Followed directions in "Read & Run Me First", need logs reviewed please.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Roger Beta, Apr 5, 2006.

  1. Roger Beta

    Roger Beta Private E-2

    I'm so pleased with this site. It's really wonderful that you guys can devote your time and knowledge to help folks like myself remove the crud from our machines. I performed the steps outlined in the "Read and Run Me First" to the best of my ability. I read it many times to make my best effort at providing you with the information you need in the format you want it. I hope I have followed your instructions correctly and I apologize in advance if I made an error. I look forward to taking the next steps to remedy what remains of my laptop's infection. I had to run the online scans in normal boot because my only connection to the internet is wireless. My RJ45 connection has a tab broken off. Because the malware continues to reconstitute itself in normal boot even after having run the cleaning steps, I have not been able to complete the Bitdefender scan and I'm not sure if I should try the Panda ActiveScan since you say to run Bitdefender first. OK, I tried Bitdefender once more before posting this. I "fixed" a couple of things in the HT scan before running Bitdefender and I actually completed the scan, but when I clicked "view the report" it never displayed, as if the link was bad. Hope I have not screwed things up worse than they already are.

    P.S. I read the "Protect yourself from Malware" post and have instituted the recommendations on my desktop to prevent infection. My laptop is the machine that I'm needing help with repairing. I mention the desktop because I have a question about my choice of AV and firewall. I chose the AVast Home Edition anti-virus and ZoneAlarm firewall. After install, AVast informed me of a conflict with ZoneAlarm having something to do with privacy features of ZoneAlarm. Also, ZoneAlarm does not recognize AVast as my anti-virus program. Is there a better combination of AV and firewall that I should use instead?
    Thanks, Chas.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    It would be a good idea for you to do the PandaActiveScan procedure but do it after doing the below.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Now after attaching the destroyer and new HJT logs, run Panda and attach the log when it finishes.
     
  3. Roger Beta

    Roger Beta Private E-2

    I have run the L2M Destroyer as instructed. I then ran HJT and have saved both log files. I fired up IE to run the Panda scan and IE has an error and must close. I've rebooted a couple of times and get the same error each time I try to run IE. I'm currently running the malware removal steps again and I hope to restart and be able to run IE, but I wanted to go ahead and post the two logs I have in case I am unable to restore IE to functional status. I hope you can make recommendations based on these two logs that can at least get me to a point of being able to run any additional scans that will help in destroying this infection. Thank you for your help. Chas.
     

    Attached Files:

  4. Roger Beta

    Roger Beta Private E-2

    Success! After running the malware removal process yet again I was able to run IE and successfully scan with BD and Panda both. Here are the results.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That Bitdefender log is not useful. It must be obtained exactly as indicated in step 6 for it to be helpful.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    Did you follow the steps exactly as written in the READ & RUN ME to fix the Spybot bugs???? Make sure you did!

    Also give the below a run!

    http://www.purityscan.com/uninstall.html

    Now run the below and attach the Ewido log:

    Running Ewido Anti-Malware

    Then attach a new HJT log. You still have a load of problems. I just need to get more info before we can get them all fixed.
     
    Last edited: Apr 9, 2006
  6. Roger Beta

    Roger Beta Private E-2

    I saved the BD report a couple of different ways. If this report is the one that benefits our cause, then the instructions in step 6 aren't correct. When Bitdefender completes the scan you must click on "Click here to export report" rather than "Click here to view the report". As far as Spybot goes, I ran the "Immunization" and I ran the "Check for problems" and "Fix Selected Problems". All products were deselected and I used the only thing in S&D I could find called SDHelper. I found it under "Tools", then "Resident", then I checked the box marked Resident "SDHelper". The instructions in Step 4 did not mention how to go about using SDHelper, just that I should, so hopefully I did use it correctly. I'll be back shortly with the other info you requested in the last post. Thanks, Chas.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks fine to me! I quote from the READ ME:

     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is installed and enabled by default as long as no options are changed while installing. Although I have seen cases where it seemed like something (like another malware blocking tool or maybe having IE running) causes it not to be enabled.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note:
    That is still the wrong way to get the Bitdefender log. It is supposed to be an HTML file.

