Redirected Browser, Look2Me

Discussion in 'adware, spyware & hijack cleaning' started by Haley, May 24, 2004.

Thread Status:
Not open for further replies.
  1. Haley

    Haley Registered Member

    Joined:
    May 15, 2004
    Posts:
    15
    My browser is continuously being redirected. Keep seeing "spotresults.com" & having popups. Every time I run Spybot, it finds "Look2Me". I remove it, reboot. But if I run Spybot again, it is still there. I also ran Ad-Aware.

    Here is my HijackThis log:


    Logfile of HijackThis v1.97.7
    Scan saved at 9:11:10 AM, on 5/24/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\3CMLNKW.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
    C:\PROGRAM FILES\BELLSOUTH\CORRECTCONNECT ENGINE\CCD.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe files\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38123.2613541667
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  3. Haley

    Hi, when I click on your link, I get an error message:

    error 404: File not found


    The document you requested is not found.
     
  4. Haley

    I went directly to the site to download it. After I downloaded & tried to open it, I get this message: "This finder is currently for NT based systems"

    What next?

    Thanks
     
  5. Pieter_Arntz

  6. Haley

    Done. Here is the log:


    Log for VX2.BetterInternet File Finder

    Files Found---


    User Agent String---
    {17CAB53A-430C-4970-964B-29756A2CFF2A}
     
  7. Pieter_Arntz

    OK. Nothing in there that looks necessary.

    1.) Scan again with the finder, this time select the files it finds and delete them.
    2.) During the deletion the utility will end both Rundll32 & explorer.exe processes, so when all files are gone:
    3.) Click the restore desktop button to get the desktop back.
    4.) Click UserAgent$ to delete the last registry item.
    5.) Clear the contents of your C:\Windows\Temp folder.
    6.) Reboot

    Regards,

    Pieter
     
  8. Haley

    A couple of questions:

    In the C:\Windows\Temp folder... do I delete everything?

    There is a Win Tools Application - is that ok to delete?

    ~df1286.tmp
    ~df584e.tmp ... both of these say "Cannot delete access denied, make sure the disk is not full or write protected and that the file is not currently in use"

    Both were created this morning.

    Thanks for your help.
     
  9. Pieter_Arntz

    Yes. Everything in it, not the folder itself.

    Yes. Very much OK to delete. :)

    Are you in safe mode? In that case leave them.

    Regards,

    Pieter
     
  10. Haley

    Just ran Spybot & it found Look2Me again... Now what?
     
  11. Pieter_Arntz

    Let it clean out what it finds. Hopefully this time it will be permanent.

    Regards,

    Pieter
     
  12. Haley

    It's GONE! Thank you!!!!
     
  13. Pieter_Arntz
