Hijack Help Please

Hi. After quite a few attempts at following the instructions in the stickies I'm at my wits end. Some notes on my progress:

After Ad-Aware, an error message:

Some objects could not be removed

C:\WINDOWS\system32\fp2q03f5e.dll

Spybot could not touch Look2Me.Topconverting

And Bitdefender simply crashes mid-scan.

I will post my HJT logfile for your seasoned eyes to let me know how the hell to get rid of this junk. Thank you.

 

You are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

Download LSP-Fix

After download is complete, Run LSP-Fix

Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_10650.dll file (in the “Keep” section) to select it.

Then, Select the >> button to move xfire_lsp_10650.dll into the Remove section.

Now, click the Finish Button. When the Repair Summary box appears, click OK.
(Note: If the file farlsp.dll is already in the remove section, then just click FINISH.)

Now run HijackThis and fix the following:

Download
- Pocket Killbox
- ExplorerXP

Now run Pocket Killbox:

Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now boot into SAFE MODE

Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

Using the Search funstion in the Start menu search for ibm000?.*. Delete every instance found.

Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

REBOOT to Normal Mode.

Follow the directions for Running WinPfind by OldTimer.

Post the WinPFind.txt and a fresh HijackThis log.

 

Ok, followed above and still getting popups in IE.

 

Folow the directions for the following:
Running Hoster
Look2Me VX2 Removal

In Safe Mode, delete the following:

Start -> Run
type regedit
'OK'

Regedit will open, navigate to the following registry keys:

Reboot to Normal Mode.

Download to your Desktop
- getrunkey.zip

Extract getrunkey.bat from the zip file and run getrunkey.bat by double clicking on it. This will create a file named c:\runkeys.txt.

Post runkeys.txt as an attachment.

Post teh Look2Me-Destroyer.txt from earlier, and the GetRunKeys log.

 

Shadow -

Ran through the above. Many of the .dll files and keys to be deleted seemed to have already been removed. After restarting in normal mode and establishing an internet connection I no longer have random browser openings. I downloaded getrunkey but the program didn't run to completion. The message had something to do with "grep".

At any rate, I will attach the L2Me log and see what is going on.

 

Look2Me-Destoryer did a very though job of removing the Look2Me infection you had on your computer; that is why you couldn't find the dll files and some of the registry keys.

I need the exact error messege you get when you run GetRunKeys. That tool is written by Chaslang and I'm pretty sure he would like to know what problems you are having with it.

Post a fresh HijackThis log.

 

Getrunkey returned this message:

'grep' is not recognized as an internal or external command, operable program or batch file.

HJT log follows.

 

Unzip the zip file to your desktop. There should be 2 files GetRunKey.bat and grep.exe. Run GetRunKey.bat from the desktop.

 

Gotcha.

 

Copy the contents of the below quote box to notepad and Save As, FixXP.reg, to your Desktop. Make sure that you select 'All Files' before saving.

Double-click FixXP.reg and answer 'Yes' when asked if you want to merge with the rigistry.

Open ExplorerXP, navigate to and delete the following files; if they exist.

REBOOT

Things you must do:
Install SP2 for Windows XP and Update the system.
Update Java to the latest version.

Things you should consider.
Stop Windows Messenger from running, by using Shoot the Messenger.
Uninstall WeatherBug, unless you have the paided version.
Uninstall everthing by Viewpoint.
Uninstall Wild Tangent.

Post a fresh GetRunKey log.

 

Shadow -

Followed the above except for updating Java. I don't really know how to go about doing that. I've since installed Mozilla Firefox, a friend tells me it is less vulnerable than IE.

 

Woops, got you the wrong logfile.

 

Yes, Firefox is less vulnerable then IE, but using an out-dated version of Java leaves your system vulnerable.

This is the download page for Java. http://www.java.com/en/download/index.jsp

After you have updated, make sure you uninstall your old version, 1.5.0_04, using Add or Remove Programs in the Control Panel.

Your logs are clean.