vx2.look2me problem

Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. And you need to get HijackThis.exe extracted from the ZIP file you downloaded. You are currently running it directly from the ZIP file.

To get hijackthis.exe extracted from the ZIP File into the location we requested do the following.

The below will work for WinXP based system since it can deal with ZIP files.

You need to create the C:\Program Files\HJT folder. Do the following:

- Click START and select Explore.
- Select the drive where Windows is installed (normally C
- Navigate to the C:\Program Files folder and select it.
- Now click the on the top menu where it says File and then select New.
- Then select Folder
- A new folder is created and highlighted.
- Just type HJT to overwrite the default name (New Folder)


To extract hijackthis.exe:
- locate the HijackThis.zip file you downloaded and right click on it
- Select Extract All and click Next
- Browse your way to the C:\Program Files\HJT folder created above
- Select the folder and click Next

Using Winzip:
- locate the HijackThis.zip file you downloaded and right click on it and select Extract to. This will open Winzip.
- Use the Folders/drives navigation pane to locate and select the C:\Program Files\HJT folder you previously created. After selecting it, make sure it shows in th Extract to: box.
- Click the Extract button


Please run the steps below.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

You also need to run the other tool given to Jazzy.

Download the following tool and save it where you will be able to find it.

L2MeFix Tool

Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

Exit Browsers now before continuing

Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log.

NOTE: Please do not run any other options or files in the l2mfix Folder!

Now reconnect and come back here and post as an attachment the l2mfix log.

 

Post your BitDefender log. Quite often it just reports th Wheaterbug.A porblem in AOL or AIM files. I'm not sure that it is really a problem.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

CWShredder Service

Now exit HJT and do not reboot if it asks you to do so. We will be rebooting in safe mode in a few lines.



Okay let's start by downloading two tools we will need:

- Process Explorer 9.2

- Pocket KillBox

Extract them to there own folder somewhere that you will be able to locate them later.

Reboot in Safe Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of pmkkk.dll once and then click the kill button. After you have killed all of the pmkkk.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of pmkkk.dll and kill it.

Now just look for the below process in Process Explorer and right click on it and Kill it.C:\WINDOWS\etb\pokapoka65.exe

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmkkk.dll
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: pmkkk - C:\WINDOWS\system32\pmkkk.dll
O23 - Service: CWShredder Service - Unknown owner - D:\cwshredder.exe (file missing) <--- this line should already be gone


Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\SYSTEM32\kkkmp.ini
C:\WINDOWS\SYSTEM32\kkkmp.ini2
C:\WINDOWS\SYSTEM32\kkkmp.bak
C:\WINDOWS\SYSTEM32\kkkmp.bak2
C:\WINDOWS\SYSTEM32\kkkmp.tmp
C:\WINDOWS\system32\pmkkk.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot post a new HJT log.

 

Okay! We fix your Virtumundo problem but you still have the Elite Toolbar problem ( C:\WINDOWS\etb\pokapoka66.exe )

Run Process Explorer now in normal boot mode and select kill process tree.

Then look for the folder C:\WINDOWS\etb and delete it.

Then run HijackThis and have it fix:
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe

Then reboot and look at a new HJT log and see if this stuff remains fixed. If not, download and run the following:

EliteToolbar Remover

Then see how things look. Post a new HJT log.

 

Check a new HJT log yourself. Do you still see the process running? Do you see the O4 line ? If so, you need to fix it?

It's rather strange that it did not detect it before. Did you just update Norton or something?

 

Yes follow the steps in the previous message.

 

No the steps are in the right order. You cannot delete the etb folder if the process which is running from it (pokapoka66.exe) is still running. So you need to find the pokapoka66.exe process in Process Explorer and right click on it and select Kill process tree. Then immediately attempt to delete the C:\WINDOWS\etb folder by running Windows Explorer and navigating to the C:\Windows folder and locate the etb folder. Right click on it and select Delete (Note: You are not doing the delete of the folder from Process Explorer. You are using Windows Explorer).

Do you know what Windows Explorer is? Right click the Start button and select Explore. That's Windows Explorer.

Have you run EliteToolbar Remover yet. If not, please run it now!

 

There is no reason to remove any of them. Yes re-enable system restore. You should also work thru the steps in the below (some you may already have done so ignore the ones you have). Make sure you do check Windows Update (step 1):

How to Protect yourself from malware!

 

You're welcome Tom!

I'll let you in on a little secret. Many times people have come here to get problems fixed because a Tech Support person (who could not fix their problems) sent them here. Even Microsoft and Dell have sent people here.

 

You're welcome!

Send all your friends here!

 

Try Search which is one of the upper title bars and select Advanced Search. The select All Open Forums (which should be the default. It sounds like a Software Forum topic to me.