#1
My browser is continuously being redirected. Keep seeing "spotresults.com" & having popups. Every time I run spybot, it finds "look2Me". I remove it, reboot. But if I run spybot again, it is still there. I also ran adaware.
Here is my hijack this log:
#2
Hi haley,
Download: http://download.broadbandmedic.com/V.../VX2Finder.exe
Click on the *Click to find VX2 files* button and post the contents please.
Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
#3
Hi, When I click on your link, I get an error message:
error 404: File not found
The document you requested is not found.
#4
I went directly to the site to download it. After I downloaded & tried to open I get this message: "This finder is currently for NT based systems"
What next? Thanks
#5
My mistake, I am sorry.
I should have given you this link: http://www.downloads.subratam.org/VX2Finder9x.exe
Regards, Pieter
#6
Done. Here is the log:
#7
OK. Nothing in there that looks necessary.
1.) Scan again with the finder, this time select the files it finds and delete them.
2.) During the deletion the utility will end both Rundll32 & explorer.exe processes, so when all files are gone:
3.) Click the restore desktop button to get the desktop back.
4.) Click UserAgent$ to delete last registry item.
5.) Clear the contents of your C:\Windows\Temp folder
6.) Reboot
Regards, Pieter
#8
A couple of questions:
In C:\Windows\Temp folder .... do I delete everything?
There is a Win Tools Application - is that ok to delete?
~df1286.tmp
~df584e.tmp
... both of these say "Cannot delete access denied, make sure the disk is not full or write protected and that the file is not currently in use". Both were created this morning.
Thanks for your help.
#9
Quote:
Yes. Everything in it, not the folder itself.
Yes. Very much OK to delete.
Are you in safe mode? In that case leave them.
Regards, Pieter
#10
Just ran spybot & it found LOOK2Me again... Now what?
#11
Let it clean out what it finds. Hopefully this time it will be permanent.
Regards, Pieter
#12
It's GONE! Thank you!!!!
#13
Cool
You did all the hard work.
Please read: http://www.wilderssecurity.com/showthread.php?t=27971
Regards, Pieter