Can't seem to fix this one. I need help.

Question

complete -2 Junior Poster

18 Years Ago

I have tried doing a system restore, and I have run Ad-Aware and Spypot as weel at F-Prot AntiVirus.

But I still get pop-ups (I am sure this was caused by my running some ill-advised software).

Can anyone give me suggestions about my next step or action?

Here is my Output from HiJackThis. I have run this and checked everything to be fixed too. But this does not seem to work either.

Logfile of HijackThis v1.99.1
Scan saved at 7:22:27 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gelsana\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bclpk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\j0n20a5oed.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

windows-virus

4 Contributors
22 Replies
251 Views
3 Days Discussion Span
Latest Post 18 Years Ago Latest Post by D3m3nt3d

All 22 Replies

tayspen 28 <Insert title here>

18 Years Ago

That is a very short log. Are you sure you copied it all? If you used msconfig or any other tool to prevent items from running at start up, you need to re-enable them, so we can check to see if its malware. Also do the scan in normal mode of windows., not safe.

tayspen 28 <Insert title here>

18 Years Ago

Man you are loaded. Download the following.

Ewido
www.ewido.com

Spysweeper
http://www.webroot.com/consumer/products/spysweeper/freescan.html?rc=2180&ac=420

CCleaner
http://www.ccleaner.com/

--------------------------------------------------------------
Install them all. Run ewido first. Update it, then scan and let it remove anything it finds. Then spysweeper, let it remove anything it finds. Then run CCLeaner, and let it cleanup the tempoary files.
-------------------------------------------------------------

That should take out most of them. When your done, post the ewido log, and a new HJT log.

tayspen 28 <Insert title here>

18 Years Ago

There is a free trial. Or a least a tool you can use, it is an exellent prodeuct if you are going to buy it, it will do it job and it will do it well.

http://www.webroot.com/shoppingcart/tryme.php?bjpc=64021&vcode=DT02A

tayspen 28 <Insert title here>

18 Years Ago

Ok, just post the ewido log, and a fresh HJT log, and I will look at it when I get home :).

tayspen 28 <Insert title here>

18 Years Ago

Ok, hereis a link to the Spysweeper trial. Im not if the link I gave you above is the one I wanted ;).

http://msn-cnet.com.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html?part=msn-cnet&subj=dl_hotfiles&tag=ppd_feed

Its

Free to try; 29.99 to buy

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

complete -2 Junior Poster · Answer 1 · 2006-03-23T08:06:09+00:00

That is a very short log. Are you sure you copied it all? If you used msconfig or any other tool to prevent items from running at start up, you need to re-enable them, so we can check to see if its malware. Also do the scan in normal mode of windows., not safe.

OK, I did as you asked and when I restarted I got this pop up:

RUNDLL
Error loading C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
The specified module could not be found.

And here is the output from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:52 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\sys09410111086.exe
C:\WINDOWS\sys01101110864.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\mousepad4.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\qwinorag.exe
C:\WINDOWS\system32\csrrs.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Blue Security\bluefrog.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\QmlsbA\command.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\embinpiA.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\system32\winspy.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wintask.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\BundleInstall.exe
C:\WINDOWS\system32\rk.exe
C:\WINDOWS\win3206086410111.exe
C:\WINDOWS\newfrn.exe
c:\windows\eee2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Documents and Settings\Bill\Desktop\HijackThis.exe
C:\WINDOWS\CROSOF~1\iexplore.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\ctxad.exe
C:\WINDOWS\b.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bclpk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsr16.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [{1C-CC-C6-6E-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys09410111086] C:\WINDOWS\sys09410111086.exe
O4 - HKLM\..\Run: [sys01101110864] C:\WINDOWS\sys01101110864.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinorag.exe CORN001
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [embinpiA] C:\WINDOWS\embinpiA.exe
O4 - HKLM\..\Run: [ms04110864101] C:\WINDOWS\ms04110864101.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [win3206086410111] C:\WINDOWS\win3206086410111.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [wahm] c:\windows\eee2.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [Iinl] "C:\Program Files\sami\emia.exe" -vt yazr
O4 - Startup: Z_Start.lnk = C:\ZICORN001.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinorag.exe
O4 - Global Startup: wmplayer.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: svchost.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\ktpol7731.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmlsbA\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\embinpi.exe

