narmi2
asked on
Help Remove Virus
i think i have some sort of virus/trojan/worm on my computer which keeps opening up popup windows each time i start internet explorer.
after using norton internet security 2005 it found nothing after a full scan! i read that i must restart the computer and boot up in safe mode then run internet security 2005 and that will fix the problem. the problem is that in safe mode for some reason the internet security 2005 software does not want to start?
after downloading some trial scanners i have come to realise that i have the following on my computer
TargetSavers
ILookup.Begin2Search
but i cant remove them
can someone help?
thanks
SOLUTION
SOLUTION
narmi2,
Here is how to remove ILookup.Begin2Search manually:
http://pctoday.com/editorial/article.asp?article=articles/2005/w1602/40w03.asp&ArticleID=25534&guid=
With all the scans and viruses, identify which files (and their locations) cannot be deleted after running the above scanners.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'm working my way through all your links!
Thanks
narmi2, if you have any questions, please ask. Hopefully one or a couple of the auto scanners will get rid of the malware. If not, use HijackThis.
ASKER
I'm still doing the very first link! I have over 300Gb of files to scan and its gonna take forever!
Thanks will report back asap.
Take your time. I posted 3 online virus scans. You can run two of them. If you had used Norton antivirus already, skip the Symantec online scan.
ASKER
Hello again!
I've just finished all the suggestions above, but nothing worked! I still get the extra window popup each time i open a browser window. I forgot to mention that each time i open a browser it asks me to install office again?
I have even tried the manual removal methods but when i go into the downloaded program files folder i cannot see the file which i am supposed to delete. The BHO scanners say i have no browser helpers?
HijackThis gave the most errors, so i deleted everything they suggested but still i get the popups and the message telling me to install office again. it even happens when i click on a link on the internet which opens in a new browser window.
Please help.
ASKER
Oops! I just realised I posted this thread in the windows xp section which it should have been in the windows 2000 section!
Does this make a difference when detecting bugs?
turn off your system restore - right click my computer > properties > system restore
That options is not there in windows 2000 ???
narmi2,
1. If you have Windows Messenger Service, disable it. The Messenger is the source of popups and virus.
http://www.itc.virginia.edu/desktop/docs/messagepopup/
2. Run HijackThis and post the log at http://www.hijackthis.de/, click Analyze, Save, and post a link to the save analysis here.
ASKER
War1
I dont have Windows Messenger enabled, and I have posted at http://www.hijackthis.de/. It showed 3 items which I needed to delete and I did! But the problem still remains?
Why can I not run Norton AntiVirus when I login in safemode on windows 2000? I did a thorough scan with it and it picked up 3 adware items which I deleted but it would not delete the 4th item. It recommended that I run the process again in safemode but I cant!
any ideas?
narmi2, I like to see the HijackThis log. Save the analyzed HijackThis log and post a link to it here.
ASKER
Have HijackThis remove this process in Safe Mode
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\fp6m03j1e.dll
If you did not install these programs, have HijackThis remove them
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=
O4 - HKCU\..\Run: [feedreader.exe] C:\Program Files\FeedReader\feedreader.exe
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
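For readers who, like the asker below, are not sure what the R1/F2/O4/O16/O20 prefixes mean, here is a small triage script. It is an added example for this thread, not HijackThis itself and not the expert's tool: the section codes and their meanings are HijackThis's own, while the severity rules and the looks_random() heuristic are the editor's, written from a defender's view of the entries quoted above. The sample log is constructed from those entries.

```python
"""Triage a few HijackThis log lines (added example, not HijackThis's own code)."""
import re

# Documented HijackThis section codes for the entry types seen in this thread.
SECTION_MEANING = {
    "R1": "Internet Explorer registry value changed from its default",
    "F2": "Winlogon Shell/UserInit registry value changed from its default",
    "O4": "autostart entry (Run key or Startup folder)",
    "O16": "downloaded ActiveX control (Downloaded Program Files)",
    "O20": "Winlogon Notify DLL or AppInit_DLLs entry",
}

# Constructed sample: the entries the expert listed above, one per line.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=
O4 - HKCU\\..\\Run: [feedreader.exe] C:\\Program Files\\FeedReader\\feedreader.exe
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodesk/acad2006/clientdownloads/OTAI.CAB
O20 - Winlogon Notify: Controls Folder - C:\\WINNT\\system32\\fp6m03j1e.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path in the entry body that ends in .dll or .exe (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)


def looks_random(stem):
    """Heuristic (editor's own): a filename stem that mixes several digits into
    letters, like fp6m03j1e, is typical of a component that regenerates itself
    under a new name, which is what the O20 entry in this thread does."""
    digits = sum(ch.isdigit() for ch in stem)
    letters = sum(ch.isalpha() for ch in stem)
    return digits >= 2 and letters >= 3


def parse_entry(line):
    """Split one log line into its section code, body and referenced file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    path_m = PATH_RE.search(body)
    return {
        "code": code,
        "body": body,
        "path": path_m.group(0) if path_m else None,
        "meaning": SECTION_MEANING.get(code, "other HijackThis section"),
    }


def assess(entry):
    """Return (severity, reason) for one parsed entry. Heuristics, not verdicts."""
    code, path = entry["code"], entry["path"]
    if code == "O20":
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0] if path else ""
        if looks_random(stem):
            return "high", ("Winlogon Notify DLL with a random-looking name; it is loaded into "
                            "winlogon.exe at logon and stays in use, hence removal from Safe Mode")
        return "medium", "Winlogon Notify DLL; confirm the file belongs to software you installed"
    if code == "F2":
        return "medium", "UserInit/Shell value differs from the default (userinit.exe / explorer.exe)"
    if code == "O16":
        return "medium", "ActiveX control fetched from the web; remove unless the site is still used"
    if code == "O4":
        return "low", "autostart program; check that the path is software you recognise"
    if code == "R1":
        return "low", "IE proxy-bypass list changed; harmless unless a proxy server is also set"
    return "info", "not covered by these rules"


def triage(log_text):
    """Parse every recognisable line and attach a severity and reason."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        entry["severity"], entry["reason"] = assess(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e['severity']:6}] {e['code']:3} {e['meaning']}")
        print(f"         {e['body']}")
        print(f"         -> {e['reason']}")
```

The point of the O20 rule is the one the expert makes next: a Winlogon Notify DLL is loaded by winlogon.exe itself, so it is locked while you are logged on and a normal-session scan cannot delete it.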
ASKER
Thanks for that!
R1 - I'm not positive but I think that's something to do with my linksys router. How would I find out?
F2 - I have no idea what that is?
O4 - Is ok as its an RSS feed reader
Both O16's were trial programs I installed and removed a long time ago
But thanks. I'll do that now.
O20 is the main problem. If after you delete the file, it comes back, let me know. I have other ways of removing the file.
ASKER
Winlogon is back!
narmi2,
C:\WINNT\system32\fp6m03j1e.dll is probably the source of your popups. When you said it came back: you were able to delete it, but it got regenerated. Instead of deleting it, disable it by removing all permissions.
Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and other permissions. If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".
ASKER
I can't seem to see that file!
I ran the hijackthis again and O20 has come up under a different .dll !!!
Looks like it can rename itself.
So I removed all permissions from the new O20 but the popups still remain.
What type of ads or popups are you getting?
A hidden program is generating the file. Use Rootkit Revealer to find the hidden file.
http://www.systeminternals.com/utilities/rootkitrevealer.html
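Rootkit Revealer, which the expert recommends above, works by comparing what the Windows API reports with what is actually on disk and in the registry hives. A much cheaper complementary check, added here by the editor and not part of the expert's advice, catches the behaviour the asker describes (the O20 DLL reappearing under a new name): take a baseline of the directory, take another after the next reboot or scan, and report what appeared, vanished, or was renamed. The demo below builds its scenario in a temporary directory with made-up file contents; the filenames are the ones from this thread, and on the affected machine you would point snapshot() at C:\WINNT\system32 instead.

```python
"""Baseline-and-diff a directory to catch a file that regenerates under a new name.
Added example for this thread; not Rootkit Revealer and not the expert's method."""
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(directory, suffixes=(".dll", ".exe")):
    """Map filename -> {size, sha256} for every matching file directly in directory."""
    result = {}
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() in suffixes:
            result[p.name] = {
                "size": p.stat().st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return result


def save_snapshot(snap, path):
    """Persist a baseline so it survives the reboot you take between runs."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(path):
    return json.loads(Path(path).read_text())


def diff_snapshots(before, after):
    """Report added, removed and modified files, plus removed/added pairs with
    identical content: the same component back under a new name."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        n for n in set(before) & set(after) if before[n]["sha256"] != after[n]["sha256"]
    )
    renamed = [
        (old, new)
        for old in removed
        for new in added
        if before[old]["sha256"] == after[new]["sha256"]
    ]
    return {"added": added, "removed": removed, "changed": changed, "renamed": renamed}


def demo():
    """Constructed scenario: one legitimate DLL stays put; the adware DLL is
    deleted by the user and comes back, byte-identical, under a different name
    (both names are taken from this thread; the contents are made up)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "crypt32.dll").write_bytes(b"legitimate library bytes")
        (root / "fp6m03j1e.dll").write_bytes(b"adware payload bytes")
        baseline_file = root / "baseline.json"
        save_snapshot(snapshot(root), baseline_file)

        (root / "fp6m03j1e.dll").unlink()  # the user deletes it ...
        (root / "izrtprio.dll").write_bytes(b"adware payload bytes")  # ... and it regenerates

        before = load_snapshot(baseline_file)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once to write the baseline, reboot, and run the diff after the popups return; a renamed pair is the component to hand to the scanners, and an added file with new content is the next thing to check in the O20 list.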
ASKER
I like to see the Rootkit Revealer log, if it is not too large.
Do the popups happen only when you visit a website? Or does it happen randomly at anytime? If the former, many websites generate popup ads. You just need a good popup blocker. The popups are not coming from your computer.
ASKER
Ok I will post the log as soon as i can!
I'm sure this is not just any popup thing because when i open the browser and type something into the addressbar, for example ebay, it gives me a popup with an alternative auction site each and every time i go to a website.
I know microsoft.com does not have any popups but it also gives a popup for that site too saying something like "we've detected you are using internet explorer, firefox is much better you should give that a try"
So some of the popups seem to be based on the sites i go to!
Looks like you are getting redirected. Do a search for HOSTS file and open it with Notepad. Check your sites are being redirected to another DNS number. Hosts file is a hidden file, so you have to unhide hidden file.
ASKER
Unfortunatily I couldnt run the rootkit revealer yesterday and am planning to run it today.
The problem doesnt totally redirect me. It always opens a second window based on the window i open. so for example if i open 1 window and go to ebay, after that window has opened and while i am browsing that site it will open another window at random times even if i dont click on a link on ebay.
this second window will be based on the first window so for example it opens another auction site in the second window.
Did you check the HOSTS file? Be sure to scroll to the bottom.
ASKER
I've done a search for 'HOSTS' and it only returned the following:
C:\Program Files\PowerQuest\Drive Image 2002\BDBUILD\MS\LMHOSTS
C:\Program Files\Spyware Doctor\tools\hostsscanner.dll
C:\WINNT\system32\drivers\etc\hosts
C:\WINNT\system32\drivers\etc\lmhosts.sam
This is the file that you want to look at
C:\WINNT\system32\drivers\etc\hosts
Open it with Notepad and scroll to the bottom.
ASKER
This is the content of hosts
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com
127.0.0.1 idownload.com
127.0.0.1 www.mytotalsearch.com
127.0.0.1 mytotalsearch.com
127.0.0.1 www.lop.com
127.0.0.1 lop.com
127.0.0.1 www.websearch.com
127.0.0.1 websearch.com
127.0.0.1 www.page-not-found.net
127.0.0.1 page-not-found.net
127.0.0.1 www.isearchhere.com
127.0.0.1 isearchhere.com
127.0.0.1 xads.offeroptimizer.comm
127.0.0.1 search.offeroptimizer.com
127.0.0.1 ximages.offeroptimizer.com
127.0.0.1 xlime.offeroptimizer.com
127.0.0.1 xadsj-o.offeroptimizer.com
127.0.0.1 xadsj.offeroptimizer.com
127.0.0.1 www.offeroptimizer.com
127.0.0.1 as.adwave.com
127.0.0.1 sr.adwave.com
127.0.0.1 www.adwave.com
127.0.0.1 adwave.com EVENT:HOST:127.0.0.1
127.0.0.1 www.pacimedia.com
ASKER
And this is the log from RootkitRevealer
http://img344.imageshack.us/img344/7297/rootkitrevealerlog0kr.png
ASKER
And also. In the last 2 days I've restarted my computer 3 times. Each time it gets into windows it complains about a dll. But the strange thing is it complains about a different dll each time, for example
restart 1 - an exception occurred while trying to run ""c:\winnt\system32\izrtprio.dll", dllgetversion"
restart 2 - an exception occurred while trying to run ""c:\winnt\system32\dfound.dll", dllgetversion"
restart 3 - an exception occurred while trying to run ""c:\winnt\system32\WSNINET.DLL", dllgetversion"
Would this have anything to do with the problems i'm getting?
Thanks for the help
Your HOSTS file looks OK. The listings in there are placed there by one of your antispyware programs. They block spyware, not anything else.
In Rootkit Revealer, delete the 4 items listed with the Description, "Hidden from Windows API". One is in Startup folder, the others are in Temp folder.
Use CCleaner to remove files in Temp directory.
http://www.ccleaner.com
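The distinction the expert draws is the one to automate: a hosts entry that sends a domain to 127.0.0.1 sinkholes it (that is what antispyware blocklists write), whereas an entry that sends a site you use to some other address is a redirect. The script below is an added example for this thread, not the expert's tool or any product's code. Its sample is constructed from a few of the lines posted above plus one made-up redirect line (the 192.0.2.10 address is from the documentation range, chosen so it is obviously not real) to show what a bad entry looks like; it also tolerates the odd "EVENT:HOST:127.0.0.1" token that appears in the asker's file.

```python
"""Classify hosts-file entries as sinkhole, redirect, default or malformed.
Added example for this thread; not the expert's tool."""
import ipaddress
import re

# Plain hostname tokens; anything else on the line (e.g. EVENT:HOST:127.0.0.1) is "junk".
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")

# Constructed sample: the first entries are from the hosts file posted above,
# the last one is a made-up redirect of the kind the expert said to look for.
SAMPLE_HOSTS = """\
# start of constructed sample
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 www.lop.com
127.0.0.1 adwave.com EVENT:HOST:127.0.0.1
127.0.0.1 www.pacimedia.com
# made-up hijack line: a real site sent to a foreign address
192.0.2.10 www.ebay.com
"""


def classify_address(ip):
    """Loopback or 0.0.0.0 sinkholes the name; anything else sends it elsewhere."""
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"
    return "redirect"


def parse_hosts(text):
    """Return one dict per non-comment line: address, hostnames, junk tokens, status."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append({"line": lineno, "address": parts[0], "names": [],
                            "junk": parts[1:], "status": "malformed"})
            continue
        names = [t for t in parts[1:] if HOSTNAME_RE.match(t)]
        junk = [t for t in parts[1:] if not HOSTNAME_RE.match(t)]
        if names == ["localhost"] and ip.is_loopback:
            status = "default"
        else:
            status = classify_address(ip)
        entries.append({"line": lineno, "address": str(ip), "names": names,
                        "junk": junk, "status": status})
    return entries


def redirects(entries):
    """The entries that actually send a name somewhere other than the local machine."""
    return [e for e in entries if e["status"] == "redirect"]


def summarize(text):
    """Counts per status, which is the one-line answer to 'does my HOSTS file look OK?'."""
    counts = {}
    for e in parse_hosts(text):
        counts[e["status"]] = counts.get(e["status"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(summarize(SAMPLE_HOSTS))
    for e in redirects(entries):
        print(f"line {e['line']}: {', '.join(e['names'])} -> {e['address']}  REDIRECT")
    for e in entries:
        if e["junk"]:
            print(f"line {e['line']}: unexpected tokens {e['junk']} (worth a look, not a redirect)")
```

On a real machine, read C:\WINNT\system32\drivers\etc\hosts into parse_hosts(); a file made entirely of "default" and "sinkhole" entries is the situation the expert describes as OK, and any "redirect" or "malformed" line is the thing to investigate.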
ASKER
I just done all that and am still getting the problem.
I was wondering, is there a program out there which detects programs being used to open a window?
For example, if I opened microsoft word it might say that the following exe was used to open word:
WINWORD.EXE
Located in:
C:\Program Files\Microsoft Office\OFFICE11
Do you know if such a program exists as it might tell me where or what is opening these extra internet explorer windows?
Thanks for the help as always.
Process Explorer may be what you want. I have used it to find out what programs are doing.
http://www.systeminternals.com/utilities/processexplorer.html
ASKER
Thanks for that link!
I loaded that program and set its property to always ontop so i could see any new process loading up.
I forcefully closed all the processes I wasnt sure about and started browsing the web. Everything looks normal and it was showing the cpu usage of iexplorer.
Then when finally the popup came it loaded a new process
CTFMON.EXE
description
Cicero Loader
I again closed it and was browsing the web again. but that ctfmon didnt show up again until a popup came up!
could that be the problem?
ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
http://www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/
Not sure why an MS Office program is opening popups. Go ahead and terminate the process.
ASKER
Ok I just did a little test and realised that ctfmon.exe also starts when I open microsoft word!
So I used 'Process Explorer' to 'Suspend' ctfmon.exe which was opened by word. This rendered word useless, but when I started to browse the web, not 1 popup opened for the whole period ctfmon.exe was suspended!
The problem is, when I simply kill the process, it opens again as soon as a popup is generated, but by suspending it no popups open!.
As soon as I 'Resume' the process all the popups start again?
So I have no idea what to do.
Seems like there is an adware tied to ctfmon.exe. You ran the antivirus and antispyware above and did not find anything? Did you run Ewido?
http://www.ewido.net/en/
ASKER
Thanks for the reply
I ran antivirus norton and it found some stuff. if was able to remove it all except 1 which i cant remember the name of. It advised me to re-run antinorton virus in safe mode, but when i try to do that in safe most anti norton virus will not start for some reason.
ewido i have not tried yet and will try as soon as i get home
Thanks
ASKER
typos.....
Thanks for the reply
I ran antivirus norton and it found some stuff. if was able to remove it all except 1 which i cant remember the name of. It advised me to re-run antinorton virus in safe mode, but when i try to do that in safe MODE anti norton virus will not start for some reason.
ewido i have not tried yet and will try as soon as i get home
Thanks
ASKER
I used ewido and it detected look2me. I told it to remove it but it could not. I even ran ewido in safe mode but it still detected it and could not remove it.
I downloaded http://securityresponse.symantec.com/avcenter/venc/data/spyware.look2me.html and it detected nothing?
Each time I run ewido it detects look2me under a different dll
What do I do?
ASKER CERTIFIED SOLUTION
ASKER
Yes, but most of that stuff is not on my system in the registry
ASKER
I think I managed to get rid of it! But my method was a bit extreme. I created a new partition on the hdd and installed another copy of windows 2000. I installed the virus software on this partition and did a FULL system scan on all the hdds and partitions. It found and deleted about 10 items.
When I logged back in again to the original windows 2000, I had no error messages, no popups, and was a lot faster.
Now all I gotta do is test it for a little while and if everything goes well I can simply delete the new windows 2000 partition! :)
Thanks for all the help!
narmi2, Glad you got rid of the spyware.
Check for viruses and adware. Run the following scanners that you have not run.
Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Symantec Security Check
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
SpyBot S&D searches your hard disk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/
or
Trojan Hunter
http://wiki.castlecops.com/Securing_Your_Computer:_Trojan_Removal_Programs#TrojanHunter_Trial
or
Ewido
http://www.ewido.net/en/
If no joy, download HijackThis
http://www.majorgeeks.com/download3155.html
Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyze, Save. Post a link to the saved list here.
Best wishes!