
I have a VIRUS!! HELP!

Discussion in 'Virus & Other Malware Removal' started by Smurfette, Apr 17, 2004.

  1. Smurfette (Thread Starter; joined Aug 2, 2003; 144 messages)
    I have a virus that is called adware.look2me. I have run Norton AntiVirus umpteen times. It is up to date and newly installed. I have tried everything. I have Spybot and Ad-aware 6.0. It seems people usually tell me to download those, but I already have them.

    Thanks so much for any help you can give, Tammy
     
  2. Smurfette (Thread Starter; joined Aug 2, 2003; 144 messages)
    Also, I have gone and tried to delete the file. It says "Cannot delete artiveds.cpy: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

    Thanks again, Tammy
     
  3. dai (joined Mar 6, 2003; 11,198 messages)
    Post a HijackThis log.
     
  4. Smurfette (Thread Starter; joined Aug 2, 2003; 144 messages)
    Hi, thanks for replying. Here is my HijackThis log.

    Thanks, Tammy



    Logfile of HijackThis v1.97.2
    Scan saved at 4:13:01 AM, on 4/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\KeyText\KeyText.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Common Files\Symantec Shared\Nmain.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tammy Dunbar\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: KeyText.lnk = C:\Program Files\KeyText\KeyText.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: ComcastHSI (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://domino03.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet/euchre/euchre-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://temp36.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://temp92.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Keno by pogo - http://keno.pogo.com/applet/keno/keno-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet/pebble/pebble-ob-assets.cab
    O16 - DPF: Perfect Passer by pogo - http://perfectpasser01.pogo.com/applet/perfectpasser/perfectpasser-ob-assets.cab
    O16 - DPF: Pirate's Gold by pogo - http://swashbucks11.pogo.com/applet/piratesgold/piratesgold-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit09.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Sawgrass Golf by pogo - http://sawgrass.pogo.com/applet/sawgrass/sawgrass-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: Spades by pogo - http://spades03.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://sweet07.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem07.pogo.com/applet/holdem/holdem-ob-assets.cab
    O16 - DPF: Top Down Baseball by pogo - http://topdown02.pogo.com/applet/topdown/topdown-ob-assets.cab
    O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://temp36.pogo.com/applet/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://turbo16.pogo.com/applet/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass/worldclass-ob-assets.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
    O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GINWORDSSINGLE Class) - http://66.98.132.156/g_bin_eng/wordssingle_2_0_0_22.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GINMAHJONG Class) - http://66.98.132.156/g_bin_eng/mahjong_2_0_0_10.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
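
Triage of a HijackThis log like the one above, as an added example that is not part of the thread and not HijackThis code. It parses the R/O section lines and the "Running processes" list, counts O16 ActiveX downloads per host, lists the O4 Run-key autoruns, and flags O16 controls fetched from a bare IP address instead of a hostname (in the log above, the two 66.98.132.156 entries). That flag is this example's own heuristic, not a HijackThis rule and not a verdict on those controls. The excerpt embedded in the script is constructed from a few lines of the posted log.

```python
"""Triage helper for a HijackThis 1.97-style log.

Added example: not part of the thread and not HijackThis code. SAMPLE_LOG is
a constructed excerpt of the posted log; the bare-IP flag in flag_o16() is
this example's own heuristic, not a HijackThis rule.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed excerpt in HijackThis log format (a few lines of the post above).
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\\..\\Run: [BJCFD] C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - Startup: KeyText.lnk = C:\\Program Files\\KeyText\\KeyText.exe
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades03.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GINWORDSSINGLE Class) - http://66.98.132.156/g_bin_eng/wordssingle_2_0_0_22.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
O16_RE = re.compile(r"^DPF: (?P<name>.*?) - (?P<url>\S+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_log(text):
    """Return (running processes, {section: [entry body, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group("sec")].append(m.group("body"))
    return processes, entries


def o16_hosts(entries):
    """Count O16 ActiveX downloads per host: who has supplied code to this IE."""
    hosts = Counter()
    for body in entries.get("O16", []):
        m = O16_RE.match(body)
        if m:
            hosts[urlparse(m.group("url")).hostname or "?"] += 1
    return hosts


def flag_o16(entries):
    """O16 entries whose download host is a bare IPv4 address.

    Heuristic: a control pulled from a raw IP has no hostname anyone is
    accountable for. It is a reason to look, not proof the control is hostile.
    """
    flagged = []
    for body in entries.get("O16", []):
        m = O16_RE.match(body)
        if m and IPV4_RE.match(urlparse(m.group("url")).hostname or ""):
            flagged.append((m.group("name"), m.group("url")))
    return flagged


def autoruns(entries):
    """O4 Run-key entries as (hive, label, command); Startup-folder lines are skipped."""
    out = []
    for body in entries.get("O4", []):
        m = O4_RE.match(body)
        if m:
            out.append((m.group("hive"), m.group("label"), m.group("cmd")))
    return out


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(f"{len(procs)} running processes; sections present: {sorted(ents)}")
    for host, n in o16_hosts(ents).most_common():
        print(f"O16 {n:2d} control(s) from {host}")
    for name, url in flag_o16(ents):
        print(f"LOOK: O16 {name} <- {url}")
    for hive, label, cmd in autoruns(ents):
        print(f"O4 {hive} [{label}] {cmd}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the per-host count is the quickest way to see that dozens of O16 lines are really one or two game sites, and the Run-key list is what to compare against what the user recognises.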
     
  5. dai (joined Mar 6, 2003; 11,198 messages)
    You need one of the experts to look at the log.
    I gather all the O16 items are games you have downloaded.
    I cannot see the item you are worried about in the log; it is probably in System Restore.
    Turn off System Restore and turn it back on again to clean it out.
    Reboot and run your virus checker and see if it still picks it up after cleaning restore.
     
  6. Smurfette (Thread Starter; joined Aug 2, 2003; 144 messages)
    TY Dai for replying!! Experts, help me out!! Pretty please!! lol

    Thanks, Tammy
     
  7. dai (joined Mar 6, 2003; 11,198 messages)
    I have asked someone to have a look.
     
  8. Smurfette (Thread Starter; joined Aug 2, 2003; 144 messages)
    Does NAV show where it's located? Could be in XP's backup file. Try clearing your restore points:


    I have tried restoring and everything. I'm about to go crazy. The file is located at C:\WINDOWS\SYSTEM32\artiveds.cpy.dll. The virus is called adware.Look2Me. When I go in and try to delete artiveds.cpy.dll, it gives me the following message: "Cannot delete artiveds.cpy: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I still need help! :(

    Thanks, Tammy
     
  9. colmaca (joined Jul 11, 2003; 1,429 messages)
    How do I Remove Look2Me?

    Because the software highly integrates itself with Explorer, it can be hard to remove. Included below is a basic manual removal method for Look2Me as well as an excellent Visual Basic Script that can be run to help remove it.

    Follow the instructions below to remove Look2Me

    Click on Start, Run, and type REGEDIT and click Ok to start the Registry Editor

    Now open the Windows Task Manager

    On Windows 95/98/ME, press CTRL+ALT+DEL
    On Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the Task Manager if needed, and click on the Processes tab

    In the list of programs, click on EXPLORER.EXE and select End Task or End Process. Repeat this procedure until no explorer.exe process is running (The Start Menu, Task Bar, and System Tray will disappear)

    Select the Registry Editor (you may have to press ALT + Tab)

    Delete the following registry keys if they exist

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

    Close the Registry Editor

    Restart your computer

    Now open My Computer and Drive C, open the Windows directory, and then the System directory
    Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Delete all files that look similar to the following, where * represents a letter or number

    msg{********-****-****-****-************}****.dll

    Open Internet Explorer

    Click Tools, Internet Options

    Click the Programs tab and then click Reset Web Settings to restore default settings for home page, search page, and other settings.

    For Automatic Removal of Look2Me (option 1)

    Download and run the program Killbox created by Option^Explicit Software Solutions.
    or
    Download and run the program Kill2Me from Merijn.
    http://www.spywareinfo.com/~merijn/downloads.html
    For Automatic Removal of Look2Me (option 2)

    Download the following Visual Basic script provided by Mosaic1, a member of Spywareinfo, and save it to c:\removel2me.vbs

    Look2Me Removal Program

    This is a Visual Basic Scripting file, so you'll have to have the Windows Scripting Host installed. You can download the following file to disable or re-enable the Windows Scripting Host.

    noscript.exe

    Now open the Windows Task Manager

    On Windows 95/98/ME, press CTRL+ALT+DEL
    On Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the Task Manager if needed, and click on the Processes tab

    In the list of programs, click on EXPLORER.EXE and select End Task or End Process. Repeat this procedure until no explorer.exe process is running (The Start Menu, Task Bar, and System Tray will disappear)

    Click the Applications tab, click the New Task Button, and type the path to the script you saved.

    c:\removel2me.vbs

    Click Ok

    Click Shutdown on the Task Manager toolbar and scroll down to Restart your computer.
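
The manual removal steps above, turned into a checkable plan, as an added example that is not part of the thread, of the removal guide, or of Killbox/Kill2Me. The order it enforces is the point of the guide: explorer.exe has to be stopped before the file deletes, because a DLL registered as an approved shell extension is loaded into Explorer and an in-use DLL cannot be deleted, which is exactly the "Access is denied ... currently in use" error the original poster hit. Two things in it are this example's own assumptions: the guide's second "key" is treated as a value named by the CLSID under Shell Extensions\Approved (that key holds values, not subkeys), and because the artiveds.cpy.dll the poster named does not fit the msg{GUID}****.dll pattern, extra file names can be passed explicitly. The System32 listing used for the demo is constructed; nothing is touched unless --apply is given on Windows.

```python
"""Dry-run planner for the manual Look2Me removal steps in the post above.

Added example; not code from the thread, the guide, or any removal tool.
SAMPLE_SYSTEM32 is a constructed listing. The Approved-value handling and the
extra_names escape hatch are this example's own additions (see lead-in).
"""
import os
import re
import subprocess
import sys

# CLSID named in the removal guide above.
LOOK2ME_CLSID = "{DDFFA75A-E81D-4454-89FC-B9FD0631E726}"
CLSID_KEY = r"HKLM\SOFTWARE\Classes\CLSID\%s" % LOOK2ME_CLSID
# "Approved" holds REG_SZ values named by CLSID, so the second item the guide
# lists as a key is removed as a value under this key (this example's reading).
APPROVED_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"

# The guide's pattern msg{********-****-****-****-************}****.dll,
# where each * is a letter or digit.
GUID_DLL_RE = re.compile(
    r"^msg\{[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\}"
    r"[0-9A-Za-z]{4}\.dll$"
)

# Constructed System32 listing for the demo; the msg{...} name is made up.
SAMPLE_SYSTEM32 = [
    "kernel32.dll",
    "msgina.dll",
    "msg{1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D}9f3a.dll",
    "artiveds.cpy.dll",  # the poster's file; it does not fit the guide's pattern
]


def is_look2me_dll(name, extra_names=()):
    """True for names matching the guide's pattern or listed explicitly."""
    if GUID_DLL_RE.match(name):
        return True
    return name.lower() in {n.lower() for n in extra_names}


def plan(system32_listing, extra_names=()):
    """Build the removal plan without touching the machine.

    Order matters: explorer.exe must be gone before the file deletes, because
    the shell extension DLL is loaded into Explorer and an in-use DLL cannot
    be deleted (the "Access is denied ... currently in use" error above).
    """
    files = sorted(n for n in system32_listing if is_look2me_dll(n, extra_names))
    return {
        "kill": ["explorer.exe"],
        "reg_keys": [CLSID_KEY],
        "reg_values": [(APPROVED_KEY, LOOK2ME_CLSID)],
        "files": files,
    }


def apply_plan(p, system32_dir):
    """Execute the plan on Windows with taskkill and reg.exe; reboot by hand afterwards."""
    if sys.platform != "win32":
        raise RuntimeError("apply_plan only runs on Windows")
    subprocess.run(["taskkill", "/F", "/IM", p["kill"][0]], check=False)
    for key in p["reg_keys"]:
        subprocess.run(["reg", "delete", key, "/f"], check=False)
    for key, value in p["reg_values"]:
        subprocess.run(["reg", "delete", key, "/v", value, "/f"], check=False)
    for name in p["files"]:
        os.remove(os.path.join(system32_dir, name))
    print("Done. Restart the computer now, then reset IE web settings as the guide says.")


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    if apply:
        sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        listing = os.listdir(sys32)
    else:
        sys32, listing = "(sample listing)", SAMPLE_SYSTEM32
    p = plan(listing, extra_names=["artiveds.cpy.dll"])
    for step, items in p.items():
        print(f"{step}: {items}")
    if apply:
        apply_plan(p, sys32)
```

Without --apply the script only prints the plan, which is the form to post back to a thread like this one before anything is deleted; with --apply it runs taskkill and reg.exe, both standard on Windows XP and later, and leaves the reboot to the user as the guide does.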
     
  10. mobo (joined Feb 23, 2003; 16,274 messages)
    dai was right in his analysis that it may be left over in the System Volume folder, so turning off System Restore, along with emptying the virus quarantine folder and then rebooting, should take care of it. Then re-enable the restore feature after rebooting.
     
Short URL to this thread: https://techguy.org/221158
