[dfb500]

Hello, I have a large problem. It seems a virus of some type got downloaded to my Win XP home computer, because I am networked with another machine at home (Win 98) that also has the virus. Basically, the malicious parasite has changed my Internet toolbar and attempts to bring up continuous Pop-ups....somehow this virus appears related to a site call allaboutsearching.com

I have run three separate spy removal software programs and although each seems to find and delete different files the problem is never eradicated. What can I do....I am almost to the point of reinstalling Windows on both machines and starting from scratch, is that a viable option?

Is my other networked machine reinfecting my computer as I run this software or do spy removal software suck?

I ran both Spyhunter (paid for it too) and Ad-aware to no avail.

Please, someone assist!!!!

[Advertisements]

It's probably not a virus, but adware, just as bad. To make sure, let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

[Smokey]

It's probably not a virus, but adware, just as bad. To make sure, let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

[dfb500]

Ok, here is the log as requested from one of the PC's......

David

[dfb500]

Whoops, sorry, here it is

Logfile of HijackThis v1.97.7
Scan saved at 7:12:20 PM, on 4/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: test anti dent - {4383F21C-1C95-1880-F4A3-41157EC5DB8D} - C:\PROGRA~1\MAGSDE~1\Log Rdr.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O6 "USB002" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} (Participant Class) - http://idx-care-cast...ext/IDXWFCC.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - http://idx-care-cast...xt/IDXTools.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bettingha...BettingHall.cab
O16 - DPF: {E0496809-4500-11D3-BEE1-00C04F559D73} (IdxLcjInstall Class) - http://idx-care-cast...etupBrowser.cab
O16 - DPF: {EE986640-0821-4482-B4A3-C41EB8A18597} (WebLocator Class) - http://idx-care-cast...contextlets.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idx-care-cast.../IDXBrowser.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99342B20-50FC-448C-B384-28D4523A9292}: NameServer = 205.188.146.146

[admin]

First, try downloading and running this special tool to remove Link2Me infections:
http://www.spywarein...les/kill2me.zip

[dfb500]

Ok, I ran it as requested, it told me that I wasn't infected but I ran it anyway, no effect......

David

[ditto]

Download and run these two programs.

CLICK HERE to download Spybot S&D
CLICK HERE to download Ad-aware

Using Spybot: Start Spybot S&D using the "Spybot-S&D (easy mode)" link from your Start menu . Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button.

Using Ad-aware: Open Ad-Aware and use the Check for updates now link. Download and accept the latest reference file. When finished click the Start button. When done scanning, the Abort button will change to Next. Click the Next button. Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed.



ditto

[dfb500]

Just to let you know I had already run these two (and other products) before posting here, I did run each agaim however, rebooted and here is the log.

The Ad-Aware product did say it could not delete this file:

C:\Windows\system32\6qo4svc.cpy.dll

Is that part of the problem?

Logfile of HijackThis v1.97.7
Scan saved at 7:27:13 PM, on 4/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: test anti dent - {4383F21C-1C95-1880-F4A3-41157EC5DB8D} - C:\PROGRA~1\MAGSDE~1\Log Rdr.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O6 "USB002" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} (Participant Class) - http://idx-care-cast...ext/IDXWFCC.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - http://idx-care-cast...xt/IDXTools.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bettingha...BettingHall.cab
O16 - DPF: {E0496809-4500-11D3-BEE1-00C04F559D73} (IdxLcjInstall Class) - http://idx-care-cast...etupBrowser.cab
O16 - DPF: {EE986640-0821-4482-B4A3-C41EB8A18597} (WebLocator Class) - http://idx-care-cast...contextlets.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idx-care-cast.../IDXBrowser.cab


David

[Smokey]

Just a few more to clean up. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bettingha...BettingHall.cab

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log.

[dfb500]

Ok, I did as you requested

Logfile of HijackThis v1.97.7
Scan saved at 10:30:15 AM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: test anti dent - {4383F21C-1C95-1880-F4A3-41157EC5DB8D} - C:\PROGRA~1\MAGSDE~1\Log Rdr.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O6 "USB002" /M "Stylus Photo 900"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {49727C2C-01F6-4F27-9D12-A877E77C82FF} (Participant Class) - http://idx-care-cast...ext/IDXWFCC.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A325C946-0C71-4098-AC94-46694E46CEB4} (TerminalID Class) - http://idx-care-cast...xt/IDXTools.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0496809-4500-11D3-BEE1-00C04F559D73} (IdxLcjInstall Class) - http://idx-care-cast...etupBrowser.cab
O16 - DPF: {EE986640-0821-4482-B4A3-C41EB8A18597} (WebLocator Class) - http://idx-care-cast...contextlets.cab
O16 - DPF: {EECF9899-FC3A-4841-986F-30B874921B36} (BrowserObj Class) - http://idx-care-cast.../IDXBrowser.cab

[admin]

The Ad-Aware product did say it could not delete this file:

C:\Windows\system32\6qo4svc.cpy.dll

Is that part of the problem?

