Trojan Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cubbiefanshaun, Apr 15, 2006.

  1. cubbiefanshaun

    cubbiefanshaun Private E-2

    Hello all, first post to the board and amazed at the help it offers. I went through the Read me first step by step, but keep getting the same thing over and over again. Upon looking at what adaware kept finding and the warning from windows defender upon startup, it is the trojan winsync. I downloaded the tools FindQool, RKFiles, and WinPFind, and have attached the appropriate logs. Also attached is the HJT text file and bdscan.txt. Panda Active Scan would not run because of an error on the web page. Any help on ridding my computer of this annoying pest would greatly be appreciated.
     


  2. cubbiefanshaun

    cubbiefanshaun Private E-2

    The attached WinPFind file is attached below.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's get started by fixing your Look2Me infection. Run the below and attach the requested log:

    Look2Me VX2 Removal

    Then also attach a new HJT log.
     
  4. cubbiefanshaun

    cubbiefanshaun Private E-2

    Ran the programs and attached the files.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\??crosoft.NET\ntvdm.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
    O4 - HKLM\..\Run: [w03fa3e7.dll] RUNDLL32.EXE w03fa3e7.dll,I2 00032296003fa3e7
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\woqkwi.exe reg_run
    O4 - HKCU\..\Run: [Aora] "C:\DOCUME~1\SHAUNA~1\APPLIC~1\CROSOF~1.NET\winword.exe" -vt yazr
    O4 - HKCU\..\Run: [Czypht] C:\Program Files\??crosoft.NET\ntvdm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\??crosoft.NET <--- the whole folder
    C:\Documents and Settings\SHAUNA~1\Applications Data\CROSOF~1.NET <--- the whole folder
    C:\WINDOWS\system32\w03fa3e7.dll
    C:\WINDOWS\system32\woqkwi.exe
    C:\WINDOWS\system32\dmonwv.dll
    C:\Program Files\PartyPoker
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
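The O4 lines chaslang selected above all share the HijackThis format `O4 - <hive>\..\Run: [<value name>] <command>`. The script below is an added example, not a tool from this thread or from MajorGeeks: it parses such lines from a constructed sample modelled on the entries above and raises the path-based red flags a triager looks for (a Temp folder, unprintable characters in a folder name, a bare DLL loaded through rundll32, a system32 file whose name does not match its Run value). The sample lines and the flag rules are assumptions for illustration, and a clean-looking path is not proof of a clean file, which is exactly why the thread goes on to dedicated scanners for winsync.

```python
import re

# Constructed sample: O4 lines modelled on the HijackThis entries quoted in this thread,
# plus one ordinary Windows entry (ctfmon.exe) as a benign control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\woqkwi.exe reg_run
O4 - HKCU\..\Run: [Czypht] C:\Program Files\??crosoft.NET\ntvdm.exe
O4 - HKLM\..\Run: [MatrixScreenSaver] C:\DOCUME~1\SHAUNA~1\LOCALS~1\Temp\mss.exe
O4 - HKLM\..\Run: [w03fa3e7.dll] RUNDLL32.EXE w03fa3e7.dll,I2 00032296003fa3e7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
IMAGE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|scr|com))', re.I)

def image_of(command):
    """Return the file a Run command really loads (unwraps rundll32 hosts)."""
    cmd = command.strip()
    m = IMAGE_RE.match(cmd)
    image = m.group(1) if m else cmd
    if image.lower().endswith("rundll32.exe"):
        # rundll32 is only the host; the payload is the module before the comma.
        image = cmd[m.end():].lstrip(' "').split(",", 1)[0].strip('" ')
    return image

def flags_for(name, image):
    """Path-based red flags for one Run entry (hints for triage, not a verdict)."""
    low = image.lower()
    base = low.rsplit("\\", 1)[-1].split(".")[0]
    reasons = []
    if "\\temp\\" in low or "locals~1\\temp" in low:
        reasons.append("runs from a Temp folder")
    if "?" in image:
        reasons.append("unprintable characters in path (look-alike folder name)")
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("bare filename, located via the search path at boot")
    if "\\system32\\" in low and name.lower().split(".")[0] != base:
        reasons.append("system32 file whose name does not match the Run value")
    return reasons

def analyze_hjt(text):
    """Map each O4 Run value name to (hive, image, red flags)."""
    report = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            image = image_of(command)
            report[name] = (hive, image, flags_for(name, image))
    return report
```

Run `analyze_hjt(SAMPLE_LOG)` to get one entry per Run value; only ctfmon.exe comes back with an empty flag list.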
  6. cubbiefanshaun

    cubbiefanshaun Private E-2

    OK, followed everything step by step. I ran into a problem when I was deleting the objects out of the system32 folder in safe mode. The first file w03fa3e7.dll was not in the folder, the second woqkwi.exe was there, but after attempting to delete, the "could not delete" error would pop up and then the file would disappear and I never could locate it again. The last one dmonwv.dll would not allow me to delete, saying the file was in use like before. I checked the processes and didn't see anything out of the ordinary. Anyway, I went ahead and ran HijackThis and noticed the winsync was back on the log. So, that is where it stands as of now. I attached the HijackThis file for you to look at. Thanks for all the help on this matter!

    Shaun
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As per the READ & RUN ME directions, you must not use Spybot's Teatimer. It will get in the way of fixes. It was not running in your first HJT log but it is now. Please disable it. Also, uninstall Windows Defender while we work on this.

    Where did the below two items come from? What have you been installing/downloading?

    1) O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    2) Also look in Add/Remove programs and uninstall MatrixScreenSaver if found. Read the below about this program:
    http://www.bleepingcomputer.com/startups/mss.exe-2702.html


    After disabling Teatimer and uninstalling MatrixScreenSaver, and Windows Defender, attach a new HJT log.
     
  8. cubbiefanshaun

    cubbiefanshaun Private E-2

    Ok, uninstalled windows defender and disabled teatimer in spybot. Checked in add/remove programs and did not find matrixscreensaver, but you will still notice it in the hijack log. As far as the programs trying to install, I was not attempting to download/install anything. I am actually communicating through another computer with my laptop (infected) next to me, transferring hijack files. The only solution I can think of as to where they came from is when I was booting to normal mode I had the wrong box checked from msconfig, which was selective start. Also, a dvd decoder upgrade window pops up now after startup and a window stating "Setup has detected a newer version of Internet Explorer already installed on this system. Setup cannot continue." Anyway, the updated hijack log is attached, and hopefully no more kinks will pop up, thanks again for all the help!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is due to this line:

    O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async

    which comes from this: http://support.microsoft.com/default.aspx?scid=kb;en;306331

    You probably do not need this unless you knowingly did this for some reason. So I'm going to include it in a list of things to fix below.

    That is due to one of the items I was questioning.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\dvdupgrd.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [MatrixScreenSaver] C:\DOCUME~1\SHAUNA~1\LOCALS~1\Temp\mss.exe
    O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\woqkwi.exe reg_run <--- this will probably come back! We need to locate some other hidden files.
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\SHAUNA~1\Local Settings\Temp <--- it would be best to delete all files in this folder. Only ones from the current date may be denied since Windows will be using them.
    C:\WINDOWS\system32\woqkwi.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Now run the below procedure and attach the requested logs so we can work up a full fix for the WinSync problem:

    Qoologic/Winsync/Kavsvc
     
  10. cubbiefanshaun

    cubbiefanshaun Private E-2

    Here we go, did all the steps you requested and attached the appropriate logs. Only thing was the woqkwi.exe file was not there to delete. Other than that, everything went smooth. I have not connected it to the internet yet, thinking that would affect what has already been done. If I need to connect to see how things are going, please let me know. I will not connect until I hear from you. Anyway, the files are attached and look forward to the next step.

    Thanks!
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\dialler.exe
    C:\WINDOWS\SYSTEM32\FY20.DLL
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\pygvp.dat
    C:\WINDOWS\system32\woqkwi.exe
    C:\WINDOWS\system32\fbvcfsc.exe
    C:\WINDOWS\system32\eusaeoa.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xqwi.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click Scan and select the following line (it may not be there; just continue to the next steps if it is already gone) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\woqkwi.exe reg_run


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\dialler.exe
    C:\WINDOWS\SYSTEM32\FY20.DLL
    C:\WINDOWS\system32\dmonwv.dll
    C:\WINDOWS\system32\pygvp.dat
    C:\WINDOWS\system32\woqkwi.exe
    C:\WINDOWS\system32\fbvcfsc.exe
    C:\WINDOWS\system32\eusaeoa.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xqwi.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
  12. cubbiefanshaun

    cubbiefanshaun Private E-2

    Attached are the files you requested. After running killbox and removing the listed files, nothing else was found when using windows explorer. I still have not connected this computer to the internet, is it ok to do so now to check things out? Just let me know and if there are any other steps I need to do.

    Thanks!
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good! But before you connect it to the internet you need to get an antivirus, an antispyware blocker and other tools, and a real firewall (a big must).

    Here is the order of what you should do BEFORE you connect to the internet:

    • If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.
    • Use whatever PC you have been using to refer to the below link :
      • How to Protect yourself from malware!
    And from the above link download and install the below
    • AVG antivirus in step 2 - you will not be able to update online but updates can be downloaded from AVG Anti-Virus Updates
    • Download and install ZoneAlarmFree firewall from step 2
    • Download and install SpywareBlaster and enable all protection - get updates and re-enable new protection later
    • from step 5 Download and install Spybot and skip the update process while installing since you are offline. But make sure you leave the SDhelper function enabled and DO NOT use Teatimer. Also immediately use the Immunize feature.
    • from step 5 Download and install MS Windows Defender (unless you have another full time blocking program you purchased for this PC. Something like Spy Sweeper).
    • Download and install FireFox from step 7
    • Complete steps 6, 9 and 10
    Now reboot the PC and connect it to the internet and then immediately go back to the how to protect thread and run all other steps like steps 1 & 8 and get all updates for all programs.
     
  14. cubbiefanshaun

    cubbiefanshaun Private E-2

    WOOOOOOOHOOOOOOOO! Everything is running great! Thanks for all the help, I really really appreciate it. Installed all the programs and updated them and feel very good about the protection. Once again, thanks for all the help you provided! Major Geeks.com ROCKS!

    Shaun
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