complete -2 Junior Poster · Answer 2 · 2006-03-24T11:38:41+00:00

Man you are loaded. Download the following.
Ewido
www.ewido.com
Spysweeper
http://www.webroot.com/consumer/products/spysweeper/freescan.html?rc=2180&ac=420
CCleaner
http://www.ccleaner.com/
--------------------------------------------------------------
Install them all. Run ewido first. Update it, then scan and let it remove anything it finds. Then spysweeper, let it remove anything it finds. Then run CCLeaner, and let it cleanup the tempoary files.
-------------------------------------------------------------
That should take out most of them. When your done, post the ewido log, and a new HJT log.

This may take some time. In order to run spysweeper so that it removes the bugs it found, I had to buy the product. But there is a problem installing the active version. I have to contact their tech support.

complete -2 Junior Poster · Answer 3 · 2006-03-24T18:53:50+00:00

These look like great tools. One thing that concerns me is that there is a virus that Ewido keeps finding. I would think that running it once would clean the computer and if I run the program again it will not find it. There seems to be something that keeps putting a virus on my system.

complete -2 Junior Poster · Answer 4 · 2006-03-24T19:52:39+00:00

Thank you. I will post it when I get home :) Right now ewido is running and it takes a while to complete.

complete -2 Junior Poster · Answer 5 · 2006-03-25T06:55:30+00:00

Logfile of HijackThis v1.99.1
Scan saved at 6:51:34 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Documents and Settings\Bill\Desktop\ssf-snr-a-setup1_0.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\is-3PFIA.tmp\is-4C5M6.tmp
C:\Documents and Settings\Bill\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [gggel] C:\WINDOWS\system32\krulke.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\fncfg.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe




---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          6:52:03 PM, 3/24/2006
 + Report-Checksum:     5B2BB195

 + Scan result:

    [480] C:\WINDOWS\system32\uxrrtosa.dll -> Adware.Look2Me : Error during cleaning
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.6:...s2nch8mh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.7:...s2nch8mh.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.8:...s2nch8mh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.9:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.10:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.11:...s2nch8mh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.12:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.13:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.14:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.15:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.16:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.17:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.18:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.19:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.20:...s2nch8mh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.21:...s2nch8mh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.22:...s2nch8mh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.28:...s2nch8mh.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.29:...s2nch8mh.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.30:...s2nch8mh.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.31:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.32:...s2nch8mh.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
    :mozilla.33:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.34:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.35:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.36:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.37:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.38:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.39:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.40:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.41:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.42:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.43:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.44:...s2nch8mh.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.45:...s2nch8mh.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.46:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.47:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.48:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.49:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.53:...s2nch8mh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.54:...s2nch8mh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.55:...s2nch8mh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.62:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.63:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.73:...s2nch8mh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.77:...s2nch8mh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
    :mozilla.78:...s2nch8mh.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.82:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.83:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.84:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.85:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.87:...s2nch8mh.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.94:...s2nch8mh.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
    :mozilla.96:...s2nch8mh.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
    :mozilla.97:...s2nch8mh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP52\A0015175.dll -> Downloader.Qoologic.bj : Cleaned with backup


::Report End

complete -2 Junior Poster · Answer 6 · 2006-03-25T07:55:30+00:00

Well, I have some good news. Now I have gotten Webroot Spy Sweeper's complete version to run!

tayspen 28 <Insert title here> Team Colleague · Answer 7 · 2006-03-25T08:07:05+00:00

Good! now let it finsih then post a new HJT log, and we will finally finsih getting you cleaned!

complete -2 Junior Poster · Answer 8 · 2006-03-25T20:24:25+00:00

The Spy Sweeper currently says no adware or unwanted items found. THe ewido anti-virus program seems to keep finding stuff even after it has been run previously.