    But this one is at least a log, not a summary. It is just a lot more time consuming to read since it is not formatted properly like the HTML file would be. It also requires more steps on your part to edit it this way. If the steps are followed you get an HTML file with a .txt file extension to be uploaded.
     
  10. Roger Beta

    Roger Beta Private E-2

    You're right about the Read Me. It has been updated. I have a printed copy of that entire forum dated 3-30-06 and it says:
     
  11. Roger Beta

    Roger Beta Private E-2

    I have the "Click here to export report" file saved but I did not change the "save as type" to .txt when I saved it. Do you want that? Should I run the scan again and save it as type .txt and then upload that?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Always.....I repeat Always check the online copy. Just like malware changes daily and tools have to change daily.......so does the READ ME. ;)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Rename it to a .txt extension. HTML files cannot be uploaded as they are a security risk! Then attach the renamed file.

    Please complete what I gave you in message # 5.
     
  14. Roger Beta

    Roger Beta Private E-2

    Man, I'm starting to feel like I'm high maintenance. The BDscan I uploaded previously is the "Click here to export..." version of the saved file, but I did not change the "Save as type" setting at the time of saving it. So I did change it just before uploading it here. I wonder if not changing it at the time of save had an effect on the format of the report. I'll gladly run it again if it makes it easier on you. I tried running the PurityScan but it had an error "Ad log did not load" or something like that. I tried 2-3 times to no avail. Do I have porn hidden on my machine? I am booted in safe mode and Ewido is running a complete scan now. I apologize for not referring to the online Read Me. I've just been stewing over this printed version the past few days and running it many times on end, and it did not occur to me that I should check for changes. My apologies. One final note: I started Ewido earlier and realized at about 49% complete that I had not run CCleaner, so I stopped and canceled the scan without saving, then ran the cleaner, then started Ewido again. I have a feeling I may have made a tragic error in not saving what I had completed. Figured I should let you know in case I should now do anything differently. Thank you for your patience.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about the Bitdefender log now. Also skip the PurityScan stuff. They probably realized everyone was using it to remove their crap and broke it on purpose. Just complete the stuff from message # 5 and attach the Ewido log and a new HJT log. Yes, it was a bad idea to stop Ewido without saving the log, because now I will not know what has already been fixed. Thus any instructions I give you later to delete various things may result in them not being found.
     
    Last edited: Apr 11, 2006
  16. Roger Beta

    Roger Beta Private E-2

    Here are the Ewido and HJT reports.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to install the current version of Sun Java from http://java.com/en/
    and then use Add/Remove programs to uninstall the below outdated version:
    J2SE Runtime Environment 5.0 Update 4

