followed instrucs and almost there

Welcome to MGs!

Use a different browser like Mozilla FireFox to attach your log. Since you cannot run either online scan I would also suggest that you run the below and attach the requested log.

Running Spy Sweeper

 

Okay your first problem is that your OS and IE versions are way out of date and represent a major security risk to you. Once we have fixed any existing problems on your PC, you must get updated. Some of your problems may even be due to the fact that you have not installed all the necessary security updates to protect you.

Running with no antivirus application and no firewall is just as bad as the above. You have a bunch of problems and some are very bad as you will see below.

You have a major problem with the below:

You also have a second trojan that steals passwords for financial related locations. See:
http://www.securitymob.com/my_smob/alert_info.asp?alert=29192


You should looking into changing all of your passwords especially for financial institutions. You should call them and check to make sure tha no suspicious activities have been occurring. Do not use this PC to do any password changes or any financial related activities.


Let's begin your cleanup!


First download GetRunKey125b.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey125b.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt) . This log will also popup in a notepad window which your can just close. Upload the runkeys.txt file here as an attachment. Do this before continuing to the below.

Now look in Add/Remove programs and uninstall Crystalys_Media if found.

Now run the procedure in the following link and attacht the two logs: Look2Me VX2 Removal

Now continue on to my next message.

 

After doing what I posted in message number 4, continue with the below.

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\windows\batserv2.exe
After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: CMBHO Class - {6379A99A-9102-446C-A837-0623E1810D75} - C:\Program Files\Crystalys media\cm.dll
O3 - Toolbar: CM Band - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - C:\Program Files\Crystalys media\cm.dll
O4 - HKLM\..\Run: [lihymgnA] C:\WINDOWS\lihymgnA.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\windows\System32\msvcp.exe
O4 - HKLM\..\Run: [HostSrv] C:\windows\sachostx.exe
O4 - HKLM\..\Run: [lspins] "C:\windows\System32\igps.exe"
O4 - HKLM\..\Run: [BatSrv] C:\windows\batserv2.exe
O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\jt2607fse.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\windows\System32\pgpdobmp.dll

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Crystalys media <--- the whole folder
C:\Program Files\Common Files\VCClient <--- the whole folder
C:\WINDOWS\inet20003 <--- the whole folder
C:\WINDOWS\lihymgnA.exe
C:\WINDOWS\sysldr32.exe
C:\windows\System32\msvcp.exe
C:\windows\sachostx.exe
C:\windows\System32\igps.exe
C:\WINDOWS\system32\jt2607fse.dll <--- this may have changed names by now or it may be gone due to running L2MeFix
C:\windows\System32\pgpdobmp.dll
C:\windows\batserv2.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe <--- look in this folder and delete all file that begin with ibm000 . You may find some that are .exe files and some that are .dll files. They should show in the runkeys.txt log too.

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Okay! SpySweeper fixed a ton of problems. After you complete the rest of my instructions attach the runkeys.txt log, the L2MeFix logs (these will probably not be needed if you have not run them yet because it looks like SpySweeper fixed the Look 2 Me infection), then attach the follow up HJT log requested at the end of message # 5.

 

The GetRunKey125b.zip link was broken below if you tried it and had a problem I fixed it now.

 

It would only be empty if you did not unzip both files from the GetRunKey125b.zip file. You must make sure that both files were extracted from the ZIP file to the same folder. You cannot run the GetRunKey125b.bat from inside the zip file. If you do, it will not find the grep.exe file that it needs.

 

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [lihymgnA] C:\WINDOWS\lihymgnA.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\lihymgnA.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Now run GetRunKey125b.bat again and attach a new runkeys.txt log. Yes, give IE a run.

