Help with spyware (followed directions)

Discussion in 'Malware Help (A Specialist Will Reply)' started by arrchangel, Dec 28, 2005.

  1. arrchangel

    arrchangel Private E-2

I have been having an awful time removing some spyware from my pc. Attached are the logs I received after following the advice of http://forums.majorgeeks.com/showthread.php?t=35407. I have followed the directions and still have some spyware on here :(

    Any help regarding this would be very appreciated. Thanks in advance for your time.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's

Let's begin by emptying your recycle bin and any quarantine folders.

    And if you use Norton N-Protect, empty it too.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you run L2MFix?

    You did not follow the steps in the READ & RUN ME for disabling the below:
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    You also seem to have skipped step 3 of the READ ME. I see AVG and Symantec.

    Were you running multiple notepad sessions when running HJT? And also WinZip? Why?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After fixing what was mentioned in messages 2 & 3, continue with below. If you do not take care of those first, these steps may not work.

    Look in Add/Remove programs and uninstall Limeshop if found.
    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - _{49A25301-7CAC-A4FA-B638-457843BA4CE2} - (no file)
    R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exer.dll
    O2 - BHO: (no name) - {3BFF1355-B140-58C2-8753-60550DF3724E} - C:\WINDOWS\SYSTEM\LCXDHI.DLL (file missing)
    O2 - BHO: (no name) - {69AF480D-E344-0D94-8753-60550DA6271C} - C:\WINDOWS\SYSTEM\DLJZ.DLL (file missing)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {CE61D270-DB62-F508-1353-4BEEC18131B8} - C:\WINDOWS\Wlwdqxku.dll (file missing)
    O3 - Toolbar: Search - {44C7C79E-4DBD-4E1A-FD19-A424734AC5B9} - C:\WINDOWS\Wlwdqxku.dll (file missing)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):

    C:\Program Files\LimeShop <--- the whole folder
    C:\WINDOWS\SYSTEM\LCXDHI.DLL
    C:\WINDOWS\SYSTEM\DLJZ.DLL
    C:\WINDOWS\Wlwdqxku.dll

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
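The HijackThis lines chaslang singles out above share a few mechanical patterns: entries whose target file no longer exists ("(no file)" / "(file missing)"), a UserInit value with a second program appended after the real userinit.exe, a DPF entry with no download URL, and a context menu item that runs a local script. As an added example (my own code, not from this thread or from HijackThis), the Python script below parses lines in that log format and flags those patterns so a log can be triaged before anything is fixed. The sample lines are copied from the post above; the rule names, the function names and the expected UserInit path are my assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample log: HijackThis-style lines taken from the fix list in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exer.dll
O2 - BHO: (no name) - {3BFF1355-B140-58C2-8753-60550DF3724E} - C:\WINDOWS\SYSTEM\LCXDHI.DLL (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
"""

# Every HJT line is "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed expected value: on a stock XP install UserInit holds only this program.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

Finding = Tuple[str, str, str]  # (section, reason, original line)


def check_userinit(body: str) -> List[str]:
    """Return a reason for every UserInit entry that is not the real userinit.exe.

    Winlogon runs each comma-separated program in UserInit at logon, so an extra
    entry (like the .exer.dll in the thread) is a persistence point to explain.
    """
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    return [f"unexpected UserInit entry: {e}" for e in entries if e != EXPECTED_USERINIT]


def triage(log_text: str) -> List[Finding]:
    """Parse HJT-format lines and flag the patterns worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or free text, not an HJT entry
        section, body = m.groups()
        if body.endswith(ORPHAN_MARKERS):
            # Registry still points at a file that is gone: leftover of a removal.
            findings.append((section, "orphaned entry: referenced file is absent", line))
            continue
        if section == "F2":
            for reason in check_userinit(body):
                findings.append((section, reason, line))
        elif section == "O16" and body.endswith("-"):
            findings.append((section, "DPF/ActiveX entry with no download URL", line))
        elif section == "O8" and "file://" in body.lower():
            findings.append((section, "context menu item runs a local script file", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run as-is it reports six of the seven sample lines; the legitimate O4 TeaTimer entry passes untouched, which is the point of keeping the rules narrow rather than flagging every unfamiliar path.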
     
  5. arrchangel

    arrchangel Private E-2

    Thank you for welcoming me :)

Okay I will do this as soon as I get back to work. As for the notepads, they were opened when the logs were created, out of curiosity.

I actually uninstalled symantec from the get-go, I found that software to be more of a problem than a solution. I ended up just deleting the symantec folder while in safe mode since an uninstall didn't stop the startups from re-registering themselves.

    I ran L2MFix because I saw in one of the logs that it was present, maybe I was wrong?

    I really appreciate the help with this!

    edit: by Limeshop are you referring to LimeWire?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Deleting folders is not the correct way to uninstall. Using Add/Remove programs is. Did you use Add/Remove programs first? We will need to do some work later to remove the items still showing up.

The Look2Me infection that L2MFix works on does not appear to be present. But yes, Panda showed an EXE file and flagged it as Look2Me.

    I only saw Limeshop in your log not Limewire. Do you also have Limewire? If so, what version is it?
     
  7. arrchangel

    arrchangel Private E-2

I uninstalled the Norton programs using add/remove, of course. I even ran a Norton Removal Tool, yet the startup processes kept coming back. After seeing BitDefender see the Norton virus definitions, I decided to delete the folder containing the items out of desperation.

    I ran the scan (BitDefender) the first and second time with Norton un-installed, the second time with the Symantec folder deleted. I did not want to have the Panda scan see the same definitions.

I do have LimeWire; it's the PRO version of the software.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Version number???

    And do you use whatever Limeshop is supposed to be?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing all the other steps! Run HJT and Fix the below lines:
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    Then reboot and delete the below folder if found (unless you own other symantec software):
    C:\Program Files\Common Files\Symantec Shared

    If you do own other Symantec Software that you still use, then you should not delete the Symantec Shared folder. But instead just delete the below files that are in the folder:
    symlcsvc.exe
    ccApp.exe
    ccEvtMgr.exe
    ccSetMgr.exe
    SBServ.exe
     
  10. arrchangel

    arrchangel Private E-2

Ah, it's ver. 1.0.0.2, I don't know what Limeshop is so I'm gonna go with a big "No" on that one.

    All these problems began when my buddies got on my computer for a night. The rest is history :mad:
     
  11. arrchangel

    arrchangel Private E-2

    Ok, attached is the HJT log. It was created after following your instructions. See anything out of the ordinary?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Hmmm! Isn't that the first version of LimeWire, which is very old? I thought they were on LimeWire current version 4.10.0 now.

    Older versions (before the latest ones) all contained malware.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! I never noticed that you did not follow step 7 of the READ AND RUN ME properly. HJT is still installed incorrectly.
    C:\Documents and Settings\Laur\Desktop\Comp Info\HijackThis.exe

    The below process is not valid for a WinXP system. Did you upgrade from WinMe to WinXP?
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe

    Fix these next O9 lines with HJT:
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    Unless you know for sure the below is clean, fix it.
    O16 - DPF: {A1B09066-C95C-4EF6-8DFD-3DD0AFE610B6} - http://pak02.pictures.aol.com/ygp/aol/plugin/screensaver/YGPPicScreensaver.en-US.9.1.6.20.cab
     
  14. arrchangel

    arrchangel Private E-2

    My bad! :rolleyes:

    LimeWire Pro v4.9.41.1

    edit:

Yes, the computer was upgraded to XP from Me as part of this process of fixing the computer. I removed the ebate earlier, I ran a search on it and saw what kind of junk it was.

Well, the computer is now out of my hands and is hopefully all better. I just found some malware on my pc at home, so that's next. Good times.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So you were working on a PC that was not yours?
     
  16. arrchangel

    arrchangel Private E-2

    The PC is mine, but is used by my family. Is there a problem with that?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

No! It's just that you said
    And we always have finishing things to do.

    1) follow step 1 of the READ ME now to remove possible infected restore points

    2) follow the steps in the below link to help keep the PC clean:
     
