Lockx.exe problem

Status
Not open for further replies.

sig75

My daughter managed to get this worm or whatever the other night. I guess Norton did not know what to do with it, so here I am. I have been reading everything I can and have tried to follow the instructions. I am super novice at these types of problems and computers in general, but I am always willing to learn. Below is the log from HJT. If someone could look it over and let me know how it looks I would be greatly appreciative.
 
I will try to attach the log again. I do not know what happened?? Did I do it right?? It came up as an attachment like "Realblackstuff" directed. Most of the other posts look like they were cut and pasted. Did I do something wrong?? Thanks in advance for your help.
 

Attachments

  • hijackthis1.txt
Realblackstuff
I have followed your directions up to posting the HJT log. As a novice I do not know where to go from here. See HJT attachment: Can you tell me exactly which ones to fix? Can you explain the part about deleting any of the "bold directories", i.e. \AUTOUPDATE, as explained in your directions? Also, how do I go about deleting all the individual files/programs that were fixed? Thanks for all of your help.
 
If something is bold like this word, that is the filename or folder you need to delete, using Windows Explorer or your own substitute.
Right-click on the subject and select Delete. Confirm.
When you are finished, empty your Recycle Bin.

First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/U/ UNinstall anything to do with this
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions in SEQUENCE, and in HiJackThis tick/fix ALL lines!
...................................................................................................
/P/U/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)
Fix ALL your O16 - DPF: entries
...................................................................................................

STOP using that crappy IE (other than for Windows-updates) and install Firefox from www.getfirefox.com
 
Please forgive me in advance for asking stupid questions. I think I am starting to understand a little. I was going to walk through the steps and ask questions as I go if that is OK.

I have been able to do the basics like disable restore, view hidden files etc. The first step I run into is the task manager.
When I open the process tab the following is listed:
explorer.exe Admin
svchost.exe Local Service
svchost.exe Network Service
svchost.exe System
svchost.exe Network Service
svchost.exe system
lsass.exe system
services.exe system
winlogon.exe system
csrss.exe system
smss.exe system
taskmgr.exe admin
system system
system Idle process system

I suspect these are all ok, because none of this was listed in the previous post between the dotted lines. Is this true???

The next step is where I do not know how to proceed.

I understand the start/run part, REGSVR32 /U [but this part I do not understand] ......(full Path name.dll here). Can you give me an example? In the above posts I do not see anything in bold /R/. Is it the extra button line or extra Tools line? For example, would I type REGSVR32 /U ......09 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5- etc.?
or
Do I not do this because in the above post you did not mark anything /R/ or /S/?

I apologize again for my very basic novice questions.
 
You ONLY do something special with the lines that have e.g. /P/ marking in front of them.

My instructions are universal; if you don't have e.g. an /R/ marker between the dotted lines, you don't do any /R/ stuff.
Example would be: REGSVR32 /U C:\windows\system32\abmmxc.dll

You ONLY follow instructions for the file that has a MARKING in front of its line, you do NOT touch anything else!
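
The marker convention described in the replies above, as an added example (not part of any post in this thread and not HijackThis's own code): a small Python parser that separates the lines carrying a marker, which need an extra step, from the lines that are only ticked and fixed. The function and field names are illustrative assumptions; the sample block is copied from the thread, and /S/ is left undefined because the thread never explains it.

```python
import re

# Marker meanings as given in the thread. /R/ is inferred from the
# REGSVR32 /U example; /S/ is mentioned there but never defined.
MARKERS = {
    "P": "stop the process",
    "U": "uninstall the related program",
    "R": "unregister the DLL with REGSVR32 /U",
}

LINE_RE = re.compile(
    r"^(?P<marks>(?:/[A-Z])+/)?\s*"      # optional prefix such as /P/U/
    r"(?P<section>[A-Z]\d{1,2})\s+-\s+"  # HijackThis section code, e.g. O4
    r"(?P<detail>.+)$"
)

# Block copied from the thread (text between the dotted lines).
SAMPLE = r"""
...................................................................
/P/U/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)
Fix ALL your O16 - DPF: entries
...................................................................
"""

def parse_block(text):
    """Return (entries, notes): parsed log lines and free-text instructions."""
    entries, notes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:   # blank line or dotted separator
            continue
        m = LINE_RE.match(line)
        if not m:
            notes.append(line)               # e.g. "Fix ALL your O16 ..."
            continue
        marks = [c for c in (m["marks"] or "") if c != "/"]
        entries.append({
            "section": m["section"],
            "detail": m["detail"],
            "markers": marks,                # empty list: tick and fix only
            "extra_steps": [MARKERS.get(c, "undefined marker /%s/" % c) for c in marks],
            "file_missing": m["detail"].endswith("(file missing)"),
        })
    return entries, notes

if __name__ == "__main__":
    for e in parse_block(SAMPLE)[0]:
        print(e["section"], e["markers"], e["extra_steps"])
```
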
 
I think I have this stuff cleaned up. I want to thank you for all the help. I have attached an HJT log, which I hope is my last for a while. Please let me know if you see something out of place. Next stop is firefox.
 