Pretty sure I have VX2.. yay.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Esaxe, Oct 19, 2005.

  1. Esaxe

    Esaxe Private E-2

    Well yay for me, over two years clean of virus and spyware and this comes from nowhere to haunt me.

    I've already download l2mfix and hijackthis. I've done a lot of reading and I think I have the proper logs, but I'm not an expert in spyware removal. I try to stay as secure as possible instead of fighting the stuff. Any help would be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run L2MeFix as written here: Look2Me VX2 Removal

    You can post attach the logs from it, but do not post any HJT logs without following standard cleaning steps and the procedures for using HJT. These procedures are given below.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
  3. Esaxe

    Esaxe Private E-2

    I ran l2mfix just as the thread stated. I will post the logs for that.

    As for the other thread.
    1. I have never had system restore enabled.
    2. I have always had the viewing of hidden files, system files and file extensions enabled.
    3. I only use Symantec Client Security.
    4. I have Ad-Aware SE. I initially tried to clean VX2 with the addon for Ad-Aware SE. This did not work.
    5. Symantec Client Security does not detect infected files.
    6. As I stated I tried to use Ad-Aware, it wasn't friendly with me. The scan got rid of a number of things, but the add-on tool would not un-grey the Clean button.
    7. This is the first time I've had to use HiJackThis. I do have a log but I will read the thread you posted and give you a new log at your request.

    Please note I did all of this (except running l2mfix) before I found the very informative threads here. Also thank you for your quick reply.
     

    Attached Files:

  4. Esaxe

    Esaxe Private E-2

    Hate to double post but I ran TrendMicro's Virus Scanner and it picked up 4 infected files. The infected files were: javainstaller.jar-5aa0b436-6b13cd40.zip infected with Java_Bytever.R, dealhelper.exe and dealhealper[1].exe infected with Troj_Agent.NJ, and DC6.exe infected with BKDR_IZRAM.17. All of which I manually deleted. Oddly enough Symantec did pick up the javainstaller the same time Trend Micro did, but it said it couldn't clean the file because access was denied.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know that but my question was whether you ran it properly per the steps given in the link I gave you. From what I can see it does not look like it. In fact, the log from option 2 is not even a complete log. It looks like it never finished running. You may want to look at my link and try option 2 again. I have seen a few cases where for some reason after the forced reboot that the batch file does not continue to run and it needs to be run manually.

    Make sure you complete all steps in the READ & RUN ME thread before doing a HJT scan. If you cannot run certain steps for some reason, just continue but explain what problems you had when you come back. After this follow the thread I gave you for properly using HJT.
     
  6. Esaxe

    Esaxe Private E-2

    Hmm, I assumed it did finish but I just didn't notice it. How long does that usually take? If it doesn't open within a certain amount of time how do I make it start manually?
     
  7. Esaxe

    Esaxe Private E-2

    Ok I ran Symantec Antivirus and Trend Micro's online scanner. The TM scan detected 4 files, these were previously posted. I also did a Symantec scan in safe mode that discovered nothing, at least I don't think it discovered anything, I left the room to get a drink and when I came back the computer was rebooting.

    I also ran Ad-Aware, CCleaner, and Spybot. Each discovered some files and removed them. I did these scans in both normal and safe mode. I have the log for Spybot.

    I ran CWShredder, it detected 1 file with VX2 in the name and also removed that file. I also ran Kill2Me which said it did something, but didn't display any results.

    After all of this I am still receiving a great deal of popups, though not as frequently as when this first started. Popups come in the form of new tabs in Firefox, and Flash based ones that appear over top of anything I happen to be working on.
     
    Last edited: Oct 20, 2005
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you run L2MeFix with option 2, does your PC reboot as it is supposed to?
    After reboot another batch file is supposed to run to continue with the fix. Does it run?

    If not, go into the L2MeFix folder using Windows Explorer and double click on second.bat to run it and then post the log when it finishes. There may be a new form of infection out there. You are not the first person having trouble with getting the L2MeFix program to run properly. It always ran fine in the past, so I suspect a new strain of malware.
     
  9. Esaxe

    Esaxe Private E-2

    Yes, it seems that second.bat did not run on reboot. I ran it manually and here are the logs that were produced.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're still infected! It seems to be having a problem removing all of the infection since it is not automatically running on reboot. Also the malware DLL filenames are changing constantly (after each reboot). Try running it again. But this time make sure:
    - there is no connection to the internet available at all during the process. Unplug your cable.
    - never open a browser during the process.
    - after the reboot run second.bat manually and save the log to a unique filename.
    - run second.bat a second time and save it to another unique filename.

    Then reconnect to the internet and post those two logs.

    Make sure you do not reboot at this point or it will mutate again!!!!

    Do you know how to use regedit and are you comfortable with using it?
     
  11. Esaxe

    Esaxe Private E-2

    Two log files it is.

    Yes, I have no problems using regedit.
     

    Attached Files:

  12. Esaxe

    Esaxe Private E-2

    Yeah, you might as well disregard the last post, I'm going to bed, I'll run a new scan tomorrow (later today) and get you the logs for that. I really appreciate the help, I would have backed up and formatted by now without it.
     
  13. Esaxe

    Esaxe Private E-2

    Ok, it's going to be up for awhile. Here are the two logs I recently ran.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run regedit and navigate to the below registry key and delete it:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Welcome

    Then run second.bat again and post the log.

    Afterwards look for the below file and tell me if you see it:

    C:\WINDOWS\system32\guard.tmp
     
  15. Esaxe

    Esaxe Private E-2

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Welcome
    DELETED

    Log Posted.

    C:\WINDOWS\system32\guard.tmp
    Not Found.

    I've noticed the logs are getting smaller every time I run second.bat, is that a good sign?
     

    Attached Files:

    • log.txt (9.6 KB)
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you do not have viewing of hidden and system files enabled properly. If you look at the log from second.bat, you can see that it found it and it thinks it deleted it. But I can tell you right now it was not successful because I see a new L2Me DLL came right back at the same key I had you delete.

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Welcome]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\jt0807due.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    Do you see C:\WINDOWS\system32\guard.tmp now?
    What about this file: C:\WINDOWS\system32\jt0807due.dll

    We are going to have to take a different approach to fixing this. But a couple things that are very important to remember while trying any fixes (even if it is not mentioned in the directions): ALWAYS make sure you have no connection to the internet possible by unplugging your cable and also make sure no browsers are open at any time during the cleaning. Your browsers and connection should remain off until you are asked to come back here to post results.

    Please run L2MeFix option 1 and post that log.

    Download this: Find It NT/2000/XP

    Unzip it to its own folder and then run "find.bat" by double clicking on it. Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it run.

    The tool should generate a text file log. Normally it pops up as a notepad file named output.txt when it completes. Attach this log as an attachment to your next post.

    Also please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
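    As an added illustration (example code written for this page, not one of the thread's tools and not L2MeFix), here is a Python check over a constructed .reg export that does what chaslang is doing by eye above: list the Winlogon\Notify packages, flag any outside an assumed stock Windows XP baseline, and diff two exports to show the DLL name changing between reboots. The baseline set, the benign crypt32chain entry and the before/after exports are assumptions; the Welcome key and both DLL names come from this thread.

```python
import ntpath
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumed baseline of stock Windows XP notify packages (tune it for the host being checked).
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
            "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Constructed export: the "Welcome" key quoted in the post plus a benign crypt32chain entry.
EXPORT_BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Welcome]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt0807due.dll"
"Logon"="WinLogon"
"""
# Same machine after a reboot: the hijacking package switched to a new DLL name (constructed).
EXPORT_AFTER = EXPORT_BEFORE.replace("jt0807due.dll", "m2lslc371f.dll")

def parse_reg(text):
    """Minimal .reg parser -> {key path: {value name: value}}; quoted strings are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            if value.startswith('"'):  # quoted string: undo \\ and \" escapes
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            keys[current][name.strip('"')] = value
    return keys

def notify_packages(keys):
    """Map each Winlogon\\Notify subkey to the DLL winlogon.exe loads for it."""
    prefix = NOTIFY_KEY.lower() + "\\"
    return {path[len(prefix):]: vals["DllName"] for path, vals in keys.items()
            if path.lower().startswith(prefix) and "DllName" in vals}

LETTER_DIGIT_MIX = re.compile(r"[a-z]\d|\d[a-z]")

def suspicious_packages(packages, baseline=BASELINE):
    """[(subkey, dll, reasons)] for every package outside the baseline."""
    hits = []
    for subkey, dll in packages.items():
        if subkey.lower() in baseline:
            continue
        reasons = ["not in baseline"]
        if LETTER_DIGIT_MIX.search(ntpath.splitext(ntpath.basename(dll))[0].lower()):
            reasons.append("letter/digit mix typical of a generated filename")
        hits.append((subkey, dll, reasons))
    return hits

def renamed_dlls(before, after):
    """Subkeys whose DllName changed between two exports: the per-reboot mutation."""
    b, a = notify_packages(parse_reg(before)), notify_packages(parse_reg(after))
    return {k: (b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k]}
```

    Run it against `reg export` output taken before and after a reboot; a package that survives the reboot under a new DllName is the signature of what the thread is chasing.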
     
  17. Esaxe

    Esaxe Private E-2

    I'm absolutely sure guard.tmp is not in the system32 folder. jt0807.dll is in the system32 folder though. I've also been sure to make sure that I am disconnected and no browsers or IM programs are running while the scans are running.

    Here is the report for running option 1 in L2MeFix.
     

    Attached Files:

  18. Esaxe

    Esaxe Private E-2

    Here is the output.txt for Find It and the WinPFind.txt for WinPFind.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Download these:

    Pocket KillBox

    VX2.BetterInternet Finder XP/2k - Version Msg126


    Extract them to their own folders somewhere that you will be able to find them later.

    We are going to be deleting a list of files using Pocket Killbox. I'll explain how further down. Here is the list of files:

    Here is a list of files that we need to delete using Killbox.
    C:\WINDOWS\flashax.exe
    C:\WINDOWS\icont.exe
    C:\WINDOWS\System32\guard.tmp
    C:\WINDOWS\System32\NGTVideoFile.dll
    C:\WINDOWS\System32\m2lslc371f.dll

    and the last one is C:\WINDOWS\System32\jt0807due.dll

    And here is how you need to do it.

    Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

    Now you are going to repeat the below steps for every file except C:\WINDOWS\System32\jt0807due.dll (we will add it separately at the end). Replace the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\flashax.exe

    1) Now, Copy and Paste fullpathfile into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
    5) Repeat for all files except the last one

    For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

    Now, Copy and Paste C:\WINDOWS\System32\jt0807due.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

    If you get a Pending File Operations error message, just reboot manually (but tell me later when you come back).


    After it reboots continue with the below.
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixL2M.reg (yes overwrite the previous one) and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixL2M.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    Now Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot into normal mode again.

    Now get another find.bat log and post it. Also post a new HJT log. Do not reboot after posting these logs!!!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also post another WinPfind log in a second message.
     
  21. Esaxe

    Esaxe Private E-2

    Ask and ye shall receive. I did receive this error like you said I might:

    PendingFileRenameOperations Registry Data has Removed by External Process!

    Also, I got an error that C:\Recycler\Desktop.ini did not exist.

    In addition, a folder has magically appeared in my C:\ folder called !Submit. Normally I don't think I'd worry about such a thing. But at this point it just seems kinda odd.

    find.bat output log attached along with hijackthis.log.
     

    Attached Files:

  22. Esaxe

    Esaxe Private E-2

    WinPFind.txt file attached in a separate post just as you asked.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's from Pocket Killbox. Don't worry about it. It can be deleted when we are all done.

    Are you running any other steps or programs other than what I mentioned? I'm curious as to why the below two items appeared in your C:\WINDOWS\SYSTEM32\drivers\etc\hosts file even after running Hoster:

    127.0.0.1 www.qoologic.com
    127.0.0.1 www.urllogic.com

    See them in the Winpfind log. Run Hoster again.

    Run HJT and fix the below line (but do not click fix until all browsers are closed):
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\m2lslc371f.dll (file missing)

    Exit HJT, reboot, and then post a new HJT log.
     
  24. Esaxe

    Esaxe Private E-2

    I've been following your directions to the letter. I left my computer running all night just because you asked me not to reboot. When I opened hoster there was much more than just the 2 lines you mentioned, I didn't count but I'd say well over 2 dozen entries were there; I restored it to original again. I fixed what you asked with hijackthis and here is the new log.

    In addition I have good news and bad news to report. Popups have ceased opening in new tabs in Firefox. However they are now opening in new IE windows (I never use IE). The popups that recently came up are for WinAntiVirus Pro 2006.
     

    Attached Files:

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it appears that we got the Look 2 Me infection fixed. Your log is clean but I'm worried that your ZoneAlarm firewall does not seem to be working properly. You should uninstall it and then reinstall because it appears to be broken.

    Also run this: Running Ewido Security Suite and post its log.
     
  26. Esaxe

    Esaxe Private E-2

    I'm sure ZoneAlarm works fine. I just have it turned off (does not start on startup). I used to use it when I was directly connected to the internet, but now I have a router in the connection providing a hardware firewall.

    Mostly I'm concerned with whether or not this blasted thing is going to come back when I shut down. Also, what of the IE popups I received for that security program? Is that related to this or do I have something else?

    I've downloaded Ewido but since I have to leave for work shortly I won't be able to run the scan until later. Which brings me back to whether or not I can shutdown.

    I have to say you've been incredibly helpful. Thank you for all your time. You've saved a great deal of my sanity.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not do this. Leave ZoneAlarm running.

    Reboot and find out. The IE popups that you mentioned do not show in your log and are not related to Look 2 Me.

    You're welcome and yes you can shut down! Run the scan after you get home from work.
     
  28. Esaxe

    Esaxe Private E-2

    Good news to report. No popups of any kind about anything. I can't thank you enough. Have someone you know make you cookies, tell them I told them to.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
