TechSpot

Look2me infection?

By Major_Victory
Jul 29, 2006
  1. Hello, I had the same problem as the first post, but after I ran the third tool it never started up again. I ran it once, checked the checkbox and it gave me the message. I clicked OK and waited; five minutes later it still didn't open. I tried it four times since then but with no luck. I know I have the Look2me problem because Ewido spotted it but didn't fix it.

    I'm including the report that Ewido gave me when it finished cleaning.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log as a .txt attachment into this thread, only after doing the above.

    I have moved your post to its own thread. This will save any confusion.

    Regards Howard :)

    This thread is for the use of Major_Victory only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Major_Victory

    Major_Victory TS Rookie Topic Starter

    I need help killing this Look2me virus. The program you linked me to won't start up again after I click OK, Ewido can't do a thing about it even though it finds it, and Spybot can't delete it either, though it tells me where it is.

    The file is at "C:\WINDOWS\System32\gaurd.tmp", the process is "gaurd.exe"

    I have to type this fast because it keeps making my winlogon.exe crash and therefore restarting the computer.

    I know it's the Look2me virus because all of the other programs didn't help me.

    I can't post a log right now because Ewido takes too long to produce a new one and I don't have much time left to type. I'll check back in the morning or sometime tomorrow, but until then let me know what I can do please!

    All I want is my system back :(

    I hope I gave you enough information....

    signed,
    -Major Victory
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Without seeing a fresh HJT log I can't help you.

    Please post a fresh HJT log into this thread.

    Instructions for doing so can be found HERE.

    Regards Howard :)
     
  5. Major_Victory

    Major_Victory TS Rookie Topic Starter

    OK, I booted up in safe mode to do all the scanning because in normal mode that virus makes my winlogin.exe crash after a certain time.
    I'm making this post from a different computer to avoid booting into normal mode.

    I used three scanners and then I ran HijackThis.

    First up I used Ad-Aware SE Personal,
    next I used Spybot SD,
    then lastly I used Ewido.
    After all those scans I closed everything I could, emptied my recycle bin and temporary files, and ran HijackThis.

    I'm attaching the Ad-Aware log, the Ewido log and finally the HijackThis log.
    BTW, in the Ad-Aware log there were about 70-some cookies I didn't have access to delete. They were in another account that had its folders protected. Then Spybot reported having found "C:\WINDOWS\System32\guard.tmp" and then deleted it; however, in the log it also listed all the MRUs that it found and some other program settings that are legit, which made the logfile rather huge. If you want to see the Spybot log, let me know and I'll post it.

    And finally, here are the logfiles...
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, let's get rid of the main nasties first.

    Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

    AWS/Weatherbug
    DAP

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    Weather.exe
    rdgUS2404.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

    O4 - Startup: Xfire.lnk.disabled

    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm

    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)

    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll

    O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\AWS\WeatherBug
    C:\PROGRA~1\DAP

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winxtx32.dll

    Once your system has rebooted, turn system restore back on and post a fresh HJT log from normal mode.

    Regards Howard :)

    This thread is for the use of Major_Victory only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Major_Victory

    Major_Victory TS Rookie Topic Starter

    Done...

    gaurd.exe is still showing up in the taskmanager btw

    here is the new log...
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this entry.

    O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

    Use Killbox to delete the guard.exe and guard.tmp files.

    This is the filepath for the guard.tmp file.

    C:\WINDOWS\System32\guard.tmp

    You will need to find the filepath for guard.exe.

    Follow these instructions for fixing your LSP problem.

    Download and run LSPFix from http://cexx.org/lspfix.htm

    Use these instructions to remove the bad DLL:
    1. Run LSPFix.
    2. Check 'I know what I'm doing'.
    3. Select xfire_lsp_8742.dll.
    4. Click the right-pointing arrow (moves it to the "remove" page).
    5. Click 'Finished'.

    6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
    7. Delete the file: 'xfire_lsp_8742.dll' (or substitute with "your" missing file name). Do NOT delete ANY other files!
    8. Restart your computer and bring it up in normal mode.

    Once done, let us know how your system is running.

    Regards Howard :)
     
  9. Major_Victory

    Major_Victory TS Rookie Topic Starter

    OK, I did your steps but I could not find either the gaurd.tmp file or the gaurd.exe file. The gaurd.tmp file is now missing; however, in normal mode guard.exe is still running. Right now the computer is physically disconnected from the internet and I haven't received any new popups yet.
    I noticed how Killbox has an option to kill system processes. gaurd.exe is listed inside there; should I kill the process that way?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  11. Major_Victory

    Major_Victory TS Rookie Topic Starter

    OK, I haven't run the two programs yet but Killbox was also unable to end the gaurd.exe process, just thought you should know...

    I'll edit later after I run the programs and I'll post the new log too.

    :edit:
    Both programs found nothing.

    Here is my new log...
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    You're not going to believe this, but after doing some research on the guard.exe file, it turns out it's part of Ewido's background guard. If you look at your HJT log, you'll see it as this entry.

    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    So nothing to worry about.

    As far as I'm concerned your system is now clean.

    Regards Howard :)

    This thread is for the use of Major_Victory only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. Major_Victory

    Major_Victory TS Rookie Topic Starter

    Wow, I'm surprised I didn't realize that. Now that I think about it, it did only appear AFTER Ewido was installed. LOL, well thank you very much for helping me with my problems and I'll let you know if anything pops up after I connect it to the internet again.

    Thank you,
    -Major Victory
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem mate. I'm just sorry I didn't spot the guard.exe as being part of Ewido sooner. :eek:

    Your main nasty was the O20 - Winlogon Notify: winxtx32 - winxtx32.dll entry, which is now gone.

    If you ever have any other virus/spyware problems, please post them in this thread.

    Regards Howard :)

    This thread is for the use of Major_Victory only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
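
The mix-up resolved in this thread (guard.exe turning out to belong to Ewido's O23 service, while the real problem was the O20 Winlogon Notify entry) can be checked mechanically before any file is deleted. The following is an added example, not part of any post in the thread: a small Python parser over HijackThis lines quoted above. The function names and the two review heuristics are assumptions made for illustration.

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: four entries copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - Winlogon Notify: winxtx32 - C:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

def parse(log):
    """Return (section, kind, fields) per O-line; fields are split on ' - '."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3).split(" - ")))
    return out

def service_owner(entries, image_name):
    """Map a running image name to the O23 service that launches it, if any."""
    for section, _, f in entries:
        if section == "O23" and ntpath.basename(f[-1]).lower() == image_name.lower():
            return {"service": f[0], "vendor": f[1] if len(f) > 2 else "", "path": f[-1]}
    return None

def review_list(entries):
    """Candidates for manual review: O20 notify DLLs and O16 codebases on a bare IP."""
    hits = []
    for section, _, f in entries:
        if section == "O20":
            hits.append((section, "winlogon notify package", f[-1]))
        elif section == "O16":
            host = urlparse(f[-1]).hostname or ""
            try:
                ipaddress.ip_address(host)  # raises ValueError for a DNS name
                hits.append((section, "codebase served from bare IP", f[-1]))
            except ValueError:
                pass
    return hits

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print(service_owner(entries, "guard.exe"))
    print(review_list(entries))
```

The lookup matches on the exact image name, so a name copied with a typo returns no owner and should be re-checked against Task Manager before it is treated as unknown.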
     
Topic Status:
Not open for further replies.
