• ### Announcements

• #### IE 11 copy/paste problem

It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Followers 0

# My computer has been taken over by malware

## 2 posts in this topic

Okay, so i'm going to try and make this as quick and concise as possible:

----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7

Scan saved at 8:33:16 AM, on 7/6/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe

C:\PROGRA~1\NORTON~1\NORTON~4\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

C:\PROGRA~1\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\inetsrv\inetinfo.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Common Files\WinTools\WSup.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Common Files\WinTools\WToolsA.exe

C:\WINNT\system32\svchost.exe

\Server\My Documents\Setup_Software Packages\Spyware Setup\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - Default URLSearchHook is missing

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [Mix 4] C:\PROGRA~1\Spam Draw Copy\Defy Wait.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{F47AB357-E1D5-46DE-8F41-C20784820640}: NameServer = 216.219.253.211,216.219.254.10,209.130.136.2,206.165.50.10

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.com

-------------------------------------------------------------------------------------------

The only recent thing that I did before all this happened was I upgraded to the most recent version of Norton Systemworks. It said I had 2 quarentine files and did I want to delete them. I said yes and I reboot my system after upgrading like it said to and couldn't log in to my domain, it kept rebooting. I logged in under the administrator on my local machine and did a scan and found 13 virus/malware infections when before there were none.

I hope someone can help me get rid of all this because I'm afraid that I'll have to save as much data as I can otherwise and reformat my harddrive if I can't because it's really cutting into my production time at work.

Thanks in advance and get back as soon as possible.

JT

##### Share on other sites

Okay, so I read through the pinned post about reading your HijackThis log and analyzing it yourself. It was very informative and I got rid of pretty much all the bad stuff on it. It stopped the autoloading of www.look2me.com so far but the only thing I couldn't get rid of was the section that says:

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

I couldn't get rid of it in HijackThis, I couldn't end the process from the Task Manager for this item:

C:\Program Files\Common Files\WinTools\WToolsA.exe

and I couldn't physically delete the files that are there using Windows Explorer to find them. The only other thing I can think of to do is restart my computer in Safe Mode and try removing it from there because as my understanding of safe mode goes, no processess (or very little) are running so maybe i'll be able to remove it that way.

I'm still receiving the BHO popup for the WToolsB.dll but that's probably because of the previously mentioned issue. It popsup about very minute or so.

Any help anyone can give would be appreciated. Thanks everyone!

JT