Help with Look 2 Me removal.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pr1mo, Oct 17, 2005.

  1. pr1mo

    pr1mo Private E-2

    Hello,

    I ran everything that was requested in the read and run me first sticky. It wasn't until I scanned with Ewido that I discovered I had the look2me infection. I also ran the kill2me program but it said there were no signs of the infection. I went ahead and ran the l2mfix in the special precedure sticky. I also attached the 2 log files from those scans. If anyone could take a look at my logs and offer some assistance in removing this pest it would be much appreciated.

    Thanks,
    pr1mo
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The L2MeFix cleaned up a whole load of bad files. How are things working currently?

    You may want to do the below and post your HJT log so we can make sure no other problems exist:


    Downloading, Installing, and Running HijackThis
     
  3. pr1mo

    pr1mo Private E-2

    Hi Chaslang,

    Thank you for the reply. I'm glad that a lot of the bad files are gone but I'm afraid that the problem isn't totally fixed. Either I still have part of the Look2me infection or there is something else lurking on my computer because I still am getting pop-ups. I installed HJT but there seems to be a problem with the uploader. I will attach the log asap. Once again thanks for the help.

    pr1mo
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look at the log file and in the process list see if you see a line like below:

    c:\windows\system32\cmd.exe

    If you have a line in the process list that shows cmd.exe on it, edit out the cmd.exe to say "edited command prompt" (just a note to us). There is a bug in vB that prevents logs from being uploaded if this file is in the process list.
     
  5. pr1mo

    pr1mo Private E-2

    I got it to work thanks.

    Edit: I forgot to close my browser before scanning so I reuploaded a new HJT log.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should uninstall Aluria Security Center. They have long been known to be associated with malware companies. See these for example:

    http://www.bleepingcomputer.com/startups/SecurityCenter.exe-9582.html
    http://www.boston.com/business/technology/articles/2004/11/06/spyware_killer_displays_its_own_ads/
    http://netrn.net/spywareblog/archives/2004/11/06/aluria-confused/

    You appear to be using two firewalls (McAfee and ZoneAlarm). You must use only one firewall.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Now exit HJT.

    Now run this: Look2Me VX2 Removal and post the two logs from L2MeFix. Also attach a new HJT log (this will require a second message).
     
  7. pr1mo

    pr1mo Private E-2

    Ok, I removed Mcafee and Aluria and then followed the rest of your instructions. Here are the 2 l2mfix logs.
     


  8. pr1mo

    pr1mo Private E-2

    The HJT log.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I was talking about McAfee's Firewall. You uninstalled your antivirus. The McAfee firewall is still showing. It may be broken but it is showing. But now you have no antivirus.

    Something seems to be blocking the L2MeFix from working. The below line is still showing in your log:
    O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en0ol1d31.dll

    Do you have admin privileges?

    Try running L2MeFix, but only option 2, from safe mode and post the log.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try to address some other problems too.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to McAfee Personal Firewall Service (if that is not found, look for: MpfService). Then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.


    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    McAfee Personal Firewall Service

    If that does not work, use the short name: MpfService

    Now exit HJT and do not reboot if it asks you to do so.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\DOCUME~1\Jeff\LOCALS~1\Temp\2005101716257_mcinfo.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Jeff\LOCALS~1\Temp\2005101716257_mcinfo.exe /insfin
    O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en0ol1d31.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\en0ol1d31.dll
    C:\DOCUME~1\Jeff\LOCALS~1\Temp\2005101716257_mcinfo.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  11. pr1mo

    pr1mo Private E-2

    Ran into one slight problem. After booting into safe mode O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\en0ol1d31.dll seemed to have mutated. Also, how exactly am I supposed to kill the winlogon process to delete that dll since that is what it is running off of? In the new HJT log the O20 is still there but it has mutated again. Things seem to slowly get better but I know I am still infected.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! A few other things have been fixed but you did not comment on what I asked you to do in message number 9.

    I said:
    You must make sure you run it in safe mode and do not have any browsers or other unnecessary processes running.
     
  13. pr1mo

    pr1mo Private E-2

    Sorry about that, I totally missed message number 9. Yes I do have admin privileges. As for the firewall, I had both the antivirus and firewall installed a while back. I uninstalled the firewall (obviously not completely) when I got ZoneAlarm. I didn't see anything specifically related to the firewall itself so I just removed anything that had to do with Mcafee since it is a resource hog anyway. I downloaded the free version of Avast instead so I do still have an antivirus. I guess I will go ahead and repeat everything in message 9 and then repost a HJT log.
     
  14. pr1mo

    pr1mo Private E-2

    Ok, here is the log from the l2mfix ran in safe mode. Also, there is a fresh HJT log.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It seems to be having a problem completely fixing all the problems. Also it is not fixing one of the infected registry keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]

    Let's do this manually.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixL2M.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixL2M.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Now reboot into safe mode and run L2MeFix option 2 again. Then reboot and post the log and a new HJT log. If this does not work, I will be asking you to uninstall MS Antispyware. Sometimes protection/blocking tools can also block fixes.
     
  16. pr1mo

    pr1mo Private E-2

    Ok, here are the logs. I also thought I should mention that whenever I run the L2Mfix, for some reason I never get the log file that is supposed to pop up after it reboots so I just run it manually by running the second.bat. I don't know if this could possibly be the reason that it is not completely fixing the problem but I figured it would be best to let you know.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does this happen even when you ran option 2 while in normal boot mode and when it reboots just allow normal boot mode?


    Download this: Find It NT/2000/XP

    Unzip it to its own folder and then run "find.bat" by double clicking on it. Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it run.

    The tool should generate a text file log. Normally it pops up as a notepad file named output.txt when it completes. Attach this log as an attachment to your next post.

    Also please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Question: Does the filename in the O20 line of HJT change after each reboot or does it only change when we try to fix that line? The current log showed:

    O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\irr6l59s1.dll

    If it changes after reboots, we will have to avoid rebooting after you post any logs. You will have to wait until the next fix is provided.
     
  18. pr1mo

    pr1mo Private E-2

    It happens no matter the circumstance. In safe mode I just ran the second bat. In normal mode I ran the first one, typed 2 for the fix, hit enter, let it reboot, then manually started it. Yes, the O20 line of HJT changes every time I reboot. It doesn't matter if I tried to fix it or not.
     

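The behaviour pr1mo describes above (an O20 Winlogon Notify entry whose DLL name changes on every reboot) is easy to triage offline from two HJT logs. The script below is an added example written for this page, not a tool from the thread: it parses O20 lines, flags Notify hooks that use a non-stock subkey or a random-looking DLL name, and diffs two logs to show the hook re-registering under a new name. The stock-subkey baseline and the sample logs are constructed for the example; the DLL names are the ones quoted in the thread.

```python
"""Offline triage of HijackThis O20 lines for the Look2Me indicators in this
thread: a Winlogon Notify hook loading a random-looking DLL from system32, and
a Notify DLL that changes between two logs (what pr1mo saw after each reboot).
The sample logs are constructed; the DLL names are the ones quoted above."""
import re

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")

# Notify subkeys present on a stock Windows XP install (assumption: a defender
# would take this baseline from a known-clean machine; it is not from the thread).
KNOWN_NOTIFY_KEYS = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                     "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

def parse_o20(log_text):
    """Map each Winlogon Notify subkey named in an O20 line to its DLL path."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m.group("key")] = m.group("path")
    return entries

def looks_random(filename):
    """Count letter<->digit switches in the stem: en0ol1d31 has 5, crypt32 has 1."""
    stem = filename.rsplit(".", 1)[0]
    kinds = [ch.isdigit() for ch in stem if ch.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b) >= 2

def suspicious_o20(entries):
    """Flag Notify entries with a non-stock subkey or a random-looking DLL name."""
    flagged = []
    for key, path in entries.items():
        name = path.rsplit("\\", 1)[-1]
        if key not in KNOWN_NOTIFY_KEYS or looks_random(name):
            flagged.append((key, path))
    return flagged

def notify_changes(old, new):
    """Subkeys whose DLL path changed, and subkeys that appeared: either one
    means the hook re-registered itself under a fresh name after the reboot."""
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    appeared = {k: new[k] for k in new.keys() - old.keys()}
    return changed, appeared

# Constructed sample logs: the same machine before and after one reboot.
LOG_BEFORE = """\
O4 - HKLM\\..\\Run: [msci] C:\\DOCUME~1\\Jeff\\LOCALS~1\\Temp\\2005101716257_mcinfo.exe /insfin
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: StillImage - C:\\WINDOWS\\system32\\en0ol1d31.dll
"""
LOG_AFTER = """\
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: Controls Folder - C:\\WINDOWS\\system32\\irr6l59s1.dll
"""

if __name__ == "__main__":
    before, after = parse_o20(LOG_BEFORE), parse_o20(LOG_AFTER)
    print("suspicious:", suspicious_o20(before))
    print("changed/appeared:", notify_changes(before, after))
```

The name heuristic is deliberately crude; the stronger signal is the diff, which is why chaslang asks not to reboot between logs.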

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Tell me if you can see the below (just look):
    C:\WINDOWS\system32\irr6l59s1.dll
    C:\WINDOWS\system32\en08l1du1.dll
    C:\WINDOWS\SYSTEM32\dnr6019se.dll
    C:\WINDOWS\SYSTEM32\h64mlgh1164.dll
    C:\WINDOWS\SYSTEM32\obffilt.dll

    Also post a new HJT log and DO NOT REBOOT your PC unless I request it.
     
  20. pr1mo

    pr1mo Private E-2

    I restored my host files and yes I can see every single one of those dll entries.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download these:

    Pocket KillBox

    VX2.BetterInternet Finder XP/2k - Version Msg126

    Extract them to their own folders somewhere that you will be able to find them later.

    We are going to be deleting a list of files using Pocket Killbox. I'll explain how further down. Here is the list of files:

    Here is a list of files that we need to delete using Killbox.
    C:\WINDOWS\system32\irr6l59s1.dll
    C:\WINDOWS\system32\en08l1du1.dll
    C:\WINDOWS\SYSTEM32\dnr6019se.dll
    C:\WINDOWS\SYSTEM32\h64mlgh1164.dll
    C:\WINDOWS\SYSTEM32\obffilt.dll

    and the last one is c:\WINDOWS\system32\guard.tmp

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\guard.tmp (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\system32\irr6l59s1.dll

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    If you get a Pending File Operations error message, just reboot manually (but tell me later when you come back).

    After it reboots continue with the below.

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    NOW:

    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot into normal mode again.

    Now get another find.bat log and post it. Also post a new HJT log. Do not reboot after posting these logs!!!
     
  22. pr1mo

    pr1mo Private E-2

    The only problem I ran into was when I rebooted and ran pocket killbox to kill
    C:\RECYCLER\Desktop.ini it said the file did not exist.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this file still on your PC?
    C:\WINDOWS\system32\en08l1du1.dll

    It is one of the ones I requested you delete using Killbox. It still shows in your HJT log too. Before giving you the next steps, I want to know if it is still present.
     
  24. pr1mo

    pr1mo Private E-2

    Yes it is still there.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's try this. If this does not work, I will be asking you to uninstall Ewido and MS Antispyware until we get this fixed.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixL2M.reg (yes overwrite the previous one) and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixL2M.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\en08l1du1.dll

    After clicking Fix, exit HJT.

    We are going to be deleting a list of files using Pocket Killbox. I'll explain how further down. Here is the list of files:

    Here is a list of files that we need to delete using Killbox.
    c:\WINDOWS\system32\guard.tmp

    and the last one is C:\WINDOWS\system32\en08l1du1.dll

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\system32\en08l1du1.dll (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\System32\guard.tmp

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\system32\en08l1du1.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    If you get a Pending File Operations error message, just reboot manually (but make sure you tell me later when you come back if you got this error or any others.).

    After it reboots continue with the below.


    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit VX2finder.


    Now get another find.bat log and also a new HJT log and post both of them. If you see a new O20 line in your HJT log, look to see if the file is present and let me know. Also while looking, sort the folder (the c:\windows\system32 folder) by Date and tell me if you see any fairly new (Sept or Oct of 2005) file names and what they are.

    Do not reboot after posting these logs!!!
     
  26. pr1mo

    pr1mo Private E-2

    The O20 entry was gone in the new HJT log.
     


  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Looks clean now. Are you having any other malware problems?
     
  28. pr1mo

    pr1mo Private E-2

    Nope I don't think so. Everything seems to be running much better and I haven't had any pop-ups. Thanks for the help I appreciate it.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

