0

I have tried doing a system restore, and I have run Ad-Aware and Spybot as well as F-Prot AntiVirus.

But I still get pop-ups (I am sure this was caused by my running some ill-advised software).

Can anyone give me suggestions about my next step or action?

Here is my Output from HiJackThis. I have run this and checked everything to be fixed too. But this does not seem to work either.

Logfile of HijackThis v1.99.1
Scan saved at 7:22:27 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gelsana\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bclpk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\j0n20a5oed.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

0

That is a very short log. Are you sure you copied it all? If you used msconfig or any other tool to prevent items from running at startup, you need to re-enable them, so we can check to see if it's malware. Also do the scan in normal mode of Windows, not safe.

0

That is a very short log. Are you sure you copied it all? If you used msconfig or any other tool to prevent items from running at startup, you need to re-enable them, so we can check to see if it's malware. Also do the scan in normal mode of Windows, not safe.

OK, I did as you asked and when I restarted I got this pop up:

RUNDLL
Error loading C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
The specified module could not be found.

And here is the output from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:52 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\sys09410111086.exe
C:\WINDOWS\sys01101110864.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\slk8x2peu.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\windows\mousepad4.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\qwinorag.exe
C:\WINDOWS\system32\csrrs.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Blue Security\bluefrog.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\QmlsbA\command.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\embinpiA.exe
C:\Program Files\EQAdvice\EQAdvice.exe
C:\WINDOWS\CheckS02.exe
C:\WINDOWS\system32\winspy.exe
C:\WINDOWS\errorhandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wintask.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\BundleInstall.exe
C:\WINDOWS\system32\rk.exe
C:\WINDOWS\win3206086410111.exe
C:\WINDOWS\newfrn.exe
c:\windows\eee2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Documents and Settings\Bill\Desktop\HijackThis.exe
C:\WINDOWS\CROSOF~1\iexplore.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\ctxad.exe
C:\WINDOWS\b.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bclpk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsr16.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\system32\w9seq.dll
O4 - HKLM\..\Run: [{1C-CC-C6-6E-ZN}] c:\windows\system32\dwdsregt.exe CORN001
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys09410111086] C:\WINDOWS\sys09410111086.exe
O4 - HKLM\..\Run: [sys01101110864] C:\WINDOWS\sys01101110864.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\qwinorag.exe CORN001
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [embinpiA] C:\WINDOWS\embinpiA.exe
O4 - HKLM\..\Run: [ms04110864101] C:\WINDOWS\ms04110864101.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [win3206086410111] C:\WINDOWS\win3206086410111.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [wahm] c:\windows\eee2.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000140.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [Iinl] "C:\Program Files\sami\emia.exe" -vt yazr
O4 - Startup: Z_Start.lnk = C:\ZICORN001.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinorag.exe
O4 - Global Startup: wmplayer.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: svchost.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\ktpol7731.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmlsbA\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\embinpi.exe

0

Man you are loaded. Download the following.

Ewido
www.ewido.com

Spysweeper
http://www.webroot.com/consumer/products/spysweeper/freescan.html?rc=2180&ac=420

CCleaner
http://www.ccleaner.com/

--------------------------------------------------------------
Install them all. Run ewido first. Update it, then scan and let it remove anything it finds. Then Spysweeper, let it remove anything it finds. Then run CCleaner, and let it clean up the temporary files.
-------------------------------------------------------------

That should take out most of them. When you're done, post the ewido log, and a new HJT log.

0

Man you are loaded. Download the following.

Ewido
www.ewido.com

Spysweeper
http://www.webroot.com/consumer/products/spysweeper/freescan.html?rc=2180&ac=420

CCleaner
http://www.ccleaner.com/

--------------------------------------------------------------
Install them all. Run ewido first. Update it, then scan and let it remove anything it finds. Then Spysweeper, let it remove anything it finds. Then run CCleaner, and let it clean up the temporary files.
-------------------------------------------------------------

That should take out most of them. When you're done, post the ewido log, and a new HJT log.

This may take some time. In order to run spysweeper so that it removes the bugs it found, I had to buy the product. But there is a problem installing the active version. I have to contact their tech support.

0

These look like great tools. One thing that concerns me is that there is a virus that Ewido keeps finding. I would think that running it once would clean the computer and if I run the program again it will not find it. There seems to be something that keeps putting a virus on my system.

0

Thank you. I will post it when I get home :) Right now ewido is running and it takes a while to complete.

0
Logfile of HijackThis v1.99.1
Scan saved at 6:51:34 PM, on 3/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Documents and Settings\Bill\Desktop\ssf-snr-a-setup1_0.exe
C:\DOCUME~1\Bill\LOCALS~1\Temp\is-3PFIA.tmp\is-4C5M6.tmp
C:\Documents and Settings\Bill\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [gggel] C:\WINDOWS\system32\krulke.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\fncfg.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe




---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          6:52:03 PM, 3/24/2006
 + Report-Checksum:     5B2BB195

 + Scan result:

    [480] C:\WINDOWS\system32\uxrrtosa.dll -> Adware.Look2Me : Error during cleaning
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Bill\Local Settings\Temp\Cookies\bill@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.6:...s2nch8mh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.7:...s2nch8mh.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.8:...s2nch8mh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.9:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.10:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.11:...s2nch8mh.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.12:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.13:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.14:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.15:...s2nch8mh.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
    :mozilla.16:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.17:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.18:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.19:...s2nch8mh.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.20:...s2nch8mh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.21:...s2nch8mh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.22:...s2nch8mh.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.28:...s2nch8mh.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.29:...s2nch8mh.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.30:...s2nch8mh.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
    :mozilla.31:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.32:...s2nch8mh.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
    :mozilla.33:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.34:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.35:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.36:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.37:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.38:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.39:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.40:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.41:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.42:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.43:...s2nch8mh.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.44:...s2nch8mh.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.45:...s2nch8mh.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.46:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.47:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.48:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.49:...s2nch8mh.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
    :mozilla.53:...s2nch8mh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.54:...s2nch8mh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.55:...s2nch8mh.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.62:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.63:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
    :mozilla.73:...s2nch8mh.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.77:...s2nch8mh.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
    :mozilla.78:...s2nch8mh.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.82:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.83:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.84:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.85:...s2nch8mh.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.87:...s2nch8mh.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.94:...s2nch8mh.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
    :mozilla.96:...s2nch8mh.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
    :mozilla.97:...s2nch8mh.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\System Volume Information\_restore{66783AE0-D228-45B1-B07B-87ECDBEA3460}\RP52\A0015175.dll -> Downloader.Qoologic.bj : Cleaned with backup


::Report End

Edited by mike_2000_17: Fixed formatting

0

Well, I have some good news. Now I have gotten Webroot Spy Sweeper's complete version to run!

0

Good! Now let it finish, then post a new HJT log, and we will finally finish getting you cleaned!

0

The Spy Sweeper currently says no adware or unwanted items found. The ewido anti-virus program seems to keep finding stuff even after it has been run previously.

I think I see what might be the cause of the problems. I will bold it below.

Here is the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 8:20:39 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bill\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\q4rqle951h.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
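The four HijackThis logs posted so far can be compared mechanically to see which Winlogon hooks survive every cleanup pass and which change between scans. The following is an added example, not part of any post in this thread; the F2 and O20 lines in `SCANS` are copied from the logs above, and the function names are made up for the illustration.

```python
import ntpath
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O20 - <body>"
F2_RE = re.compile(r"^REG:system\.ini: (\w+)=(.*)$")        # Winlogon Shell / UserInit
O20_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")     # notify key name and DLL path

# Windows XP defaults for the two Winlogon values HijackThis reports as F2.
WINLOGON_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

USERINIT = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lwstujl.exe"
SHELL = r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bclpk.exe"

# F2/O20 lines copied from the four logs in this thread, keyed by scan time.
SCANS = {
    "3/22/2006 7:22 PM": [SHELL, USERINIT,
        r"O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\j0n20a5oed.dll"],
    "3/22/2006 8:00 PM": [SHELL, USERINIT,
        r"O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\ktpol7731.dll"],
    "3/24/2006 6:51 PM": [USERINIT,
        r"O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\fncfg.dll"],
    "3/25/2006 8:20 AM": [USERINIT,
        r"O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\q4rqle951h.dll",
        r"O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll"],
}


def parse_entry(line):
    """Split a HijackThis result line into (section code, body); None for other lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def winlogon_extras(body):
    """Return (value name, program) pairs an F2 line carries beyond the Windows default.

    Only the file name is compared, so a renamed copy in another directory
    would need a full-path check on top of this.
    """
    m = F2_RE.match(body)
    if not m:
        return []
    allowed = WINLOGON_DEFAULTS.get(m.group(1).lower(), set())
    programs = [p.strip() for p in m.group(2).split(",") if p.strip()]
    return [(m.group(1), p) for p in programs
            if ntpath.basename(p).lower() not in allowed]


def autostart_findings(lines):
    """Collect non-default Winlogon programs (F2) and notify DLLs (O20) from one scan."""
    findings = set()
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        code, body = entry
        if code == "F2":
            for key, prog in winlogon_extras(body):
                findings.add(("F2", key, prog.lower()))
        elif code == "O20":
            m = O20_RE.match(body)
            if m:
                findings.add(("O20", m.group(1), m.group(2).lower()))
    return findings


def compare_scans(scans):
    """Return (entries present in every scan, entries present in exactly one scan)."""
    per_scan = [autostart_findings(lines) for lines in scans.values()]
    persistent = set.intersection(*per_scan)
    seen_once = {f for f in set.union(*per_scan)
                 if sum(f in s for s in per_scan) == 1}
    return persistent, seen_once


if __name__ == "__main__":
    persistent, seen_once = compare_scans(SCANS)
    print("In every scan:")
    for f in sorted(persistent):
        print("  ", f)
    print("In one scan only:")
    for f in sorted(seen_once):
        print("  ", f)
```

The output is a triage list, not a verdict: an entry seen in only one scan may also come from software installed between scans, so each one still has to be checked by hand.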

0

That log looks pretty short. If you have disabled stuff from running at startup, re-enable them, reboot and post a new log.

As far as Explorer.exe goes, that is a critical Windows file. It is what you use to navigate your computer.

0

That log looks pretty short. If you have disabled stuff from running at startup, re-enable them, reboot and post a new log.

As far as Explorer.exe goes, that is a critical Windows file. It is what you use to navigate your computer.

So I just found out the hard way when I stopped it as a process :o

I ran ewido anti-malware. I found that the 162 in the list are actually mostly Firefox cookies except for this one:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:14:12 PM, 3/25/2006
+ Report-Checksum: AAE87EDE

+ Scan result:

[1568] C:\WINDOWS\system32\imetmib1.dll -> Adware.Look2Me : Error during cleaning
[1740] C:\WINDOWS\system32\imetmib1.dll -> Adware.Look2Me : Error during cleaning

I am going to restart in safe mode and see if I can get a clean slate and then try in normal mode once more....

0

Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, click the Remove L2M button.
--You will receive a Done Scanning message, click OK.
--When completed, you will receive this message: Done removing infected files! --Look2Me-Destroyer will now shutdown your computer, click OK.
--Your computer will then shutdown.
--Turn your computer back on.
--Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

0

Heh, I knew there was a specific program to use to remove it. I just couldn't remember it.

Well, I know for next time. :)

0

That log looks pretty short. If you have disabled stuff from running at startup, re-enable them, reboot and post a new log.

As far as Explorer.exe goes, that is a critical Windows file. It is what you use to navigate your computer.

It looks like I am infected with Look2Me virus. Any advice in getting rid of it?

I have run a couple of anti-virus programs and they say they have found it and cleaned it, but it is still there. I have run the programs you suggested in safe mode, but it still remains.

0

Symantec has a little removal fix that worked pretty good for me. I used all the spyware and said it was clean, but the problem still existed until I ran FxNdotN.exe. Spybot couldn't clean it and kept finding it. After that, and I think I had to physically delete the key from the registry (Symantec gave those instructions also), everything was back to normal. Hope you get it fixed!

Cassaundra

0

They are not having NewDotNet problems, they have a Look2Me infection :)

Look2Me Destroyer should get it, if not there are other ways of removing it...
