Amaena Anti-virus pop up, plus random others


Ithlinae
« on: April 04, 2006, 02:32:57 AM »

Dear Knowledgeable Folk,

I've been following instructions from your site for the past two days, I tried removing the Blackworm (Symantec Blackworm removal tool says it's not there); I tried removing geeby.dll, it's not in the registry in safe mode; and finally, I found some .dll's that I can't remove, can't rename, because "the file is locked or is being used by another program."  I managed to locate them thanks to Spyware Doctor.  It also showed some registry values that never come up in HijackThis logs.  I deleted/fixed/renamed/modified everything I could find that was considered dangerous, but still the pop ups abound.  I remember seeing a post that said that even a format did not manage to get rid of this stuff.  I can't post a new hjt log at the moment, but as it doesn't display the files considered malicious by Spyware Doctor, I thought you guys might be able to suggest something else.  Thanks for all your help and time in advance.  Cheers :)
GTO
Global Moderator
« Reply #1 on: April 05, 2006, 02:43:11 AM »

Hi, Ithlinae. Welcome to the 2-Spyware.com forums!

I have to see your HijackThis log. I cannot help you without it. It is quite difficult and ineffective to try eliminating the infection without knowing what it actually is.
admin13
Global Moderator
« Reply #2 on: April 05, 2006, 02:51:01 AM »

[ADDED BY THE ADMINISTRATOR]

Logfile of HijackThis v1.99.1
Scan saved at 8:00:26 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Lucyna\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\irl2l53o1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


This is the latest hjt log. I dunno what else to do, I still have that pop up, and others! HEEEEEEEEEEELPPP!!!!!!
GTO
Global Moderator
« Reply #3 on: April 05, 2006, 03:01:13 AM »

Please follow these steps:

1. Download the l2mfix tool and unpack it to a chosen folder.

2. Run the l2mfix tool by executing the l2mfix.bat file.

3. After you get done, run a new HijackThis scan and post a fresh log here.
Ithlinae
Newbie
« Reply #4 on: April 05, 2006, 10:06:42 AM »

Logfile of HijackThis v1.99.1
Scan saved at 7:01:22 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Lucyna\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe


Above please find the newest, freshest hjt log.  After I ran l2mfix and restarted, there was yet ANOTHER pop up window.....  I want to cry.   Is there NO way to get rid of this sh**?  :'(
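Comparing the two HijackThis logs posted in this thread entry by entry shows what changed between the scan before l2mfix and the scan after it. The following is an added example, not part of any forum post and not a HijackThis feature; it uses short excerpts of the two logs above, and the function names `parse` and `diff_logs` are hypothetical.

```python
import re

# Excerpts of the two logs posted in this thread (before and after l2mfix).
BEFORE = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\irl2l53o1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe"""
AFTER = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\Explorer.EXE

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe"""

# HijackThis entry lines start with a section code such as R0, F2, N1, O4 or O20.
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse(log):
    """Return (processes, entries) as dicts keyed by a normalised form."""
    procs, entries, in_procs = {}, {}, False
    for raw in log.splitlines():
        line = " ".join(raw.split())  # collapse whitespace runs ("-   -" vs "- -")
        m = ENTRY.match(line)
        if m:
            in_procs = False
            # Windows paths are case-insensitive, so compare in lower case.
            entries[(m.group(1), m.group(2).lower())] = line
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            procs[line.lower()] = line
    return procs, entries

def diff_logs(before, after):
    """List what disappeared and what appeared between two scans."""
    (bp, be), (ap, ae) = parse(before), parse(after)
    only_in = lambda a, b: sorted(a[k] for k in a.keys() - b.keys())
    return {"processes_gone": only_in(bp, ap), "processes_new": only_in(ap, bp),
            "entries_gone": only_in(be, ae), "entries_new": only_in(ae, be)}

if __name__ == "__main__":
    for kind, lines in diff_logs(BEFORE, AFTER).items():
        for line in lines:
            print(f"{kind}: {line}")
```

Without the whitespace and case normalisation, the unchanged SmartLinkService line would be reported as both removed and added, because the two scans space its empty vendor field differently.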
GTO
Global Moderator
« Reply #5 on: April 06, 2006, 03:12:15 AM »

Hi, Ithlinae.

Please download a trial version of the ewido anti-malware program. Install it, run a complete system scan and remove all the threats the program will find.
Ithlinae
Newbie
« Reply #6 on: April 06, 2006, 10:23:58 AM »

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         7:21:20 PM, 4/6/2006
 + Report-Checksum:      FF6C0306

 + Scan result:

   HKU\S-1-5-21-472685443-1950939147-3198043977-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
   C:\Config.Msi\52ee14.rbf -> Logger.Agent.gk : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/dn4401hqe.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/enr8l19u1.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/ikrtrmgr.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/is50_32.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/j8l40i3qe8.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/jt8407lqe.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/ktp0l77m1.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/nqtui0.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/nvj0291mg.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/sqgina.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\backup.zip/dlls/tormmgr.dll -> Adware.Look2Me : Error during cleaning
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\dn4401hqe.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\enr8l19u1.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\ikrtrmgr.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\is50_32.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\j8l40i3qe8.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\jt8407lqe.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\ktp0l77m1.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\nqtui0.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\nvj0291mg.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\sqgina.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Desktop\l2mfix\dlls\tormmgr.dll -> Adware.Look2Me : Cleaned with backup
   C:\Documents and Settings\Lucyna\Local Settings\Temp\Cookies\lucyna@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
   C:\Documents and Settings\Lucyna\Local Settings\Temp\Cookies\lucyna@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
   C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
   C:\WINDOWS\system32\guard.vir -> Adware.Look2Me : Cleaned with backup


::Report End

This is a report from ewido.  So far so good, no pop ups have appeared since I turned my laptop on.  GTO, you might have performed a miracle :D  If you don't mind, I'll be recommending this site to all my friends, who happen to have a similar problem.  Many thanks, man.... ;)
GTO
Global Moderator
« Reply #7 on: April 07, 2006, 02:51:31 AM »

I'm glad I could help you ;)

Good Luck