need help with VX2 / Look2Me

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by alvermin, Sep 1, 2005.

  1. alvermin

    alvermin Private E-2

    I have been experiencing a lot of pop-ups as well as stalling of surfing. I followed all steps in the "read me first before posting for help" forum. CWShredder and Kill2me keep finding Look2Me, but it never goes away. My Norton anti-virus also keeps finding it but can't delete all the files. My Adaware add-on says it finds a new VX2 variant but cannot clean it. I followed the other similar post and have posted my HJT log as well as my l2mfix log.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not complete the steps in the READ ME FIRST. For example, you never ran the online scanners (step 1 of the cleanup).

    Since you seem to already have L2MeFix and have already run Option 1, now run option 2 to have it run the fix. Post the log from this too.

    Your HJT log shows other problems with WinSync. Finish running the READ ME FIRST and the L2MeFix option 2 and then post a new HJT log.

    Then continue onto the steps below.



    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post both logs as attachments. You will need to post these in a second message.
     
  3. alvermin

    alvermin Private E-2

    Sorry about that. I did actually run the Bitdefender and RAVantivirus online scans, but later deleted them with HJT. I am currently running them again. Then I will repost logs.

    thanks
     
  4. alvermin

    alvermin Private E-2

    OK, I have finished running:
    bitdefender
    ravantivirus
    stinger
    ccleaner
    adaware
    spybot
    cwshredder
    kill2me
    l2mfix
    HJT

    I have attached the l2mfix log that was created during the step 2 fix.
    I have also attached the new HJT log.

    I will now go back and follow the instructions for the Qoologic tools and RKFiles tool and then post those reports.

    thanks
     


  5. alvermin

    alvermin Private E-2

    OK, I have finished the two additional steps of Qoologic and RKTools and I have attached the logs of each. I now have to go off to work for the rest of the day. I will check the board and continue as soon as I get back home.

    thanks
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket KillBox

    Next, you will be entering items into Pocket KillBox. Please select the "Delete on Reboot" option. Copy & paste each of the file names listed below at the bottom of this message into the box one by one, making sure Delete on Reboot is checked for each entry. Click the Red X for each entry, but when asked if you want to Reboot say No. Keep saying no to reboot until you enter the final file, then say Yes!

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it just continue.

    Also note: If you get an error message about Pending Operations after saying yes to reboot, just reboot your computer manually.

    C:\WINDOWS\ICONT.EXE
    C:\WINDOWS\SYSTEM32\bH.dll
    C:\WINDOWS\SYSTEM32\LSSSD4.EXE
    C:\WINDOWS\SYSTEM32\BDMDQRM.EXE
    C:\WINDOWS\SYSTEM32\JEAEK.DLL
    C:\WINDOWS\SYSTEM32\SFSFDKS.DLL
    C:\WINDOWS\SYSTEM32\PWKWY.DAT
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nrir.exe


    After reboot post a new HJT log and let me know how these steps went and how things are working.
     
  7. alvermin

    alvermin Private E-2

    I finished the steps with Pocket KillBox and have attached the new HJT log below. I noticed that the winsync lsssd4.exe is still listed. Will stay on and surf awhile to see how pop-ups and stalling are acting.

    thanks
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's continue.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Command Service (or if not found look for cmdService) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Command Service

    If that does not work try entering the short name: cmdService

    Now exit HJT but do not reboot if it tells you one is needed. We will be restarting HJT again in a few lines.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lsssd4.exe reg_run
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWwA\command.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\lsssd4.exe
    C:\WINDOWS\YWwA\command.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
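As an added illustration (not code from this thread, from HijackThis or from the tools it mentions), a small Python triage helper that splits HJT log lines like the ones quoted above into their O-section fields, flags "(file missing)" orphans, Unknown-owner services and Trusted Zone additions, and pulls out the service short name that the "Delete an NT Service" step asks for. The sample log lines are constructed to mirror the entries quoted in this post.

```python
import re

# Constructed sample HJT lines modelled on the entries quoted in this thread
# (not the poster's real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lsssd4.exe reg_run
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.musicmatch.com
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWwA\command.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?: \(file missing\))?$"
)

def parse_entry(line):
    """Split one HJT line into its O-section, raw text, parsed fields and review flags."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # blank line or a non-O line (header, process list, etc.)
    section, text = m.groups()
    entry = {"section": section, "text": text, "flags": []}
    if section == "O4":          # autostart (Run key) entry: name + command line
        r = RUN_RE.match(text)
        if r:
            entry.update(r.groupdict())
    elif section == "O23":       # NT service: display name, short name, owner, binary
        s = SERVICE_RE.match(text)
        if s:
            entry.update(s.groupdict())
            if s.group("owner") == "Unknown owner":
                entry["flags"].append("unknown-owner")
    elif section == "O15":       # any Trusted Zone addition is worth a second look
        entry["flags"].append("trusted-zone")
    if "(file missing)" in text:  # orphaned entry: the referenced file is already gone
        entry["flags"].append("file-missing")
    return entry

def triage(log):
    """Return all parsed entries plus the service short names HJT's NT-service step needs."""
    entries = [e for e in (parse_entry(l) for l in log.splitlines()) if e]
    service_names = [e["short"] for e in entries if e["section"] == "O23" and "short" in e]
    return entries, service_names

if __name__ == "__main__":
    entries, services = triage(SAMPLE_LOG)
    for e in entries:
        print(e["section"], e["flags"], e["text"][:60])
    print("short names for 'Delete an NT Service':", services)
```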
     
  9. alvermin

    alvermin Private E-2

    Finished those steps and have attached the HJT log. A couple of things I noticed along the way:

    Command Service was already stopped (when using Services.msc)
    Command service line was not present during the first HJT fix
    neither lsssd4.exe nor command.exe were found during safe boot (I ran a file search).

    Hopefully those are good points to find.

    Not been getting many pop-ups, but have experienced some stalling while surfing. I will monitor now that I have done these last few steps.

    thanks for all your time and effort

    al
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean!

    Are you really still having popup problems?

    If so, what do they say? Is there a URL? When do you get them? Is it only when connected to certain sites?
     
  11. alvermin

    alvermin Private E-2

    Haven't had pop-ups since the last fixes.

    Great to hear the log is clean!!

    Thanks for the awesome assistance
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    That's great news. Now to help keep you clean, follow the steps in the below thread:

    How to Protect yourself from malware!
     