 

Are you sure you clicked fix on the below line:
O4 - HKLM\..\Run: [lihymgnA] C:\WINDOWS\lihymgnA.exe

It is still in your log!. Try again and then reboot and look for yourself at a new log to see if it is gone. If it is not gone, do the below:

• Uninstall Spy Sweeper and MS Antispyware
• Reboot
• use HJT to fix that O4 line again
• reboot to safe mode and just double check to make sure the C:\WINDOWS\lihymgnA.exe does not exist. Delete if found
• reboot into normal mode and post a new HJT log. But look at it first yourself to see that the O4 line is gone.

 

Your last log was clean. What you need to do immediately is the below start from step 1 and work thru to the end. You must complete step 1 or you will keep having problems like the LSA shell message you got. Also you are very susceptable to a whole load of trojans and viruses right now. So start running the below now:

How to Protect yourself from malware!

 

Okay! When you complete all the steps, post a new HJT log so I can verify you have been updated properly.

 

Download the attached file and unzip to your harddisk (anyplace you can find it). You will see FixWinUpd.bat after unzipping. Double click on FixWinUpd.bat and in a few seconds a notepad windows will popup. This notepad file is already save at c:\winupd.txt

Upload winupd.txt as an attachment.

 

Okay! I did not see a particular registry key titled "RebootRequired" that I thought may be in there.

Try going to the below link and see you can manually download and install the Update for Background Intelligent Transfer Service :

http://www.microsoft.com/downloads/details.aspx?amp;amp;displaylang=en&familyid=B93356B1-BA43-480F-983D-EB19368F9047&displaylang=en

 

When does it say this?

Where you able to download the file to your PC?

Note: You must make sure you have validate your OS to Microsoft first. Did you click on the below to run genuine Microsoft Windows validation. If you have not done this at any point, you must do this first or you cannot install updates.

 

Are you sure it is actually validating? Attach a new HJT log.

Access denied to what? What is the full message in the Window?

It is starting to sound like the OS is not legit or that Windows was never properly activated. If this is true, I cannot help you any further. You would have to get a legitimate licensed copy of Windows installed.

 

Well it does not appear to me that your OS is illegal. Based on the below line in your HJT log it would appear that Microsoft has validated that your OS is genuine.

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835

Let's try something different. This will not get you up to SP2 but at least it will be better than where you are at. Download the Windows XP Service Pack 1a (SP1a) update from the below link and then install it. Post a new HJT log after it installs successfully.

http://www.softpedia.com/get/System/OS-Enhancements/Windows-XP-Service-Pack-SP1a.shtml

 

Instead of installing it while online with MS Update. Try downloading the whole SP2 package from the below link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en

Then at least you have it and can install it anytime. It will still take a long time to download with your connect speed. I'm not sure what you are referring to with programs and files getting messed up. At this point you would be better served discussing this in the Software Forum since it is really not a malware problem.

Your alternative to SP2 is to download SP1a from the link I gave you earlier and use it instead. While it is not as secure as SP2, it is a heck of a lot better then what you are using now and it may give you fewer compatibility issues (if that is what you are having with SP2).

 

Looks good.

You can have HJT fix the below left over from Spy Sweeper:

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Is everything running okay now? Have you completed the rest of the How to protect thread?

 

The how to protect thread gives you a link that explains how to disable the Windows XP SP2 firewall. It is pretty easy to do.

Note that Ad-Aware provides no blocking of malware. You need to keep Spybot install and use it's Immunize functions. You also should use the protection provided by SpywareBlaster.

Do you still have MS Antispyware installed?

 

Yes keep Ad-Aware, Spybot S&D, SpywareBlaster, and note that you should update to Microsoft Windows Defender as now shown in the How to protect thread (MS Antispyware has been discontinued and is replaced by Windows Defender.)
Ad-Aware uses no resource exept when scanning.
Spybot S&D with only SDHelper enable and Immunize enabled uses very little resources accept when scanning)
SpywareBlaster uses no resources
Microsoft Windows Defender will use resources and provides fulltime active protection from malware.

Based on how much surfing you do, weekly should be good.