Hi. So I think I have Adware.Look2Me and something involving many Tracking.Cookies that have persistenly stayed on my system. Let me go through what I've done so far. Prior to the steps below, I installed Prevx1 and its currently running on my computer. It has not interrupted with any alerts or errors.
**Random Windows Explorer Error** Address bar is checked as being visible, but its invisible. I never noticed this before...but the address bar in IE is missing too. Address bar in Firefox is unaffected.
1. Ran Ad-aware SE
As instructed in the "Before You Post."
Results: 0 New Critical Objects
2. Ran CWShredder
In safe mode, as instructed.
Reported removing CWS.Msconfig varient
Upon restarting normally, ewido reported "wuadefui.dll" as an infection of Adware.Look2Me from C:windows\system32. Chose "Clean" as the action.
Had to restart again and ewido reported "wfdrmsdk.dll" as an infection of Adware.Look2Me from C:\Windows\system32. Chose "clean."
3. Ran Spybot S&D
As instrcuted.
Reports removing registry entries for "Windows Security Center.AntiVirusDisableNot
ify" and "WindowsSecurityCenter.Fir
ewallDisab
leNotify".
Fixed selected problems. (But Spybot has repeatedly said it cleared these problems and they keep reappearing.)
4. Attempted to run TrendHousecall. Page would not load. Perhaps this could be the result of higher security settings that I installed in response to the infection(s)?
5. Ewido scan
Attempted to update in regular mode. No update was available.
Ran in safe mode
Results: Finds infected files. Most of them are *.dll's. Most are cleaned. "C:\windows\system32\dqwav
e.dll" has an "error" and cannot be deleted. I tried to delete with Windows explorer and that doesn't work. Also noted pvp.dll and o4nsle571h.dll and 04pqle751h.dll. Cannot delete these process!
Scan log from most recent running is below:
[804] C:\WINDOWS\system32\pVp.dl
l -> Adware.Look2Me : Error during cleaning
[880] C:\WINDOWS\system32\pVp.dl
l -> Adware.Look2Me : Error during cleaning
:mozilla.7:C:\Documents and Settings\Jason\Application
Data\Mozilla\Firefox\Profi
les\akzixo
1s.default
\cookies.t
xt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Jason\Application
Data\Mozilla\Firefox\Profi
les\akzixo
1s.default
\cookies.t
xt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Jason\Application
Data\Mozilla\Firefox\Profi
les\akzixo
1s.default
\cookies.t
xt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.6:C:\RECYCLER\S-1
-5-21-3880
028103-226
8992153-14
97372460-5
00\Dc1.txt
-> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\RECYCLER\S-1
-5-21-3880
028103-226
8992153-14
97372460-5
00\Dc1.txt
-> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.54:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Statcounter
: Cleaned with backup
:mozilla.55:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Statcounter
: Cleaned with backup
:mozilla.58:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Tribalfusio
n : Cleaned with backup
:mozilla.59:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Tribalfusio
n : Cleaned with backup
:mozilla.66:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.67:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.68:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.69:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.70:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.78:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.79:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.80:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.81:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.82:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.83:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.84:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
:mozilla.85:C:\RECYCLER\S-
1-5-21-388
0028103-22
68992153-1
497372460-
500\Dc1.tx
t -> TrackingCookie.Reliablesta
ts : Cleaned with backup
C:\WINDOWS\system32\azamli
j118o.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lt4027
hmg.dll -> Adware.Look2Me : Cleaned with backup
6. Ran Symantac Deep/Extended Scan in safe mode
Result: Found and deleted 1 threat. When it examined dqwave.dll, it did not pickup a threat (even though ewido did)
7. Trojan Hunter.
Attempted to install. At the last moment before complete installation, received following error message:
CoCreateInstance failed; code 0x80040154. Clicked ok. Error repeated five times. Then, installation reported as "complete."
Ran test. Found only one problem but indicated that it could not scan pVp.dll since it was in use by another program. This file was identified by ewido as containing the Adware.Look2Me infection.
REBOOT AND TEST
Random note: After several cleaning steps, my "Quick Launch" disappeared. After putting back the "quicklaunch" and choosing Firefox, computer takes a long time to advance. When Firefox has loaded, and a page is visited, a popup begins opening in another tab. Could the malware be doing this?
Also, Prevx1 interrupts once to ask if I want to allow mpas-fe.exe from C:\windows\softwaredistrib
ution\... to be installed. I selected "Do not run."
Address bar still invisible in IE and Explorder
HIJACKTHIS LOG
Deleted files on reboot from HJT w/ Killbox. Chose to "End Explorer Shell while Killing" and did NOT choose "Keep Dummy File":
enjml1111.dll
__delete_on_reboot_mefted.
dll
pvp.dll
o4pgle751h.dll
streamhlp.dll
sporder.dll
wpa.dbl
I used KillBox! -- without the explicit instruction of this board's staff -- and now I am paying for my stupidity.
I used KillBox! to "delete on reboot" a variety of DLLs that were causing problems.
I chose "End Explorer Shell While Killing" or some option like that.
KillBox rebooted and everything started normally (Normal XP graphic. Normal XP login screen.)
I clicked on my name, "Jason" and the standard music sounded up but the page didn't advance to the normal windows screen. It was stuch on "loading your personal settings" for a much longer time than ever happened before.
When that screen went away, I saw the standard XPS windows background. But no start menu. No desktop icons of any kind.
I hit CTL ALT DEL and started up task manager, which listed 47 processes working but no programs.
I launched a "New Task" for explorer.exe and the start briefly appeared on the bottom on the screen....and then immediately disappeared.
I went back into KillBox to attempt to restore the files I had deleted, but when I chose File>Open Backups the start menu briefly appeared, and then disappeared again.
I have no idea what to do...my system appears to exist and my files all appear to be there ...but I cannot get any of my original settings, my start menu, or anything.
I'm using my backup (very old) computer....and I need help asap!
Start Free Trial
