Here's My HJT Log. I Have That Look2me Thing.

Some Registry Keys:
HKLM\Software\Microsoft\Internet Explorer\Main: Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet

There is a program called SpywareBlaster that has a large database of malicious ActiveX objects.

Example Listing O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer =, If you see entries for this and do not recognize the domain as belonging to your ISP or company, and the DNS servers

Files User: control.ini
Example Listing O5 - control.ini: inetcpl.cpl=no
If you see a line like above then that may be a sign that a piece of software is trying to make

If Look2Me-Destroyer Also can I need you to confirm one thing.

These entries will be executed when any user logs onto the computer. Once the program is successfully launched for the first time its entry will be removed from the Registry so it does not run again on subsequent logons.

A tutorial on using SpywareBlaster can be found here: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware.

https://forums.techguy.org/threads/heres-my-hjt-log-i-have-that-look2me-thing.339889/page-2

The options that should be checked are designated by the red arrow.

This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we

Restoring a mistakenly removed entry
Once you are finished restoring those items that were mistakenly fixed, you can close the program. Figure 2.

All the "tools" we use are tried and true and they are to be trusted, and the best part is they are free! Each of these finds different things and gets rid of them.

You will now be asked if you would like to reboot your computer to delete the file.

Let's break down the examples one by one.

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install - This entry corresponds to a startup launching from HKLM\Software\Microsoft\Windows\CurrentVersion\Run for the currently logged in user.

Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - This entry corresponds to a program started by the All Users Startup Folder located at C:\Documents and Settings\All

If you see UserInit=userinit.exe (notice no comma) that is still ok, so you should leave it alone.

Registry Key: HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
Example Listing O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
These options should only appear if your administrator set them on purpose or if you used Spybot's Home Page and Option

Once it's done scanning, click the Remove L2M button.

To do so, download the HostsXpert program and run it.

O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com') - This particular entry is a little different.

The hosts file contains mappings for hostnames to IP addresses. For example, if I enter in my host file: www.bleepingcomputer.com and you try to go to www.bleepingcomputer.com, it will check the

As of now there is no known malware that causes this, but we may see differently now that HJT is enumerating this key.

Open your task manager by pressing the ctrl/alt/delete keys together.

You can click on a section name to bring you to the appropriate section.

If you need more instructions, use these:
http://russelltexas....tehjtfolder.htm
http://www.bleepingc...tutorial94.html
Do this before you proceed!

2) Start > Control Panel > Add Remove Programs and uninstall webHancer Survey Companion if there.

C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053236.dll Infected!

Many users understandably like to have a clean Add/Remove Programs list and have difficulty removing these errant entries.

The O4 Registry keys and directory locations are listed below and apply, for the most part, to all versions of Windows.

but you tick what you want... Or is there a downloads page?

If you see another entry with userinit.exe, then that could potentially be a trojan or other malware. This is just another method of hiding its presence and making it difficult to be removed.

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053200.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053200.dll Deleted successfully!

Figure 11: ADS Spy
Press the Scan button and the program will start to scan your Windows folder for any files that are Alternate Data Streams.

Please be aware that when these entries are fixed HijackThis does not delete the file associated with it. It is important to note that fixing these entries does not seem to delete either the Registry entry or the file associated with it.

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will

By default it will install to C:\Program Files\Hijack This.

Do not do anything with these yet!

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F94D252A-9DA5-41D5-9317-585EB5AECED9}"
HKCR\Clsid\{F94D252A-9DA5-41D5-9317-585EB5AECED9}
Restoring Windows certificates.

When you are done, press the Back button next to the Remove selected until you are at the main HijackThis screen.

Prevention Programs: SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.