I think I see what might be the cause of the problems. I will bold it below.

Here is the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 8:20:39 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bill\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\q4rqle951h.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

tayspen 28 <Insert title here> Team Colleague · Answer 9 · 2006-03-25T20:50:42+00:00

That log looks pretty short. If you have disabled stuff from running at startup, re-enable them, reboot and post a new log.

As far as Explorer.exe goes, that is a critical windows file. Is is what you use to navigate your computer.

complete -2 Junior Poster · Answer 10 · 2006-03-26T05:31:32+00:00

That log looks pretty short. If you have disabled stuff from running at startup, re-enable them, reboot and post a new log.
As far as Explorer.exe goes, that is a critical windows file. Is is what you use to navigate your computer.

So I just found out the hard way when I stopped it as a process :o

I ran ewido anti-malware. I found that the 162 in the list are actually mostly firefox cookies except for this one:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:14:12 PM, 3/25/2006
+ Report-Checksum: AAE87EDE

+ Scan result:

[1568] C:\WINDOWS\system32\imetmib1.dll -> Adware.Look2Me : Error during cleaning
[1740] C:\WINDOWS\system32\imetmib1.dll -> Adware.Look2Me : Error during cleaning

I am going to restart in safe mode and see if I can get a clean slate and then try in normal mode once more....

tayspen 28 <Insert title here> Team Colleague · Answer 11 · 2006-03-26T06:08:40+00:00

Ah, so you have the look2Me infection.

Look here for removal instructions.

http://www.pchell.com/support/look2me.shtml

Or, you could download Spysweeper, and it should knock it out fore you without you doing it manually.

http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

Post a new log.

D3m3nt3d 1 Posting Whiz in Training · Answer 12 · 2006-03-26T06:41:06+00:00

Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, click the Remove L2M button.
--You will receive a Done Scanning message, click OK.
--When completed, you will receive this message: Done removing infected files! --Look2Me-Destroyer will now shutdown your computer, click OK.
--Your computer will then shutdown.
--Turn your computer back on.
--Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

tayspen 28 <Insert title here> Team Colleague · Answer 13 · 2006-03-26T07:35:30+00:00

Heh, I knew there was a specific program to use to remove it. I just couldnt rememeber it.

Well, I know for next time. :)

complete -2 Junior Poster · Answer 14 · 2006-03-26T08:44:47+00:00

That log looks pretty short. If you have disabled stuff from running at startup, re-enable them, reboot and post a new log.
As far as Explorer.exe goes, that is a critical windows file. Is is what you use to navigate your computer.

It looks like I am infected with Look2Me virus. Any advice in getting rid of it?

I have run a couple of anti-virus programs and they say they have found it and cleaned it, but it is still there. I have run the programs you suggested in safe mode, but it still remains.

tayspen 28 <Insert title here> Team Colleague · Answer 15 · 2006-03-26T08:45:48+00:00

Did you try What Demented said? That should take care of it...

Cass 0 Newbie Poster · Answer 16 · 2006-03-26T12:26:34+00:00

Symantec has a little removal fix that worked pretty good for me. I used all the spyware and said it was clean, but the problem still existed until I ran FxNdotN.exe. Spybot couldn't clean it and kept finding it. After that, and I think I had to physically delete the key from the registry (Symantec gave those instructrions also), everything was back to normal. Hope you get it fixed!

Cassaundra

D3m3nt3d 1 Posting Whiz in Training · Answer 17 · 2006-03-26T20:20:56+00:00

They are not having NewDotNet problems, they have a Look2Me infection :)

Look2Me Destroyer should get it, if not there are other ways of removing it...

Can't seem to fix this one. I need help.

Recommended Answers Collapse Answers

All 22 Replies

Recommended Answers