#1
11-10-2005
Darsus
Bronze Member
Join Date: Nov 2005
Posts: 8
[RESOLVED] HJT and ewido logs frustrating problem

After an EWIDO scan, two of the 28 infections could not be removed. They had "cleaning error" messages. The path is "Windows/system32/pmcn20.dll"; a reference to "Spyware Look2me" is also given. When I try to delete the PMCN20 file in C:, I get a window message "Cannot delete file, file is being used by someone or another program". I get the same kind of message when trying to clean the "Temp" and "Temporary Internet Files" folders in safe mode. The message here reads: cannot remove "INDEX.DAT", it is being used by someone or another program.

Also, how about if we put a team together that finds the people responsible for writing spyware around the world, when caught, beat the **** out of them, filming the whole event, then posting the video online for the deterrent value.

Any help will be very appreciated.


#2
11-10-2005
Darsus
Bronze Member
Join Date: Nov 2005
Posts: 8
HJT and ewido logs frustrating problem

I appreciate the people here that take the time to help us NEWBIES...
Attached Files
File Type: log hijackthis.log (5.1 KB, 2 views)


__________________
Pentium 4 Celeron 1.7GHZ
512 RAM
Windows XP
#3
11-10-2005
ladygreenwitch
Administrator
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,697

Hi Darsus,

Welcome to PCHF. In order to get a complete picture of what you are dealing with, it would be most helpful for you to follow these instructions and then post your ewido and HJT logs back here.

Show hidden files and folders:
For XP:

1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.
4. If you see a warning message, click Yes.
5. Click Apply.
6. Click OK.

Disable system restore to prevent re-infection.
(if you have/use it.)
(You can turn it back on when your PC is clean.)


How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Pre-work clean up

Download CCleaner, install and run it. Make sure that all options are checked including Advanced, click OK to all warnings. Click on the Analyze button, let it run. When it is finished, click on the Run Cleaner button, exit CCleaner.

Then run HijackThis. Please verify that it is installed into its own folder and is not being run from a temporary file. Choose the option to save a log and attach the log here.

You can post your ewido log as a cut and paste.

Look forward to your reply,

TTFN

LGW


#4
11-10-2005
ladygreenwitch
Administrator
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,697

Hi Darsus,

I was hoping you would post here soon. I just left you instructions at your other post with the info about your ewido log. I will merge the two after I have taken a look at your HJT log.

LGW


#5
11-10-2005
ladygreenwitch
Administrator
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,697

Hi Darsus,

I took a look at your HJT log; there are a few questions I have before we start trying to fix your computer.

First, do you have a Realtek audio card installed, or did you at one time?

Second, do you recognize this entry?

O17 - HKLM\System\CCS\Services\Tcpip\..\{489E7FB5-7D42-4162-BDA4-B0AF737276A2}: NameServer = 64.136.28.120 64.136.20.120

And last, can you please post the ewido log that you mentioned in your other post?

While you are doing that, I will merge the two posts.

Look forward to your reply,

TTFN

LGW


#6
11-10-2005
Darsus
Bronze Member
Join Date: Nov 2005
Posts: 8
Lgw,

This will be embarrassing. At 43, I am not versed in this computer stuff. I look in the "Sounds and audio devices" area in the control panel, and it does refer to "REALTEC".

And no, that referenced line does not look familiar.


__________________
Pentium 4 Celeron 1.7GHZ
512 RAM
Windows XP
#7
11-10-2005
Darsus
Bronze Member
Join Date: Nov 2005
Posts: 8
LGW, I can't post "quick reply's"....

When I try to "Quick Reply" to you I get bombarded with the windows that I am trying to get rid of. It's like the spyware KNOWS what I am doing? Here's the EWIDO report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:46:53 PM, 11/10/2005
+ Report-Checksum: C1BE0CEB
+ Scan result:
[1012] C:\WINDOWS\system32\pmcn20.dll -> Spyware.Look2Me : Error during cleaning
[1676] C:\WINDOWS\system32\pmcn20.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\Cookies\steve@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

::Report End


__________________
Pentium 4 Celeron 1.7GHZ
512 RAM
Windows XP
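
Added example (not part of the thread, and not code from ewido or HijackThis): a small Python triage helper that parses the ewido result lines and the O17 entry posted above, groups the detections that were not cleaned by file, and extracts the DNS servers so they can be compared with the ones the ISP or router is expected to assign. The line formats are inferred from the lines posted here, and the leading bracketed number is kept as an opaque tag because the thread does not say what it denotes.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the logs posted in this thread.
EWIDO_REPORT = r"""
+ Scan result:
[1012] C:\WINDOWS\system32\pmcn20.dll -> Spyware.Look2Me : Error during cleaning
[1676] C:\WINDOWS\system32\pmcn20.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\Temp\Cookies\steve@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
::Report End
"""
O17_LINE = (r"O17 - HKLM\System\CCS\Services\Tcpip\..\{489E7FB5-7D42-4162-BDA4-B0AF737276A2}"
            ": NameServer = 64.136.28.120 64.136.20.120")

# Assumed format: optional leading "[n]" tag, then "<path> -> <detection> : <status>".
RESULT_RE = re.compile(r"^(?:\[(\d+)\]\s+)?(.+?) -> (\S+) : (.+)$")
O17_RE = re.compile(r"^O17 - (.+?): NameServer = (.+)$")

def parse_ewido(report):
    """Return one dict per result line; header and footer lines are skipped."""
    rows = []
    for line in report.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            rows.append(dict(zip(("tag", "path", "detection", "status"), m.groups())))
    return rows

def not_cleaned(rows):
    """Group entries whose status does not start with 'Cleaned', keyed by path."""
    pending = defaultdict(lambda: {"detections": set(), "tags": []})
    for r in rows:
        if not r["status"].lower().startswith("cleaned"):
            key = r["path"].lower()  # Windows paths are case-insensitive
            pending[key]["detections"].add(r["detection"])
            if r["tag"]:
                pending[key]["tags"].append(r["tag"])
    return dict(pending)

def parse_o17(line):
    """Return (registry key, [IP addresses]) from an O17 NameServer entry."""
    m = O17_RE.match(line.strip())
    if not m:
        raise ValueError("not an O17 NameServer entry")
    # ip_address() raises ValueError on anything that is not a valid address.
    servers = [ipaddress.ip_address(s) for s in re.split(r"[,\s]+", m.group(2).strip())]
    return m.group(1), servers

if __name__ == "__main__":
    print(not_cleaned(parse_ewido(EWIDO_REPORT)), parse_o17(O17_LINE))
```

Grouping by path shows that both failed entries refer to the same file, which matches the "file is being used" message reported in post #1.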
