Non-stop browser pop-ups...HJT log

By lifetimegig
Jun 13, 2005
Topic Status:
Not open for further replies.
  1. Please help, below is HijackThis log, began getting these popups couple days ago;

    Logfile of HijackThis v1.99.1
    Scan saved at 9:04:59 PM, on 6/12/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\SPAMfighter\SFAgent.exe
    c:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Maven\mavenAgent.exe
    C:\Program Files\Maven\mavenUpdater.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefaw32.exe
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Owner\My Documents\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
    O4 - HKCU\..\Run: [pxwma] C:\WINDOWS\System32\pxwma.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - Startup: Start Maven Updater.lnk = C:\Program Files\Maven\mavenUpdater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Start Maven Client.lnk = C:\Program Files\Maven\mavenAgent.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZZ
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1101322650875
    O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\m4460ehseh460.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  2. tdeg

    tdeg Newcomer, in training Posts: 348

    Go to housecall.trendmicro.com and run the beta scan.

    You need to be using Internet Explorer to go to the site though.

    Then install Ad-Aware and/or your favorite spyware blasting program.

    I think this may be the issue

    "O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe"
  3. Spike

    Spike Newcomer, in training Posts: 2,371

    Welcome to Techspot :)

    Straight away, I've picked out this...

    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe - My Web Search, an adware program.

    Please could you precisely follow the instructions provided by RealBlackStuff here, and then post a fresh HJT log as a txt attachment in this thread, and then we can all look again. :D

    I'm afraid Wtta.exe isn't the only problem here, and trendmicro.com probably won't be enough to get your machine clean again.
  4. tdeg

    tdeg Newcomer, in training Posts: 348

    I've had good luck with the beta scan on Trendmicro, it seems to pick up most of the spyware and remove it. Plus they update it fairly regularly.

    That said, them spyware people are tricky buggers and you usually need to use a couple of scanners to clean them all out.
  5. lifetimegig

    lifetimegig Newcomer, in training Topic Starter

    Thing will still not quit...

    Followed realblackstuff's instructions to a t, ran adaware and spybot in safe mode, also removed wtta.exe and anything related to mywebsearch ...thought I had it but it came back...attached is new hjt log from safe mode after running adaware and spybot again in safe mode....PLEASE HELP....

  6. Steve05

    Steve05 Newcomer, in training Posts: 51

    Hello and welcome to TechSpot Forum

    Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

    I see you have BroadJump on your system. This is the newer name for BroadJump Foundation Client (BJCFD) from BroadJump.com, now Motive. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. I suggest that you carry out the fixes indicated below but I would approach your ISP as soon as possible and ask them how to remove it and why they installed it in the first place. Do not attempt to uninstall the program yourself.

    Please download CleanUp. CleanUp! is a tool for taking care of all those uuencoded files on your system. This program will find and delete all temporary files that are taking up your disk space. I advise you to configure the software for better results and better understanding (don't run it yet).

    Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

    Reboot your system in Safe Mode (By continually tapping the F8 key, until the menu appears).

    Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefaw32.exe
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll


    Please remember to close all other windows, including browsers then click Fix checked.

    Run CleanUp and click Yes when asked to log off.

    Reboot in normal mode.

    If you have broadband or fast internet speed, please run an online scan at Trend Micro or RAV Antivirus.
    Please select the “autoclean” option when using Trend Micro.

    Please post a fresh Hijack This log so that we can check if your system is clean.
  7. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    My list of objectionable items looks slightly different:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitefaw32.exe
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
    O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\Owner\My Documents\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [pxwma] C:\WINDOWS\System32\pxwma.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\u6ru0g99e6.dll
  8. lifetimegig

    lifetimegig Newcomer, in training Topic Starter

    still getting loadingwebsite but better....

    the amount of popups has decreased significantly but still the darn loadingwebsite.com...attached is hjt file...
  9. Spike

    Spike Newcomer, in training Posts: 2,371

    VX2/Look2Me or Target Saver - O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE

    Unknown - O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\i6nmlg5116.dll



    Download L2MFix from http://www.atribune.org/downloads/l2mfix.exe

    I'm afraid I don't know this program, but it has apparently been successful for many others.

    I would suggest that you read this entire thread...
    http://www.short-media.com/forum/showthread.php?t=33544
    ... before doing anything, or else wait for further instructions here.

    (Note: if you use the Trojan Hunter scanner, L2Mfix is reported as a dialler, but that is in fact a false positive. See http://forum.misec.net/board/TrojanHunter/1115660474)
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    n20050308.EXE

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\i6nmlg5116.dll

    Now click on the Fix Checked button in HJT.
    When done, delete the highlighted bold files.

    Attention: the filename in the O20 may have changed. Delete whatever .dll you find there!

    If it still fails, get http://www.downloads.subratam.org/VX2Finder.exe and run that.
  11. lifetimegig

    lifetimegig Newcomer, in training Topic Starter

    VX2,HJT logs

    browser still launching by itself, attached most recent logs from hjt and vx2finder.

    O20 Winlogon Notify does keep changing, deleting whatever is there.

    This thing has been going on way too long, sorry for dragging it out, been away. Help much appreciated....
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Download Ewido Security Suite (trial) from http://www.ewido.net/en/download/
    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    Start Ewido. When you run it the first time, you get a warning "Database could not be found!". Click OK.
    On the main screen, click on Update in the left menu, then click the Start Update button.
    After the Update finishes, the status bar at the bottom will display "Update successful".
    -- If you have problems updating see here: http://www.ewido.net/en/download/updates/
    Once the updates are installed do the following:
    Click on Scanner
    Make sure the following boxes are checked before scanning:
    - Binder
    - Crypter
    - Archives
    Click on Start Scan and let Ewido scan the PC.
    While the scan is in progress, you will be prompted to 'Clean files', click OK
    When the scan is done, you'll find a Save report button at the bottom of the screen.
    Click 'Save report' and save it to your desktop.
    Reboot your PC and post back the Ewido Scanlog as a .txt attachment
  13. lifetimegig

    lifetimegig Newcomer, in training Topic Starter

    ewido scan report

    attached is scan from ewido however no options for binder, crypter, archives. did remove several though, mostly cookies. still getting single pop-ups...mostly loadingwebsite.com, lately also dirtyhippo.com, etc, random.
     
  14. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Can you post a new HJT log as .txt attachment?
  15. lifetimegig

    lifetimegig Newcomer, in training Topic Starter

    New hjt file

    Thanks for staying with this...a real pain recently is 'winfixer' that keeps popping up and tells you it's downloading itself, Zonealarm appears to deny it but still getting icons.
  16. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    n20050308.EXE <<== or whatever .EXE name is in that O4 line

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\WinFixer 2005\wfx5.exe

    Next, click Start/Run and type in:
    cmd and hit Enter
    regsvr32 /u dnlu0139e.dll and hit Enter <<== or whatever .DLL name is in that O20 line
    Exit the command window.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
    O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122591734093
    O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\dnlu0139e.dll
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.

    Your infection is of the Adware.Look2Me variant. Try this:
    http://sarc.com/avcenter/venc/data/adware.look2me.html
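
Posts 10 and 16 warn that the DLL named in the O20 Winlogon Notify line changes from scan to scan while the `tsvcin` Run entry stays put. The following added example (not part of any post in the thread, and not HijackThis's own code) diffs the O4 Run and O20 entries of two scans to separate stable entries from rotating ones; `SCAN_1` and `SCAN_2` are constructed from lines quoted in the thread, and all function names are this example's own.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str     # HijackThis section: "O4" (Run value) or "O20" (Winlogon Notify)
    name: str     # registry value name or Notify key name
    target: str   # command line or DLL path, lower-cased for comparison


# Only the two autostart sections the thread keeps returning to.
PATTERNS = {
    "O4": re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$"),
}

# Constructed samples: lines quoted in the thread, arranged as two successive scans.
SCAN_1 = r"""
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\m4460ehseh460.dll
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\i6nmlg5116.dll
"""


def parse_hjt(text):
    """Extract O4 Run and O20 Winlogon Notify entries from a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        for code, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.add(Entry(code, m["name"], m["target"].strip().lower()))
    return entries


def compare_scans(before, after):
    """Split autostart entries into persisted, removed and added between two scans."""
    old, new = parse_hjt(before), parse_hjt(after)
    return {
        "persisted": sorted(old & new),
        "removed": sorted(old - new),
        "added": sorted(new - old),
    }


def notify_rotation(before, after):
    """Return (dropped, appeared) O20 DLL paths.

    Both lists non-empty means a Notify DLL was swapped for a new one
    rather than removed, which is the behaviour described in posts 10 and 16.
    """
    diff = compare_scans(before, after)
    dropped = [e.target for e in diff["removed"] if e.code == "O20"]
    appeared = [e.target for e in diff["added"] if e.code == "O20"]
    return dropped, appeared


if __name__ == "__main__":
    for state, entries in compare_scans(SCAN_1, SCAN_2).items():
        for e in entries:
            print(f"{state:9} {e.code:3} {e.name:16} {e.target}")
    print("O20 rotation:", notify_rotation(SCAN_1, SCAN_2))
```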