Any Volunteers To Help Me?


  • This topic is locked
8 replies to this topic

#1 givemeaclue

givemeaclue

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 01 November 2005 - 08:30 PM

I recently bought a new laptop and, due to inexperience with computers, I have allowed a legion of viruses, worms and never-ending problems onto my system. I have spent the last few days trying to kick them all out, but my task is proving to be impossible - the worms always seem to come back, especially W32 spybot.

I have used Norton, Spyware Doctor, Ad-Aware SE, Spybot - Search and Destroy and CW-Shredder and I still can't get rid of the virus. The tools seem to remove it temporarily, but as soon as I connect to the net it comes back. Slow running of the system, annoying pop-ups and an ever-disturbing list of hidden files under the folder C:\Documents and Settings\My Name\Complete (which I cannot delete) are some of the problems I'm experiencing.

As a last resort I have downloaded HijackThis, but to be honest, I haven't got a clue what the results of the scan mean. I would be grateful if any of you guys could help me. Here's the logfile:


Logfile of HijackThis v1.99.1
Scan saved at 01:23:42, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\windows\sp2update00.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\winlogi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MARCRO~1\LOCALS~1\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130411753906
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ir60l5jm1.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:57 PM

Posted 02 November 2005 - 01:06 AM

Hello and welcome to BC! :thumbsup:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under to "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Hi there, stranger!

#3 givemeaclue

givemeaclue
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 02 November 2005 - 06:46 AM

Thanks for the tip, Rawe! That SpySweeper seems to really work! I followed your directions and the annoying pop-ups have stopped. However, I did not manage to save the session log... (sorry) The program said it needed to shut down the computer in order to delete some of the infected files, and before I realized it was already too late to copy the log... Is that a problem?

The pop-ups are now sorted, but I recently scanned the computer with Norton and Ad-Aware SE and they still detect W32 viruses. Is there anything else I can do?

The hidden files still exist. I keep deleting them, but they keep piling up for as long as my computer is connected to the network. They are in the folder C:\Documents and Settings\My Name\Complete, and they are all zipped files of the same size. Is that file a result of LimeWire? I no longer have LW installed, but that folder won't disappear.

In case it's of any use, here the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:19, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\MARCRO~1\LOCALS~1\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130411753906
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks for your help!!

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:57 PM

Posted 02 November 2005 - 08:49 AM

You still have some infections.. And I'm not surprised really. I'm glad the popups are sorted though :thumbsup:

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb-cureit:
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner, click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian, who has now turned green.
Click on the green man in the right corner; it will scan ALL your drives. Hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished.
Hi there, stranger!

#5 givemeaclue

givemeaclue
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 02 November 2005 - 06:41 PM

Hi again, Rawe! Sorry I've not been in touch for a while...Had to shoot to work earlier today...

God! My computer is like honey to bees - viruses seem to love it!! I've scanned it with DrWeb and deleted all the infections (there were quite a few) and then rebooted it. Here's the new logfile for HJT:

By the way, thank you ever so much for your help. You are a star, mate!!

Here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:34:21, on 03/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\acer\epm\epm-dm.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\HJT folder\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130411753906
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:57 PM

Posted 03 November 2005 - 12:56 AM

Almost finished..

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Next, launch HijackThis and run a scan with it. Check the following objects for removal if present:

O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe


Now close ALL open windows except for HijackThis and hit FIX CHECKED.

Do a search for the following file and delete if found:

winlogi.exe

Finally, reboot into normal mode and post the Ewido log along with a fresh HijackThis log. :thumbsup:
Hi there, stranger!
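The fix in the post above picks the two winlogi.exe O4 lines out of the log by eye. As an added example that is not part of this thread and not a tool from HijackThis or BleepingComputer, the Python script below parses the O4 and O20 lines of a HijackThis 1.99-format log and surfaces the cues a helper looks for: an autostart given as a bare filename rather than a full path (Windows then resolves it through the search path, so a file dropped into the Windows directory under an unfamiliar name runs without a path ever appearing in the log), a RunServices entry (a Windows 9x key that Windows XP does not process, so droppers that write both Run and RunServices show up twice), the same name registered under both keys, and a Winlogon Notify DLL whose name looks random. The heuristics are my own assumptions, and the sample lines are copied from the first log in this thread. The output is a list to review, not a verdict: a legitimate bare-name entry from the same log is listed too, which is exactly why the cue needs a human reader.

```python
"""Triage helper for HijackThis 1.99 'O4' (autostart) and 'O20' (Winlogon
Notify) log lines.  Added example; not HijackThis code.  The scoring rules
are assumptions chosen to match what a log reader checks by hand."""
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the first log in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\ir60l5jm1.dll
"""

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): \[(.*?)\] (.*)$")
# O20 - Winlogon Notify: <name> - <dll path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.*?) - (.*)$")


def command_path(command):
    """Return the executable part of an O4 command, dropping arguments.
    A quoted path is taken up to the closing quote; otherwise the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def looks_random(stem):
    """Assumed heuristic: a file stem that switches between letters and digits
    three or more times (e.g. ir60l5jm1) reads as generated, not as a vendor name."""
    kinds = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b) >= 3


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every O4/O20 line worth a look."""
    names_by_key = defaultdict(set)  # autostart name -> set of keys it appears under
    parsed = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            names_by_key[name].add(key)
            parsed.append(("O4", line, key, name, command_path(command)))
            continue
        m = O20_RE.match(line)
        if m:
            parsed.append(("O20", line, None, m.group(1), m.group(2)))

    findings = []
    for kind, line, key, name, path in parsed:
        reasons = []
        if kind == "O4":
            if "\\" not in path:
                reasons.append("bare filename, resolved through the search path")
            if key.startswith("RunServices"):
                reasons.append("RunServices is a Windows 9x key; XP ignores it")
            if {"Run", "RunServices"} <= names_by_key[name]:
                reasons.append("same name under both Run and RunServices")
        else:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                reasons.append("Winlogon Notify DLL with random-looking name")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Feed it a whole saved log (`triage(open("hijackthis.log").read())`) and it lists only the O4/O20 lines that trip a rule, with the rule named; every other line type in the log is passed over untouched, so it complements rather than replaces reading the full log.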

#7 givemeaclue

givemeaclue
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 03 November 2005 - 03:44 AM

Hi, Rawe!
I followed your instructions for Ewido. It took forever to scan my computer, but I think it was well worth it.

Here are the new log files for Ewido and HJT respectively:

By the way, thanks again. Also, I have to dash to work in a minute, so sorry if I don't reply to you instantly.


ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 08:30:33, 04/11/2005
+ Report-Checksum: 46D280F

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0VTM0ID1\WinFixerScannerInstall[1].exe -> Not-A-Virus.Downloader.Agent.f : Cleaned with backup
C:\WINDOWS\Temp\Cookies\marc rovira@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\marc rovira@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Temporary Internet Files\Content.IE5\GL89SZYF\drsmartload_js[2].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Temporary Internet Files\Content.IE5\GLEXCN6D\drsmartload_js[2].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Temporary Internet Files\Content.IE5\KH1B3K9Z\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Cookies\marc rovira@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Cookies\marc rovira@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Cookies\marc rovira@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Cookies\marc rovira@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\Cookies\marc rovira@ad.yieldmanager[3].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\524926_512_4092_2588_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\459642_3352_536_1980_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\1246056_3736_536_3048_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\1050124_2900_536_3260_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\525816_3352_536_3332_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\263872_3352_536_4012_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temp\1573756_260_2684_3332_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temporary Internet Files\Content.IE5\KXQJKPE7\prompt[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Local Settings\Temporary Internet Files\Content.IE5\GTMB812J\launcher[1].exe -> Spyware.Maxifiles : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Cookies\marc rovira@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Cookies\marc rovira@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Cookies\marc rovira@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Cookies\marc rovira@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marc Rovira\Cookies\marc rovira@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Common Files\Download\mc-58-12-0000137.exe -> Spyware.Maxifiles : Cleaned with backup
C:\Program Files\MsMovies\p.zip/Video.exe -> TrojanDropper.WinAD.h : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP9\A0001810.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP11\A0002223.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP11\A0002238.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP11\A0002247.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP11\A0002305.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP11\A0002312.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP11\A0002537.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002627.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002641.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002653.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002656.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002672.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002687.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002690.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002707.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP12\A0002720.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002725.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002726.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002729.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002733.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002750.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002754.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002773.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002789.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002792.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002808.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002812.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002815.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002816.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002830.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002834.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002839.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002843.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002858.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002862.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002881.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002882.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002891.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002892.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002905.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002906.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002919.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002920.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002931.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP14\A0002934.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0002967.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0002968.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0002979.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0002980.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003007.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003011.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003021.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003041.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003044.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003079.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003198.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003218.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003219.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003237.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003240.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003257.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003260.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003261.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003278.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP15\A0003282.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003308.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003312.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003321.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003328.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003335.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003350.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003356.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003364.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003367.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP16\A0003382.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003394.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003404.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003408.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003436.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003449.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003454.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003461.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003476.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003477.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003478.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003481.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003500.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003520.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003521.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003533.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003534.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003593.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003594.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{5A642873-CC12-4861-8594-8E802081E708}\RP17\A0003595.dll -> Spyware.Look2Me : Cleaned with backup


::Report End



Here's the HJT:


Logfile of HijackThis v1.99.1
Scan saved at 08:34:39, on 04/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\HJT folder\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130411753906
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Is there anything else I should do?
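As an added example (not code from this thread or from either tool), a Python script that cross-checks the ewido "Cleaned with backup" paths against the HijackThis autostart entries: cleaning a payload file does not touch the O4 Run entry that launched it, so any entry whose folder was just cleaned deserves a second look before a log is called clean. The line formats are assumed from the two logs shown here, and the sample lines are excerpted from them.

```python
"""Cross-check an ewido 'Cleaned' report against HijackThis autostart entries: cleaning
a payload does not remove the O4 Run key / O23 service that launched it, so review those."""
import ntpath
import re

# Constructed sample input: lines excerpted from the two logs above.
EWIDO_REPORT = r"""
C:\Program Files\MsMovies\p.zip/Video.exe -> TrojanDropper.WinAD.h : Cleaned with backup
C:\Program Files\Common Files\Download\mc-58-12-0000137.exe -> Spyware.Maxifiles : Cleaned with backup
::Report End
"""
HJT_LOG = r"""
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
OTHER_RE = re.compile(r"^(?P<kind>O(?:2|3|20|23)) - (?P<body>.*)$")
EXE_RE = re.compile(r"\.(?:exe|dll|com|scr|bat)\b", re.IGNORECASE)

def executable_from_command(cmd: str) -> str:
    """Quoted part if quoted, else up to the first executable extension
    (handles unquoted paths with spaces such as the MsMovies entry)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.search(cmd)
    return cmd[: m.end()] if m else cmd

def parse_ewido(report: str) -> list[dict]:
    """One record per detection line; headers and blank lines are skipped."""
    records = []
    for line in report.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            # 'archive.zip/member.exe' is inside an archive; the on-disk object is the archive
            rec["disk_path"] = rec["path"].split("/", 1)[0]
            records.append(rec)
    return records

def parse_hjt(log: str) -> list[dict]:
    """Autostart entries (O2/O3/O4/O20/O23) with the path each one launches."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "name": m["name"],
                            "path": executable_from_command(m["cmd"])})
            continue
        m = OTHER_RE.match(line)
        if m:  # these lines end with ' - <path>'; the name follows the first ': '
            body = m["body"]
            entries.append({"kind": m["kind"],
                            "name": body.split(": ", 1)[-1].split(" - ")[0],
                            "path": body.rsplit(" - ", 1)[-1]})
    return entries

def correlate(report: str, log: str) -> list[dict]:
    """Autostart entries whose folder also holds a cleaned detection."""
    cleaned_dirs: dict[str, list[str]] = {}
    for rec in parse_ewido(report):
        cleaned_dirs.setdefault(ntpath.dirname(rec["disk_path"]).lower(), []).append(rec["detection"])
    hits = []
    for entry in parse_hjt(log):
        d = ntpath.dirname(entry["path"]).lower()  # '' for bare names such as Alaunch
        if d and d in cleaned_dirs:
            hits.append({**entry, "cleaned_here": sorted(set(cleaned_dirs[d]))})
    return hits
```

On the sample above the only hit is the `[MsMovies]` Run entry, whose folder is where `p.zip/Video.exe` was cleaned; bare names such as `Alaunch` have no folder and are skipped rather than matched.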

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:57 PM

Posted 03 November 2005 - 04:05 AM

Your log looks fine to me.. :thumbsup:

Let's clear out your restore points now.

Disable System Restore:

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" check box.
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Reboot.

Enable System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


Be sure to set a new restore point.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
  • EULAlyzer by Javacool <= No need to read End User License Agreements when installing software:

    # Discover potentially hidden behavior about the software you're going to install
    # Pick up on things you missed when reading license agreements
    # Keep a saved database of the license agreements you view
    # Instant results - super-fast analysis in just a second
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
Hi there, stranger!

#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:57 PM

Posted 03 November 2005 - 08:57 AM

Since this issue appears to be resolved, this Topic has been closed. If you need this Topic reopened, please PM a Staff member with the address of this thread and ask them. If you need any other help, feel free to start a new thread. Everyone else, please begin a New Topic. :thumbsup:
Hi there, stranger!



