Spyware Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by shettyr23, May 15, 2006.

  1. shettyr23

    shettyr23 Private E-2

    I tried the recommended steps for spyware removal 1-5. I ran the bdscan. I also tried to run the panda active scan but it did not work. What seems to be showing up on all these scans is a look2me file and something called guard.tmp which cannot be removed by any of these programs. I tried the look2me destroyer and that did not work either. I have attached the bdscan log and the hijack this log. Please help.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Look2Me is covered in our sticky thread procedures which are mentioned in the READ & RUN ME. In particular, see the below:

    Look2Me VX2 Removal

    Attach the requested log afterwards!


    You have HijackThis running like below:
    C:\Documents and Settings\Ranjith Shetty\Local Settings\Temp\Temporary Internet Files\Content.IE5\Z9J2UM5X\hijackthis[1]\HijackThis.exe

    This is exactly how step 7 of the READ ME specifies not to run. Please follow the instructions in step 7 exactly as written and get HijackThis installed correctly. Do this now before continuing.


    Run the below procedure and attach the runkeys.txt log.

    Using GetRunKey



    Note: The below method of installing programs is a bad idea.

    C:\Spyware Tools\sunserver.exe

    You should install programs into the default folders as recommended by the installation program when you install it. This is normally a folder within C:\Program Files. This makes it look like malware posing as the program.
     
    Last edited: May 15, 2006
  3. shettyr23

    shettyr23 Private E-2

    The Look2Me VX2 removal does not work. It won't reopen after I try to run it. I even tried it after rebooting like the note says. I have attached the runkeys.txt.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This could be happening due to the other infections that you have. Let's work on them first. In order to do that, I need some more info from the below procedure.

    Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
  5. shettyr23

    shettyr23 Private E-2

    Attached are the logs generated by FindQool.

  6. shettyr23

    shettyr23 Private E-2

    I got the look2me VX2 program to work. I have attached the log to this post.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! It's great that you got Look2Me Destroyer to run. It fixed your Look2Me problems. But now we need to continue with the other fixes.

    Now download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Program Files\Windows\wWinUpdate.exe
    C:\WINDOWS\system32\yqunncv.exe
    C:\WINDOWS\SYSTEM32\XLWFDV.EXE
    C:\WINDOWS\SYSTEM32\OUNJD.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qsigj.exe



    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Common Files\??crosoft\d?xplore.exe
    C:\PROGRA~1\ASEMBL~1\wowexec.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,yqunncv.exe
    O4 - HKLM\..\Run: [wdbwdt] C:\WINDOWS\system32\xlwfdv.exe reg_run
    O4 - HKCU\..\Run: [tahye] C:\WINDOWS\system32\xlwfdv.exe reg_run
    O4 - Global Startup: qsigj.exe


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):

    C:\Program Files\Windows <--- the whole folder
    C:\WINDOWS\system32\yqunncv.exe
    C:\WINDOWS\SYSTEM32\XLWFDV.EXE
    C:\WINDOWS\SYSTEM32\OUNJD.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qsigj.exe



    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool

    Also tell me how things are working!
     
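An added example, not from this thread or from any of the tools it names: a read-only PowerShell audit of the autostart locations behind the R0, F2 and O4 lines above (the Winlogon Userinit value, the HKLM/HKCU Run keys, the all-users Startup folder and the IE SearchAssistant value). It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the function name Get-ImageStatus is mine.

```powershell
# Added example: report what is registered in the autostart locations the HJT
# R0/F2/O4 lines refer to. Read-only: it prints findings and changes nothing.
# Assumes Windows PowerShell 3.0+ and an elevated prompt.

function Get-ImageStatus {
    # Pull the executable out of a command line such as
    #   C:\WINDOWS\system32\xlwfdv.exe reg_run   or   "C:\Program Files\x\y.exe" /q
    # and report whether it exists on disk and whether it carries a valid signature.
    param([string]$CommandLine)
    if ($CommandLine -notmatch '^"?([^"]*?\.(exe|dll|bat|cmd|scr))') { return 'unparsed' }
    $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
    if (-not (Split-Path $exe)) {                        # bare name: resolve via PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Path }
    }
    if (-not (Test-Path -LiteralPath $exe)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -LiteralPath $exe).Status   # Valid, NotSigned, ...
}

$findings = @()

# F2 line: Userinit must be exactly "<system32>\userinit.exe," with nothing appended
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe,'
if ($userinit -ne $expected) { $findings += "Winlogon Userinit = '$userinit' (expected '$expected')" }

# O4 lines: every value under the HKLM and HKCU Run keys
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata properties
        $findings += "$hive Run [$($p.Name)] = $($p.Value) => $(Get-ImageStatus $p.Value)"
    }
}

# O4 Global Startup: anything dropped into the all-users Startup folder
$startup = [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Global Startup: $($_.FullName) => $(Get-ImageStatus $_.FullName)"
}

# R0 line: a blanked or redirected SearchAssistant value is worth a look
$sa = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search' -ErrorAction SilentlyContinue).SearchAssistant
if ($null -ne $sa) { $findings += "IE SearchAssistant = '$sa'" }

# Show everything that is not a present, validly signed image
$findings | Where-Object { $_ -notmatch '=> Valid$' }
```

Entries reported as MISSING or NotSigned are the ones to compare against a fresh HJT log; the script does not delete anything.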
  8. shettyr23

    shettyr23 Private E-2

    Thanks so much for your help. This has been great so far. Attached are the new HJT log and FindQool log.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like your malware problems are all gone!

    However you have an old remnant service running from having Symantec Antivirus installed at some time. Let's fix this!

    What I'm referring to can be seen in the below line in your HJT log:
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    To remove it requires special steps given below.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Network Drivers Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    SNDSrvc

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot just verify for yourself that the O23 line no longer appears in your HJT log. Also delete the below folder if it exists:
    c:\Program Files\Common Files\Symantec Shared


    How is everything working?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
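An added example, not from this thread: a PowerShell function that does the same job as the services.msc and HJT "Delete an NT Service" steps above for a leftover service named on an O23 line. It first reports the service's state and whether its binary still exists, then stops, disables and deletes it. It assumes an elevated prompt; the function name Remove-StaleService is mine, and SNDSrvc is the service name from the log line above.

```powershell
# Added example: inspect a leftover service named on an O23 line, then stop,
# disable and delete it, which is what the services.msc and HJT steps do by hand.
# Assumes an elevated prompt. -WhatIf previews without changing anything.

function Remove-StaleService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)   # short name, e.g. SNDSrvc

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "Service '$Name' not found; nothing to do."; return }

    # The service's binary and start type live under its registry key
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $props  = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    $image  = [string]$props.ImagePath
    $startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $onDisk = $false
    if ($image -match '^"?([^"]*?\.(exe|sys))') {
        $onDisk = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($Matches[1]))
    }
    $fmt = "{0}: status={1} start={2} image={3} binary present={4}"
    Write-Output ($fmt -f $Name, $svc.Status, $startNames[[int]$props.Start], $image, $onDisk)

    if ($PSCmdlet.ShouldProcess($Name, 'Stop, disable and delete service')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
        Set-Service -Name $Name -StartupType Disabled
        # sc.exe delete marks the service for removal; it may linger until the next reboot
        & sc.exe delete $Name | Out-Null
        if (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
            Write-Output "'$Name' is marked for deletion; reboot, then re-run to confirm it is gone."
        } else {
            Write-Output "'$Name' removed."
        }
    }
}

Remove-StaleService -Name SNDSrvc -WhatIf   # preview; drop -WhatIf to apply
```

A "binary present=False" report with a still-registered service is the remnant case described above: the program is gone but its service entry is not.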
  10. shettyr23

    shettyr23 Private E-2

    Everything works great! Thanks so much for your help.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
