Old 09-04-2006, 06:10 PM   #8 (permalink)
edifier

Some of the infections were removed but others still remain.

Just wanted to make sure those drivers are legit.

Go to 'Control Panel/folder options/view' and check 'show hidden files and folders'. While there, UNCHECK 'hide protected operating system files (recommended)'. Click Apply and Okay.

Update Ewido.

Next, download, install and update 'A-squared' here http://www.emsisoft.com/en/software/free/

Download 'Killbox' here http://www.softpedia.com/progDownloa...oad-27315.html to your desktop. You will need it later in safe mode.

Download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ You will need it later in safe mode.

Reboot your computer in Safe Mode by doing the following.

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Completely disable all security programs- Norton, Ewido, Defender, etc.


From safemode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis and click 'Fix Checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [bvu82401] RUNDLL32.EXE w0481b98.dll,n 002823ff0000000a0481b98
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [komq] C:\PROGRA~1\COMMON~1\komq\komqm.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/si...aseInstall.cab

Exit Hijack This but remain in safe mode.

Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines if still present one at a time.

C:\Program Files\Common Files\{4854784E-070C-2057-1119-04090604002c}\Update.exe
C:\Program Files\outlook\outlook.exe
C:\PROGRA~1\COMMON~1\komq\komqm.exe

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.

Navigate to and delete the following folders.

C:\Program Files\Common Files\{4854784E-070C-2057-1119-04090604002c}
C:\PROGRA~1\COMMON~1\komq

Continuing from safemode, begin running your scans in this order.

A-squared
Ewido

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot into normal windows and if everything appears okay, disable 'System Restore'. Go to Control Panel/System/System Restore and check the box 'Turn off system restore on all drives', click 'apply' and 'okay'. Reboot your computer, run ATF Cleaner, and then turn 'System Restore' back on and create a 'New Restore Point' by going to 'Start/Programs/Accessories/System Tools/System Restore'. Proceed here and run this diagnostic scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html

Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop. If any infections remain, post a copy of it here along with a new 'HijackThis' log.
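An added example, not part of edifier's post: a Python cross-check between the O4 autorun entries in the HijackThis fix list and the Killbox delete list above, so that a file deleted without a matching startup entry (or a startup entry fixed while its file stays on disk) stands out for manual review. The function names are hypothetical, the entries are copied from the post, and paths are compared as literal strings (8.3 short names are not resolved).

```python
import re

# O4 (startup) entries copied from the fix list in the post above.
LOG = r"""
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [bvu82401] RUNDLL32.EXE w0481b98.dll,n 002823ff0000000a0481b98
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [komq] C:\PROGRA~1\COMMON~1\komq\komqm.exe
"""
# Killbox targets copied from the post.
KILLBOX = r"""
C:\Program Files\Common Files\{4854784E-070C-2057-1119-04090604002c}\Update.exe
C:\Program Files\outlook\outlook.exe
C:\PROGRA~1\COMMON~1\komq\komqm.exe
""".split("\n")[1:-1]

LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def exe_of(cmd):
    """Return the executable part of an autorun command line."""
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r".*?\.exe", cmd, re.I)         # unquoted path may contain spaces
    return m.group(0) if m else cmd.split()[0]

def parse_autoruns(log):
    """Parse O4 lines into dicts with hive, value name and executable."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m or m["code"] != "O4":
            continue
        e = O4.match(m["body"])
        if e:
            out.append({"hive": e["hive"], "name": e["name"], "exe": exe_of(e["cmd"])})
    return out

def cross_check(log, kill_list):
    """Pair deleted files with fixed autoruns; report what is left unpaired."""
    runs = {a["exe"].casefold(): a["name"] for a in parse_autoruns(log)}
    paired = {p: runs[p.casefold()] for p in kill_list if p.casefold() in runs}
    file_only = [p for p in kill_list if p.casefold() not in runs]
    entry_only = sorted(set(runs.values()) - set(paired.values()))
    return paired, file_only, entry_only

if __name__ == "__main__":
    for label, result in zip(("paired", "file only", "entry only"), cross_check(LOG, KILLBOX)):
        print(label, result)
```
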