
POPUPS GONE CRAZY HELP [RESOLVED]


  • This topic is locked

#1
jmarten

  • Member
  • 15 posts
Hello, I just formatted my hard drive and started fresh. I got my internet working and haven't yet installed anything else. I was looking at some stuff on the internet and then all of a sudden all these popups started coming, and I have all this adware and stuff. I need help to get rid of it fast. I have run Disk Cleanup, Spybot, and Ad-Aware, and there is always some file that can't be deleted until I restart, and it runs again, but they are never gone. Please help, I just want it working well so I can put everything back on it. Here is my HijackThis log. Please help fast.

Logfile of HijackThis v1.99.1
Scan saved at 2:05:50 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jayme\My Documents\Unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop...an/pestscan.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\hrn6055se.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet, please allow it.

If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive...ib/MSWINSCK.OCX

#3
jmarten

  • Topic Starter
  • Member
  • 15 posts
Hello, I did what you said and didn't get any error. Here are my logs.

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/23/2006 3:21:18 PM

Infected! C:\WINDOWS\system32\s8puli7918.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002360.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002362.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002397.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001845.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001854.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001884.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001891.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001924.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001932.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001938.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001946.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001969.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001973.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001979.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002011.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002015.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002046.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002053.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002110.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002123.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002124.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002134.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002135.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002295.dll
Infected! C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002299.dll
Infected! C:\WINDOWS\system32\cJtsrvps.dll
Infected! C:\WINDOWS\system32\jt8q07l5e.dll
Infected! C:\WINDOWS\system32\s8puli7918.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\s8puli7918.dll
C:\WINDOWS\system32\s8puli7918.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002360.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002360.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002362.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002362.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002397.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP10\A0002397.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001845.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001845.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001854.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001854.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001884.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001884.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001891.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001891.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001924.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001924.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001932.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001932.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001938.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001938.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001946.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001946.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001969.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001969.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001973.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001979.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0001979.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002011.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002011.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002015.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002046.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002046.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002053.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002053.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002110.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002110.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002123.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002123.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002124.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002124.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002134.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002134.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002135.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002135.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002295.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002295.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002299.dll
C:\System Volume Information\_restore{EF130EF3-5310-465D-8958-0FA924742A92}\RP8\A0002299.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cJtsrvps.dll
C:\WINDOWS\system32\cJtsrvps.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jt8q07l5e.dll
C:\WINDOWS\system32\jt8q07l5e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s8puli7918.dll
C:\WINDOWS\system32\s8puli7918.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{A0D15FD8-7428-4EF3-B300-B1FF280B9B9E}"
HKCR\Clsid\{A0D15FD8-7428-4EF3-B300-B1FF280B9B9E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AA048B61-1378-451A-A276-7010AD6BA601}"
HKCR\Clsid\{AA048B61-1378-451A-A276-7010AD6BA601}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{42DD3D61-AC6E-4153-8CF3-0044E282670F}"
HKCR\Clsid\{42DD3D61-AC6E-4153-8CF3-0044E282670F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{19BA48A7-0EB8-430C-9291-728B2C6D2AC0}"
HKCR\Clsid\{19BA48A7-0EB8-430C-9291-728B2C6D2AC0}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



Logfile of HijackThis v1.99.1
Scan saved at 3:24:25 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jayme\Desktop\Clean Up Stuff\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop...an/pestscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

#4
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Looks like we got it, your log looks good. :whistling:

Is everything running ok now?
  • 0
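
The before/after comparison behind "your log looks good", as an added example that is not part of the original thread: it parses the numbered entry lines of two HijackThis logs and reports which entries disappeared and which are new. The sample lines are a subset copied from the two logs posted above; the function names are this example's own.

```python
import re

# Subset of lines copied from the two HijackThis logs in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\rundll32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\hrn6055se.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
"""
AFTER = r"""
Running processes:
C:\WINDOWS\system32\wuauclt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
"""

# An entry line starts with a section code such as O4, O20 or O23, then " - ".
# Header lines and the "Running processes" paths (C:\...) do not match.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return the set of (section, detail) pairs for every entry line in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Return (removed, added): entries only in the first log, entries only in the second."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

def removed_in_section(before, after, section):
    """Details of entries in one section (e.g. "O20") that are gone in the second log."""
    removed, _ = diff_logs(before, after)
    return [detail for sec, detail in removed if sec == section]

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for sec, detail in removed:
        print("gone :", sec, "-", detail)
    for sec, detail in added:
        print("new  :", sec, "-", detail)
```

Run against the full logs in this thread, the same diff shows the O20 Winlogon Notify entry from the first log is absent from the second, alongside the entries added by the security software installed in between.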

#5
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





