I am running WinXp, getting lots of reoccurring popups (free floating and in tabs in Firefox) , SLOW performance and it seems to be system restoring to previous restore points by itself (installed new soundcard and it disappears/reappears - desktop icons appear/disappear - desktop display settings reorganise by itself) even after deleting System Restore points and now cannot create a new one.
I have checked multiple forums and spent the last two days pulling my hair. Anybody that can help with this would be really fantastic.
I have scanned with updated versions of the following:
Spybot S&D
SpywareBlaster
Ewido Anti-Malware
Spyware Doctor
CWShredder
Norton (just in case - nothing came?)
AVG (just in case - had stuff come up but says it cleaned it)
My Hijack This Log follows:
Thanks!
Ryan
Logfile of HijackThis v1.99.1
Scan saved at 10:01:15 PM, on 2/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\fxssvc.exe
C:\WINNT\System32\BRMFRSMG.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINNT\System32\MsgSys.EXE
C:\Documents and Settings\unknown\Desktop\HijackThis.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\main\launchpd.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Webshots\webshots.scr
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\WINNT\\main\launchpd.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\WINNT\TV\EXPLBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0A50726E-51A2-42BB-8392-98F050C40A10} (SkillJamLoader Class) - http://cashgames.ski...llJamLoader.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://cashgames.ski...com/ssp/SSP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\jtl2073oe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINNT\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: windows rom driver (windows cdrom) - Unknown owner - C:\WINNT\mscdex.exe (file missing)
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
And also for reference the Ewido Log where it couldn't clean "Adware.Look2Me" from the system:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 11:45:19 PM, 2/17/2006
+ Report-Checksum: A280EA7
+ Scan result:
[2004] C:\WINNT\system32\LITWN11N.DLL -> Adware.Look2Me : Error during cleaning
[276] C:\WINNT\system32\LITWN11N.DLL -> Adware.Look2Me : Error during cleaning
C:\WINNT\system32\mvjql9151.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__dxgest.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__LYFIL11N.DLL -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\g004ladq1d0e.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__cietcfg.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\__delete_on_reboot__meidpe.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\unknown\Local Settings\Temporary Internet Files\Content.IE5\YP1EJI5K\AppWrap[1].exe -> Adware.Zestyfind : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\unknown\Cookies\unknown@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WHCXSFYZ\drsmartload[1].exe -> Downloader.VB.wr : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\8LABCDER\d72[1].exe -> Downloader.Adload.q : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\8LABCDER\visfx500[1].exe -> Dropper.Agent.aie : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\ER0H61KV\fran-forever[1].exe -> Adware.EZula : Cleaned with backup
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\ER0H61KV\boost[1].exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\Recycled\Dc2.exe -> Downloader.VB.wr : Cleaned with backup
C:\System Volume Information\_restore{BC19EA0D-E7D9-4772-B98C-B43202222515}\RP1\A0000002.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{BC19EA0D-E7D9-4772-B98C-B43202222515}\RP1\A0000007.dll -> Adware.Look2Me : Cleaned with backup
::Report End
Edited by RAWR, 17 February 2006 - 10:51 PM.