I have seen your post. I think I have the same problem as you and I have just submitted a message in order to ask for help. If you want, we can help each other. Please let me know if you get any help; I will tell you in case somebody can help me. I hope we can fix it as soon as possible.
HijackThis analysis is highly complex, and individualized in nature. While you both may be experiencing similar symptoms, they can come from completely separate sources. You should NOT simply apply HJT advice offered in one log to any other log.
Most WinAntiVirus and Amaena popup problems result from a Vundo trojan. However, neither of your logs shows a Vundo trojan, so we need to consider alternative sources.
Rose, I believe yours may be the result of a "Look2Me" infection. However, that is not my field of expertise, so I would strongly suggest you wait, patiently, until an expert responds to you, in YOUR thread.
Deuce:
Follow the directions at the following link to download, set up and run RootkitRevealer from:
Search the results to see if it finds a file called wingenerics.dll.
If you DON'T find wingenerics.dll, then STOP here, and just report back to us.
If you DO find wingenerics.dll, then we have a fix from Mike Burgess for this stealth version [which I'm sharing, c/o RKinner... who I'll be asking to continue working with you, after you apply this fix]
Ya, rootkit only came up with like two things, and it seems like the popups have stopped, at least for now, so I can't really tell you. But if all I do is run Blacklight and rename all the files it comes up with except for that one, will that fix it permanently?
When you entered this thread (on page 1), and I indicated to you that my belief was that you had a "Look2Me" infection, I did not offer any specific advice/tools on how to proceed, telling you, explicitly, that it was not my field of expertise... and strongly suggesting you wait, patiently, until an expert responds to you, in YOUR thread.
distractedRose, April 18th, 2006 21:00:
ky331, April 18th, 2006 22:00:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, run rootkitrevealer again and see if things look any better now.
deucestarkey02, April 18th, 2006 23:00:
RKinner, April 19th, 2006 00:00:
Did rootkit revealer find a lot of files or just a few registry entries?
Download and run Blacklight.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Leave "scan through Windows Explorer" checked, click > scan, then > next.
If any items show, have Blacklight rename them, except for "wbemtest.exe".
Do not rename "wbemtest.exe"; it's a Windows file.
The tool will ask if you want to reboot (restart); choose yes.
Do the popups by any chance say Messenger Service at the top?
Ron
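Both ky331's instruction (search the RootkitRevealer results for wingenerics.dll) and RKinner's question above (many files, or only a few registry entries?) can be answered from the tool's saved log rather than by eye. The Python script below is an added example, not code from this thread or from Sysinternals: it parses a constructed sample modelled on RootkitRevealer's tab-separated output (path, timestamp, size, description; that column layout is an assumption), counts discrepancies per kind, and looks for the named file. RootkitRevealer reports differences between what the Windows API shows and what the raw disk and registry contain; a file that is entirely "Hidden from Windows API" is the stealth symptom the thread is after, while other discrepancy types (files created during the scan, keys with embedded nulls) are often benign.

```python
# Registry hive prefixes RootkitRevealer uses for registry discrepancies
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")

# Constructed sample rows modelled on RootkitRevealer's tab-separated log:
# (path, timestamp, size, description). Not output from this thread; the
# GUID and the prefetch hash are placeholders.
SAMPLE_ROWS = [
    (r"HKLM\SOFTWARE\Classes\CLSID\{CONSTRUCTED-0000-0000-0000-000000000000}",
     "4/18/2006 9:16 PM", "0 bytes", "Key name contains embedded nulls (*)"),
    (r"HKLM\SOFTWARE\ConstructedVendor\Settings",
     "4/18/2006 9:16 PM", "0 bytes",
     "Data mismatch between Windows API and raw hive data."),
    (r"C:\WINDOWS\system32\wingenerics.dll",
     "4/17/2006 11:02 PM", "25.50 KB", "Hidden from Windows API."),
    (r"C:\WINDOWS\Prefetch\RUNDLL32.EXE-CONSTRUCTED.pf",
     "4/18/2006 9:20 PM", "12.00 KB",
     "Visible in Windows API, but not in MFT or directory index."),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_log(text):
    """Turn RootkitRevealer-style lines into dicts. Anything that is not four
    tab-separated fields (blank lines, summary text) is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        path, timestamp, size, description = fields
        kind = "registry" if path.upper().startswith(REGISTRY_HIVES) else "file"
        entries.append({"path": path, "timestamp": timestamp, "size": size,
                        "description": description, "kind": kind})
    return entries


def count_by_kind(entries):
    """How many discrepancies are files and how many are registry entries."""
    counts = {"file": 0, "registry": 0}
    for entry in entries:
        counts[entry["kind"]] += 1
    return counts


def hidden_files(entries):
    """Files the Windows API did not list at all: the classic stealth symptom.
    Other descriptions (files created during the scan, keys with embedded
    nulls) are often benign and need a closer look before acting."""
    return [e["path"] for e in entries
            if e["kind"] == "file"
            and e["description"].startswith("Hidden from Windows API")]


def find_file(entries, filename):
    """Case-insensitive search for a file name among the discrepancies."""
    wanted = filename.lower()
    return [e["path"] for e in entries
            if e["kind"] == "file"
            and e["path"].lower().rsplit("\\", 1)[-1] == wanted]


def verdict(text, filename="wingenerics.dll"):
    """(found, matching paths, counts) for the thread's decision point:
    found -> apply the wingenerics fix; not found -> stop and report back."""
    entries = parse_log(text)
    hits = find_file(entries, filename)
    return (bool(hits), hits, count_by_kind(entries))


if __name__ == "__main__":
    found, hits, counts = verdict(SAMPLE_LOG)
    print(f"{counts['file']} file and {counts['registry']} registry discrepancies")
    print("wingenerics.dll found:", found, hits)
```

To use it on a real scan, save RootkitRevealer's results to a text file, read that file into a string and pass it to verdict(); the constructed sample only stands in for that file so the script runs offline.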
deucestarkey02, April 19th, 2006 00:00:
RKinner, April 19th, 2006 00:00:
If Blacklight finds anything, renaming what it finds will remove it.
You need to update your Java and remove the old one. The old one has weaknesses that let WinFixer in.
Get the latest version of Java:
http://www.java.com/en/download/windows_automatic.jsp
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions, which have exploitable flaws.
If you have an older PC, get rid of Microsoft Java Virtual Machine.
The following site explains how to tell if you have it:
http://www.java.com/en/download/help/uninstall_msvm.xml
The automated removal tool is no longer available on Microsoft's site but can be obtained here:
Download the MSJVM Removal Tool from:
http://www.majorgeeks.com/download4158.html
and run it.
Ron
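RKinner's point that a Java update leaves the older, flawed runtime installed beside the new one can be checked mechanically instead of by scrolling through Add/Remove Programs. The Python script below is an added example, not code from this thread or from Sun: when run on Windows it reads the DisplayName of every entry under the Uninstall registry keys that Add/Remove Programs lists, and on any platform it can be fed a list of names directly; it then flags every Java runtime entry older than the newest one present. The display-name patterns (Sun's older "v1.4.2_03" style and the "5.0 Update 6" style, where J2SE 5.0 is internally version 1.5) and the constructed sample list are assumptions.

```python
import re
import sys

# Constructed Add/Remove Programs display names (not from the thread), in the
# two naming styles Sun used around 2006: "v1.4.2_03" and "5.0 Update 6".
SAMPLE_DISPLAY_NAMES = [
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Mozilla Firefox (1.5.0.2)",
]

# Where Add/Remove Programs reads its entries from (32-bit and WOW64 views).
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

JAVA_NAME = re.compile(r"\b(?:J2SE|Java)\b", re.I)
# Old style: "1.4.2_03" -> (1, 4, 3).  New style: "5.0 Update 6" -> (1, 5, 6),
# because J2SE 5.0 is internally version 1.5; "6 Update 1" -> (1, 6, 1).
OLD_STYLE = re.compile(r"\bv?1\.(\d+)(?:\.\d+)?(?:_(\d+))?")
NEW_STYLE = re.compile(r"\b(\d+)(?:\.\d+)?(?:\s+Update\s+(\d+))?", re.I)


def java_version(display_name):
    """Comparable (1, minor, update) tuple for a Java runtime or JDK entry
    (a JDK bundles a runtime), or None for anything else. Java Web Start is
    skipped because it is a launcher, not a runtime."""
    if not JAVA_NAME.search(display_name) or "Web Start" in display_name:
        return None
    m = OLD_STYLE.search(display_name)
    if m:
        return (1, int(m.group(1)), int(m.group(2) or 0))
    m = NEW_STYLE.search(display_name)
    if m:
        return (1, int(m.group(1)), int(m.group(2) or 0))
    return None


def stale_java_entries(display_names):
    """Java entries older than the newest Java entry present: the ones to
    remove through Add/Remove Programs after updating."""
    found = []
    for name in display_names:
        version = java_version(name)
        if version is not None:
            found.append((version, name))
    if not found:
        return []
    newest = max(version for version, _ in found)
    return [name for version, name in found if version < newest]


def installed_display_names():
    """DisplayName of every Add/Remove Programs entry (Windows only; returns []
    elsewhere so the rest of the script still runs on the constructed list)."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    for subkey in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue  # this view does not exist on this machine
        with root:
            index = 0
            while True:
                try:
                    child = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, child) as entry:
                        names.append(str(winreg.QueryValueEx(entry, "DisplayName")[0]))
                except OSError:
                    continue  # entry without a DisplayName is not shown in the list
    return names


if __name__ == "__main__":
    names = installed_display_names() or SAMPLE_DISPLAY_NAMES
    for name in stale_java_entries(names):
        print("old Java runtime still installed:", name)
```

The script only reports; removal is still done through Add/Remove Programs as RKinner describes, which keeps the uninstaller's own cleanup (registry, browser plugin registration) intact.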
deucestarkey02, April 19th, 2006 01:00:
Blacklight doesn't give me the option to leave the scan through Windows Explorer checked, but I ran it and it wouldn't let me change the names of anything after I clicked next.
I also upgraded to the newest version of Java. Sorry if this is difficult; I'm pretty much a novice with computers.
deucestarkey02, April 19th, 2006 01:00:
It said there were no hidden items, and it only gives me the option to show all processes. I can't copy it either.
RKinner, April 19th, 2006 01:00:
Not your fault. The programs change all the time and I don't always notice when something changes in the way they work. What files did the program find? Can you get it to give you a log?
Ron
RKinner, April 19th, 2006 13:00:
Have you seen any popups lately?
Let's try the wingenerics fix anyway just in case it's hiding from rootkitrevealer.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode.
Ron
distractedRose, April 19th, 2006 17:00:
Hello again,
Thank you very much for your information. I followed your advice and I looked for some tool to remove Look2Me virus. I found one in the following address: http://www.symantec.com/avcenter/venc/data/spyware.look2me.html
I did the scan and this is what I got:
Symantec Spyware.Look2Me Removal Tool 1.0.1
Spyware.Look2Me has not been found on your computer.
So now I am completely lost. Do you know about some other tools I can use?
Thank you very much for your help.
RKinner, April 19th, 2006 18:00:
ky331, April 19th, 2006 19:00:
distractedRose, April 19th, 2006 19:00:
deucestarkey02, April 19th, 2006 19:00: