
help needed ...i get popups all over...

745 views 9 replies 2 participants last post by  tetonbob  
#1 ·
hi guys.... there is my log.... I have a problem, for the last 3 days my kids must have downloaded or visited something that I don't know...LOL I am getting popups showing up each and every 3 mins or so... always the same... ran Spybot and it detected SmitFraud ... any help ...


Logfile of HijackThis v1.99.1
Scan saved at 1:05:54 AM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Digital Design Ltd\Installers\MCCINST.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Documents and Settings\oscar\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120489827292
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} - http://www.advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\l6j8lg1u16.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallTest - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Metric Conversion Calculator Installer - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 
#3 ·
Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When it re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt at the end of this fix.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX and place it in your C:\Windows\System32 Directory.


I see you have msconfig enabled. This may prevent us from seeing everything running on your system. Please re-enable all startup items.

Go to Start>Run type msconfig and press Enter.

Select Normal Startup - Load all Device Drivers and Services

Reboot and post a new HJT log.

---------------------------------------------------
 
#4 ·
there is my Look2Me-Destroyer log file.....

this is what you have asked me....

"Close all windows before continuing.
Double-click to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When it re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt at the end of this fix.

----------------------------------------------------------------------------there it is .....

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/3/2006 12:32:24 PM

Infected! C:\WINDOWS\system32\fp2003fme.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007219.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007220.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007221.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007222.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007224.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007228.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007238.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007240.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007243.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007247.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP77\A0007268.dll
Infected! C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP77\A0007272.dll
Infected! C:\WINDOWS\SYSTEM32\fp2003fme.dll
Infected! C:\WINDOWS\SYSTEM32\ir22l5fo1.dll
Infected! C:\WINDOWS\SYSTEM32\Ruboex32.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\fp2003fme.dll
C:\WINDOWS\system32\fp2003fme.dll Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007219.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007219.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007220.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007220.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007221.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007221.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007222.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007222.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007224.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007224.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007228.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007228.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007238.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007238.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007240.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007240.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007243.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007243.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007247.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP74\A0007247.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP77\A0007268.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP77\A0007268.dll
Deleted successfully!

Attempting to delete: C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP77\A0007272.dll
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP77\A0007272.dll
Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\fp2003fme.dll
C:\WINDOWS\SYSTEM32\fp2003fme.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\ir22l5fo1.dll
C:\WINDOWS\SYSTEM32\ir22l5fo1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\Ruboex32.dll
C:\WINDOWS\SYSTEM32\Ruboex32.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\RunOnce

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved "{9D31CAB8-BBE9-4200-A137-205B9DFE1FF7}"
HKCR\Clsid\{9D31CAB8-BBE9-4200-A137-205B9DFE1FF7}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
 
#5 ·
log file with normal start up .....

log file with normal start up.....as requested...

------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:54:33 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Design Ltd\Installers\MCCINST.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServAlert.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServAlert.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\oscar\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qxwvfq.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Time Sync] C:\Program Files\Time Sync\time.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Xbyhtm.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [5BqqgJK] C:\WINDOWS\ltqtn.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.1.74.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120489827292
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} - http://www.advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InstallTest - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Metric Conversion Calculator Installer - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
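
The remark in post #3 that msconfig can hide startup items can be checked by diffing the two HijackThis logs posted so far. The Python below is an added example, not part of any post and not part of HijackThis; the function names `parse` and `diff` are made up here, and the two embedded logs are abbreviated excerpts of the logs in posts #1 and #5. The diff only reports what differs between two scans; it does not say why an entry differs or whether it is malicious.

```python
import re

# Abbreviated excerpt of the first log (taken while msconfig was in use).
LOG_MSCONFIG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\l6j8lg1u16.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
"""

# Abbreviated excerpt of the second log (normal startup).
LOG_NORMAL = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qxwvfq.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Xbyhtm.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
"""

# A log entry is "<letter><number> - <detail>"; header and process lines do not match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# For sections with a known layout, split the detail into
# (location, slot name, what it launches) so a changed command line is
# reported as a change to one slot, not as one removal plus one addition.
SLOT_PATTERNS = {
    "O4": (
        re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$"),   # registry Run keys
        re.compile(r"^((?:Global )?Startup): (.+?) = (.+)$"),  # Startup folder links
    ),
    "O20": (re.compile(r"^(Winlogon Notify): (.+?) - (.+)$"),),
}


def parse(text):
    """Map each autostart slot in a HijackThis log to the value it holds."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # banner, "Running processes" list, blank line
        code, detail = m.groups()
        key, value = (code, detail), ""  # fallback: whole line is the key
        for pattern in SLOT_PATTERNS.get(code, ()):
            slot = pattern.match(detail)
            if slot:
                key = (code, slot.group(1), slot.group(2))
                value = slot.group(3)
                break
        entries[key] = value
    return entries


def diff(before, after):
    """Compare two logs: slots that appeared, vanished, or changed value."""
    b, a = parse(before), parse(after)
    return {
        "appeared": sorted(k for k in a if k not in b),
        "vanished": sorted(k for k in b if k not in a),
        "changed": sorted((k, b[k], a[k]) for k in a if k in b and a[k] != b[k]),
    }


if __name__ == "__main__":
    result = diff(LOG_MSCONFIG, LOG_NORMAL)
    for key in result["appeared"]:
        print("only in second log:", " | ".join(key))
    for key in result["vanished"]:
        print("only in first log: ", " | ".join(key))
    for key, old, new in result["changed"]:
        print("changed:", " | ".join(key), "::", old, "->", new)
```
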
 
#6 · (Edited)
Ok, now for round 2.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


---------------------------------------------------------------------------------------------


Download Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

---------------------------------------------------------------------------------------------


Download and install CleanUp!
NOTE: Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64. Download & run this tool to find out for sure.....

http://www.kellys-korner-xp.com/regs_edits/xp_whichcpu.exe


----------------------------------------------------------

Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:
  • Open AdAware SE.
  • Go to AdWatch User Interface.
  • Go to Tools and Preferences.
  • At the bottom of the screen you will see 2 options Active and Automatic.
  • Active: This will turn Ad-Watch On\Off without closing it
  • Automatic: Suspicious activity will be blocked automatically
  • Uncheck both options. You can enable these after resolving your problem.
  • Unless they are turned off they could interfere with the fix by HijackThis.

---------------------------------------------------------------------------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Search Assistant
MyWebSearch
Web_Rebates
SpyKiller
SpyHunter
Programs of dubious repute


---------------------------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):


R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qxwvfq.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Xbyhtm.exe
O4 - HKLM\..\Run: [5BqqgJK] C:\WINDOWS\ltqtn.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} - http://www.advnt01.com/dialer/canada_ver3.CAB
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)



---------------------------------------------------------------------------------------------

Run Ewido with its updated definitions (it's important that all windows be closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Program Files\WindowsSA
C:\Program Files\Web_Rebates
C:\WINDOWS\system32\Qxwvfq.exe
C:\Program Files\Enigma Software Group
C:\WINDOWS\system32\Xbyhtm.exe
C:\WINDOWS\ltqtn.exe
C:\Program Files\SpyKiller



---------------------------------------------------------------------------------------------

Restart in normal mode.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

Ewido
Kaspersky
HJT


How is your system behaving now, please?
 
#7 ·
no more popups.....

Popups seem to be gone now... after running the Look2Me-Destroyer. Everything looks pretty good. Should I still go through the last procedure that you have asked me to? I really appreciate the help, thanks so much for your time.

cgexx
 
#8 ·
"should i still go thru the last procedure that you have asked me to"
YES!

Why would I put up another round of fixing otherwise?

The popups were a manifestation of one of the multiple infections on this system.

Complete the next steps I laid out... or you are still infected with trojan downloaders and other useless crapware.
 
#9 ·
there we go kaspersky scan done...

there are the results....
-----------------------------------------------------

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, April 04, 2006 12:04:20
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/04/2006
Kaspersky Anti-Virus database records: 186193
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 104000
Number of viruses found: 26
Number of infected objects: 38
Number of suspicious objects: 5
Duration of the scan process: 12252 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/svchost.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\oscar\Desktop\benoit\setup.exe/data0104 Suspicious: Backdoor.Win32.VB.gen
C:\Documents and Settings\oscar\Desktop\benoit\setup.exe/data0199 Infected: Trojan-Dropper.Win32.Fearless
C:\Documents and Settings\oscar\Desktop\benoit\setup.exe/data0200 Infected: Trojan-Dropper.Win32.VB.r
C:\Documents and Settings\oscar\Desktop\benoit\setup.exe Infected: Trojan-Dropper.Win32.VB.r
C:\Program Files\BitTorrent\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n
C:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n
C:\Program Files\BitTorrent\uninstall.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n
C:\Program Files\mIRC.ExCurSioN.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612
C:\Program Files\mIRC.ExCurSioN.rar/mIRC.ExCurSioN.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612
C:\Program Files\mIRC.ExCurSioN.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.612
C:\Program Files\Norton AntiVirus\Quarantine\075C05E7 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\0B4E317F Infected: DoS.Win32.Jman.a
C:\Program Files\Norton AntiVirus\Quarantine\0E785E04 Infected: Nuker.Win32.Beer
C:\Program Files\Norton AntiVirus\Quarantine\10CE6172 Infected: DoS.Win32.Octopus
C:\Program Files\Norton AntiVirus\Quarantine\11140642.dll_ Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\1A7B195C Infected: Nuker.Win32.Divine
C:\Program Files\Norton AntiVirus\Quarantine\1AFD28CC Infected: not-a-virus:NetTool.Win32.ICMPPing
C:\Program Files\Norton AntiVirus\Quarantine\1BCE27E6 Infected: IM-Flooder.Win32.VB.bc
C:\Program Files\Norton AntiVirus\Quarantine\1C5C78BB Infected: Flooder.Win32.PacketStorm
C:\Program Files\Norton AntiVirus\Quarantine\424C7385.exe Infected: Trojan-Downloader.Win32.VB.ft
C:\Program Files\Norton AntiVirus\Quarantine\4967774C.exe Infected: Trojan-Downloader.Win32.PassAlert.i
C:\Program Files\Norton AntiVirus\Quarantine\5100150D/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\5100150D Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\5194156C Infected: Trojan.Java.ClassLoader.z
C:\Program Files\Norton AntiVirus\Quarantine\52CF2017 Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton AntiVirus\Quarantine\5E866E2C/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\5E866E2C Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\63170992.exe/run.exe Infected: Trojan-Downloader.Win32.PassAlert.i
C:\Program Files\Norton AntiVirus\Quarantine\63170992.exe Infected: Trojan-Downloader.Win32.PassAlert.i
C:\Program Files\Norton AntiVirus\Quarantine\64E86632.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\64EF3A2B.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\64F50E23.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\666E7AAE.exe Infected: Trojan-Dropper.Win32.Fearless
C:\Program Files\Norton AntiVirus\Quarantine\6E4327BF.tmp Infected: Trojan-Dropper.Win32.Fearless
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\4A9169A6-7089-448B-8878-8D85EC\0F74910E-3EB1-4F5C-AC24-7D1E6D Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.d
C:\WINDOWS\Downloaded Program Files\flash.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as
C:\WINDOWS\SYSTEM32\biN.exe Infected: Trojan-Dropper.Win32.Agent.og
C:\WINDOWS\SYSTEM32\BO2808040510.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d
C:\WINDOWS\SYSTEM32\req.exe Infected: Trojan-Dropper.Win32.Agent.hg

Scan process completed.
 