what option you choose: to continue to fix this computer, or to format and clean install this computer.



Ryutheip
L2m among other things
« Reply #4 on: July 31, 2006, 11:32:18 AM »
I'm planning on reformatting it as soon as the user returns to Germany (foreign exchange student).

I'm a bit worried though, is there a chance of this infection spreading to other computers on our network? If so, what can I do to prevent it?

guestolo
L2m among other things
« Reply #5 on: July 31, 2006, 10:50:42 PM »
Since there are no Windows updates on this computer
and the possibility it is hooked to a network, disconnect it immediately.

It is not a very good idea keeping a vulnerable computer connected to other computers!!!
