Hi,
Lots of spyware! Let's start by removing Look2Me! Download WebRoot SpySweeper from HERE (It is a 2-week trial version.):
- Click on Free Spy Scan.
- On the next page, click on Start Scan Now
- Save the Setup file to your Desktop > click OK.
- Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
- You will be prompted to check for updated definitions, please do so.
- Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
- Check "Local Disc C" and under "What to Sweep", check every box.
- Click on "Sweep" and allow it to fully scan your system.
- When the sweep has finished, click "Remove" to remove any items found.
- Exit SpySweeper and reboot your computer.
NOTE: After SpySweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.
(If you can't perform the above scan in Normal Mode, do the same in Safe Mode.)
Next, reboot the PC to Safe mode.
Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Command Service and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".
Do the same process (of stopping and disabling) for these Services too:-
MAPI Mail Client
Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-
O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - *cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe
Close all other open programs except HijackThis and click the button Fix Checked in HijackThis.
Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.
Delete these files:-
C:\WINNT\System32\mapi32.exe
C:\WINNT\System32\WMTX.exe
C:\dm.exe
C:\windows\winsysban3.exe
C:\WINNT\System32\msappview32.exe
C:\windows\eee2.exe
C:\WINNT\elitemediapop.exe
C:\windows\winsysupd3.exe
c:\windows\myupdates.exe
Delete these folders:-
C:\WINNT\Z3VydQ
C:\Program Files\Internet Optimizer
Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the filename mentioned below and search for it. If you find it, right-click on it and click delete:-
winsi32.exe
Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner.
Save the log it gives after the scan.
Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
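
Added example, not part of the original post: a small Python parser for the HijackThis line format quoted above, used to check which of the entries marked for fixing show up again in the fresh log. The `FRESH_LOG` text and the `ExampleApp` entry are constructed sample data, and the function names are this example's own.

```python
import re

# HijackThis entries look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(O\d{1,2}|[RFN]\d) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
O23_RE = re.compile(r"^Service: (.+?) \((.+?)\) - (.+?) - (.+)$")

def parse_line(line):
    """Return a dict for one log entry, or None for headers and process lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": body}
    if section == "O4" and (o4 := O4_RE.match(body)):
        hive, key, name, command = o4.groups()
        entry.update(hive=hive, key=key, name=name, target=command.strip('"'))
    elif section == "O23" and (o23 := O23_RE.match(body)):
        display, short, owner, path = o23.groups()
        entry.update(name=display, service=short, owner=owner, target=path)
    return entry

def identity(entry):
    # Windows paths and registry names are case-insensitive, so compare lowercased.
    return (entry["section"], entry["raw"].lower())

def still_present(fixed_lines, fresh_log):
    """Entries that were checked for fixing but appear again in the fresh log."""
    fresh = {identity(e) for e in map(parse_line, fresh_log.splitlines()) if e}
    return [e for e in map(parse_line, fixed_lines) if e and identity(e) in fresh]

# Four of the entries listed in the post above.
FIXED = [
    r"O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe",
    r"O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe",
    r"O15 - Trusted Zone: *.popuppers.com",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe",
]

# Constructed fresh log (not from the thread): two entries came back, one with different case.
FRESH_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINNT\explorer.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
O4 - HKLM\..\Run: [TIAP] c:\WINDOWS\eee2.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
"""

if __name__ == "__main__":
    for e in still_present(FIXED, FRESH_LOG):
        print(e["section"], e.get("name"), e.get("target"))
```

An O4 or O23 entry that reappears after Fix Checked and a reboot usually means something is still running that rewrites it, which is why the post disables the services before fixing.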