Arrrgh -- help with popups -- please Look2me?

Discussion in 'Malware Help (A Specialist Will Reply)' started by desperate stephen, Nov 21, 2005.

  1. desperate stephen

    desperate stephen Private E-2

    Having nasty problem getting rid of popups. Followed the instructions here, and more. Did lots of scans.

    I believe I have Look2me virus, but when I ran remover program recommended here, I did not get a log file opening after reboot. I found a file called lo2 in the folder though. Here it is.

    L2Mfix 1.04a

    Running From:
    C:\Documents and Settings\Dawn\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C(IO) access for predefined group "Administrators"
    - adding new ACCESS DENY entry
    - changing existing entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-CI) DENY --C------- BUILTIN\Administrators
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    And here's the hijack this file:


    Edit by chaslang: Inline log removed

    I think line 020 shows the problem, but I don't know how to fix it. Never used Registry Editor.

    Arrghhh! Please help. I will be really really grateful.
     
    Last edited by a moderator: Nov 21, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the instructions again in the READ & RUN ME. See step 7 in particular. HijackThis logs must be attachments. Also read step 3 again. You have multiple antivirus applications installed.

    Give this a run: Running Spy Sweeper...

    Make sure you attach the Spy Sweeper log when finished and also attach a new HJT log too.
    It will take quite a while for the Spy Sweeper scan to run. It is very intensive and should resolve your Look2Me problems.
     
  3. desperate stephen

    desperate stephen Private E-2

    Wow. Thanks. That seems to have done it. At last. You are a genius.
    I have attached my new hijackthis log.

    I spent days running every scan I could find, ewido, norton (which I paid for), counterspy (ditto), spyblaster, adaware, microsoft and several online scans. Many of them removed things, probably things I didn't know I had, but only spysweeper cleaned up look2me, which was driving me mad.

    I have a question. I'm now running avast, Microsoft antispyware and Spysweep, which I only have as :) a trial.

    Which should I get rid of? Uninstall Spysweep? I think my system is clean now, and I promise to never open any more dodgy keygens, or keygens of any kind.

    Thanks so much for your help.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to either uninstall Avast or Symantec AV. It's your choice. Since you purchased the Symantec software, you may want to stick with it (at least until the subscription expires).

    I would not have both MS Antispyware and SpySweeper running (requires too much of your system resources). Personally I would buy SpySweeper and keep it, but if you do not want to buy anything else just uninstall SpySweeper.

    Let's do some final cleaning! But first make sure you take care of the above before continuing with the below.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O21 - SSODL: HEDCEGIE - {237C5D37-1EA1-3FC4-58AA-53BC212C0D18} - C:\WINDOWS\system32\Ljapaf32.dll (file missing)

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
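
The following is an added example and not part of chaslang's post: a small Python parser for HijackThis-style lines, run over the six entries listed above, that separates the blank or default `R` values from the `O` entries whose target is marked `(file missing)` and groups the latter by CLSID. The function names are hypothetical, and the line layout is assumed from the entries shown in this thread.

```python
import re
from collections import defaultdict

# The six entries from the post above, copied verbatim.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O21 - SSODL: HEDCEGIE - {237C5D37-1EA1-3FC4-58AA-53BC212C0D18} - C:\WINDOWS\system32\Ljapaf32.dll (file missing)
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

def parse_line(line):
    """Split one HijackThis line into section, target, CLSID and flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank line or anything that is not an entry
    section, body = m.groups()
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    clsid = CLSID_RE.search(body)
    entry = {"section": section, "missing": missing, "value": None,
             "clsid": clsid.group(0).upper() if clsid else None}
    if section[0] == "R":
        # R lines have the form "key,value-name = data"; data may be empty.
        entry["target"], _, data = body.partition(" =")
        entry["value"] = data.strip()
    else:
        # O lines end with the file the registry entry points at.
        entry["target"] = body.rsplit(" - ", 1)[-1]
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def orphaned_by_clsid(entries):
    """Group entries whose target file no longer exists by CLSID."""
    groups = defaultdict(set)
    for e in entries:
        if e["missing"] and e["clsid"]:
            groups[e["clsid"]].add((e["section"], e["target"]))
    return dict(groups)

if __name__ == "__main__":
    for clsid, refs in orphaned_by_clsid(parse_log(SAMPLE_LOG)).items():
        print(clsid, sorted(refs))
```

Both O9 lines collapse to one CLSID because they are two views (toolbar button and Tools menu item) of the same leftover registration.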
     