I Just noticed this earlier post. Yup, that's the problem.

You have to manually remove this one, although the average user should be able to do this, if you're unsure of your ability to perform this fix, please stop. I'm sure Ad-aware will issue a fix in one of their next reference files (I know they're actively working on it).

First run ad-aware to see the name of the .dll, as it varies (changes its name) for everyone. You will see a line like this in your ad-aware logs:

Deep scanning and examining files
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
VX2.BetterInternet Object recognized!
Type : File
Data : 6qo4svc.cpy.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\

I used the last name you provided in this example (aetiveds.cpy.dll). The name (Data) may be diferrent, just write it down. Disconnect from the internet (unplug is best so you wont connect on re-boot). Then empty all your temp files from within your browser (Tools, Internet Options, Delete Temporary Internet Files). Next, you'll need your Windows XP CD. Put the Windows CD in the tray and reboot the computer...

-You should get a "press any key to boot from CD" message, so do that.

-It will load a bunch of files and eventually give you a menu where you can select the "Recovery Console" by pressing R... press R.

-You'll see your Windows Installation like "C:\Windows", type the number 1 and press enter.

-Administrator password is next: it's probably blank, so just press enter. Unless you've created one, in which case enter it.

-With all that done you'll end up with a C:\Windows> prompt

Now to delete these files:

At the command prompt type del c:\windows\system32\6qo4svc.dll

and

del c:\windows\system32\6qo4svc.cpy.dll

(Remember, these dll names may be different for you. Also, ad-aware may have only seen the .cpy one, the other is there as well and needs to be removed)

Then when that is complete, remove the CD from the tray and type Exit and it will reboot.

Rescan with Ad-aware and let it remove the registry entry. When done, reconnect to the Internet, and let us know how it works. Hope this helps!

[dfb500]

One problem, I did not get recovery CD's with this computer, I think I was supposed to run some utility to create them through Compaq and I never did, does this mean I'm screwed?

David

[admin]

No problem, just download Windows XP boot disks from here:
http://www.bootdisk.com

[dfb500]

Before I do that I think my setup files are on a partitioned drive, is there a way to do what you are asking using that and if so how because the Recovery Console makes it sound like it will reinstall Windows in its entirety causing possible file and application loss.

Lastly, why isn't there some way on this computer to delete any file I want or kill the process that owns that suspect file?

David

[admin]

Before I do that I think my setup files are on a partitioned drive, is there a way to do what you are asking using that and if so how because the Recovery Console makes it sound like it will reinstall Windows in its entirety causing possible file and application loss.

It depends on your system, if you can enter the XP setup mode with out running the full system restore you should be able to. Recovery Console is the closest thing there is to DOS available in XP, it allows command line modifications.

Lastly, why isn't there some way on this computer to delete any file I want or kill the process that owns that suspect file?

This is a nasty pest. There's another solution that kills the DLL's and then fix the registry entries, however the recovery console method is easier. Here's the alternative method (put on your geek glasses ):

Steps to take:
You will need KillBox ver.2.00.0179, so download that and keep it handy, we will need it to remove the Look2Me files.(unzip the files to your Desktop)

1.) From Control Panel>>Administrative Tools>>Local Security Policy & Under Local Profiles>>User Rights Assignment...and on the right side look for Debug Programs>>Right Click>>Select Properties.

2.)Click Add User or Group and when the next Window opens, click the Object Types button, and now put a Check in the box for Groups. click OK

3.)That Window will close, and the one you are left with click Advanced and from the next Window Find Now
*Look under Name(RDN) for Administrators and select it & Click OK.

4.)Administrators should show up in the box beside "Check Names" just Click OK, then that Window will close..and the next Window under the only Tab "Local Security Setting" should have Administrators listed in it, if it does Click Apply then OK again.

A Screenshot of what you should have.
and
Screenshot of what an infected system looks like.

With a reboot that fixes that.
*Make sure you reboot!

After rebooting...
Close all open Windows, open KillBox and under Fix L2M>>Kill VX2.BetterInternet.
As before your Computer will Shut down..
On rebooting, the 2 files will be deleted.

*The Problem
Because we accessed these .dll files, they will have corrupted the User Rights Assignment again , but no big deal.
Repeat the Process of Adding the Administrators Group to the Debug Programs again, and since the offending files are gone, this time those settings will stay put.

Things to do with Killbox after removing these files:
1.)Click Find>>Find VX2.BetterInternet
*Nothing Should show up in the next window, if it does you are infected still. But if Clean then...

2.)Click Find>>User Agent String, click on the CLSID key, and under Action>>Delete User Agent String

3.)Click Fix L2M>>Import L2M.reg to remove various registry keys set by the software.

Run Ad-aware using an Updated reference file to remove anything else I missed.