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\errorhandler.exe
    C:\Documents and Settings\Roger\My Documents\?racle\attrib.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Search - {7264DB02-89A8-6AA7-36BA-0695F96D0ABB} - C:\WINDOWS\wusiyxql.dll (file missing)
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
    O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
    O4 - HKLM\..\Run: [ms060097-52449] C:\WINDOWS\ms060097-52449.exe
    O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
    O4 - HKLM\..\Run: [win320897-5244900] C:\WINDOWS\win320897-5244900.exe
    O4 - HKLM\..\Run: [ms0590097-5244] C:\WINDOWS\ms0590097-5244.exe
    O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
    O4 - HKLM\..\Run: [wxlteglA] C:\WINDOWS\wxlteglA.exe
    O4 - HKLM\..\Run: [sys10-524490097] C:\WINDOWS\sys10-524490097.exe
    O4 - HKLM\..\Run: [sys01524490097-] C:\WINDOWS\sys01524490097-.exe
    O4 - HKLM\..\Run: [ms04490097-524] C:\WINDOWS\ms04490097-524.exe
    O4 - HKLM\..\Run: [w00251dc.dll] RUNDLL32.EXE w00251dc.dll,I2 00003ac8000251dc
    O4 - HKLM\..\Run: [win32097-52449009] C:\WINDOWS\win32097-52449009.exe
    O4 - HKLM\..\Run: [ms034490097-52] C:\WINDOWS\ms034490097-52.exe
    O4 - HKCU\..\Run: [Pcuh] "C:\WINDOWS\system32\CROSOF~1.NET\spoolsv.exe" -vt yazr
    O4 - HKCU\..\Run: [Canoucb] C:\Documents and Settings\Roger\My Documents\?racle\attrib.exe
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\l6l6lg3s16.dll (file missing)
    O20 - Winlogon Notify: satmmc - satmmc.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon <--- the whole folder
    C:\Program Files\outlook <--- the whole folder
    C:\Program Files\SurfSideKick 3 <--- the whole folder
    C:\Program Files\AdwareAlert <--- the whole folder
    C:\Documents and Settings\Roger\My Documents\?racle <--- the whole folder
    C:\WINDOWS\system32\CROSOF~1.NET <--- the whole folder
    C:\Documents and Settings\Roger\rar.exe
    C:\Documents and Settings\Roger\Local Settings\Temporary Internet Files\Ssk.log
    C:\iexplore.exe
    C:\Setup.exe
    C:\WINDOWS\system32\w00251dc.dll
    C:\WINDOWS\uniq
    C:\WINDOWS\elos.exe
    C:\WINDOWS\errorhandler.exe
    C:\WINDOWS\Um9nZXI\oA6BtrK.vbs
    C:\WINDOWS\keyboard61.dat
    C:\windows\newname9.exe <--- delete any files whose name starts with newname and ends in .exe (like newname1.exe, newname2.exe... etc.)
    C:\windows\mousepad9.EXE <--- delete any files whose name starts with mousepad and ends in .exe (like mousepad1.exe, mousepad2.exe... etc.)
    C:\windows\KEYBOARD9.EXE <--- delete any files whose name starts with KEYBOARD and ends in .exe (like KEYBOARD1.exe, KEYBOARD2.exe... etc.)
    C:\windows\GIMMYSMILEYS9.EXE <--- delete any files whose name starts with GIMMYSMILEYS and ends in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe... etc.)
    Also look in c:\ for any of the newnameX, mousepadX, keyboardX, GIMMYSMILEYSX files and delete them too
    C:\WINDOWS\ms034490097-52.exe
    C:\WINDOWS\ms04490097-524.exe
    C:\WINDOWS\ms0590097-5244.exe
    C:\WINDOWS\ms060097-52449.exe
    C:\WINDOWS\sys10-524490097.exe
    C:\WINDOWS\sys01524490097-.exe
    C:\WINDOWS\win32097-52449009.exe
    C:\WINDOWS\win320897-5244900.exe
    C:\WINDOWS\wxlteglA.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  18. Roger Beta

    Roger Beta Private E-2

    I killed the processes and fixed all lines mentioned in the HJT scan. I then booted into safe mode to delete items with Windows Explorer. Items listed in lines 1-6, 8, 11, 18, 20, 22-27 and 29 were not present. In addition to the items you list I also deleted: setupapi.old, is-PFJNU.exe, yazzlebundle-1119.exe, and pf78ba.exe. I saw additional items I thought to be suspicious but I did not want to be overzealous in my deleting of things you did not tell me to. Something that is happening I should mention is that all of my desktop icons in normal boot remain highlighted, and when in safe mode I have no start bar nor get any response when I hit the Windows key on the keyboard. It's not critical, I just thought it might be info you could make use of. I followed the rest of your instructions and the machine seems to do pretty well. It is actually behaving quite normally except for the above mentioned quirks. I do not get jacked when browsing and as of yet no pop-ups. I have about 35 processes running; CPU usage while browsing the internet (3 windows) fluctuates from 0%-7% with an occasional spike up to around 20%. I still think there is stuff on here but you will know better than I. Thanks so much for the help you have already given me.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is now clean! I'm not sure what is up with the Desktop icons all being selected. You may want to ask about that one in the Software Forum.

    When you boot in safe mode and there is no Start button, are there any Desktop icons?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  20. Roger Beta

    Roger Beta Private E-2

    Yes there are desktop icons in safe mode. They are not selected, but there is no start bar. Of the suggested programs in the Protect Yourself from Malware which combination of Firewall and AV do you feel are the most effective together? If I were to run a repair/upgrade installation of XP would that reset my restore points?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My personal preference for a firewall is ZoneAlarm. Any of the three antivirus applications will work fine with it. Give AVG a try, I think you will like it.
     
