Jump to content


Photo

Look2Me on ME Giving Me Fits


  • This topic is locked This topic is locked
5 replies to this topic

#1 cinlynn

cinlynn

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 May 2004 - 01:15 AM

SpybotS&D always comes back with this line "Look2Me: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}" even after I've told it to fix it. How do I make this go away?

I've update SpybotS&D and AdAware as well as Aluria's SpyWare Eliminator.

Here's my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 12:59:46 AM, on 5/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\MEMRX.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [help] "C:\windows\system\helper.exe "
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Aluria's Pop-Up Stopper] C:\PROGRAM FILES\ALURIA SOFTWARE\EPS\EPS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8038.8424074074
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab27571.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab27571.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab

Let me know if there's anything else that needs to be fixed. Something is bogging my system, making it even slower than normal.

ThanX,

Cin

#2 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 23 May 2004 - 11:03 AM

Cinlynn

Have Hijack This fix the following lines:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [help] "C:\windows\system\helper.exe "
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_EN.cab

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix-button.

Download Kill2me, unzip it to a permanent folder and let it run.

Open regedit via Start > Run > 'regedit' (type or paste without quotes) and browse to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
(In the left pane click on the plus-sign in front of HKEY_LOCAL_MACHINE, then on the plus-sign in front of Software, etc. up to 'Notify'.)
Look whether there is a key under Notify with name 'Guardian'. If so, select it and look in the right pane for a filename with path 'C:\Windows\System32\'. If it is there take a note of the filename.
Report back here please.
_______
Wiskonst

#3 cinlynn

cinlynn

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 May 2004 - 01:00 PM

ThanX Wisconst, I followed your directions to this point, "browse to the following key:"
I got to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" but the only folders under that are "drivers.desc" and "Drivers32"

Here's my latest HJT Log:

Logfile of HijackThis v1.97.7
Scan saved at 12:57:36 PM, on 5/23/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\SYSTEM\HPZTSB02.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\EPS\EPS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Aluria's Pop-Up Stopper] C:\PROGRAM FILES\ALURIA SOFTWARE\EPS\EPS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8038.8424074074
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?312
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab27571.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab27571.cab

I ran it with everything that's in my startup going so I could get some input on which, if any of them are good or bad.

Cin

#4 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 23 May 2004 - 02:56 PM

Cinlynn

Could you in Explorer browse to the C:\Windows\System folder and do a search for *.cpy.dll files. If any turn up please report here.

Download VX2 Finder to a permanent folder and run it. Click 'Click to find VX2' and wait till the text in the upper pane changes. Then click 'Save log' (to the right), save the file and copy and paste it here.

Download Koolme.reg, save it to a folder and run it by doubleclicking on it. Confirm when asked.

Then run Spybot again and see whether the Look2me detection still occurs.

The RUN entries in the log are allright except for this one (if you don't use the update function of Realplayer):
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
_______
Wiskonst

Edited by Wiskonst, 23 May 2004 - 03:05 PM.


#5 cinlynn

cinlynn

    Member

  • New Member
  • Pip
  • 3 posts

Posted 23 May 2004 - 06:07 PM

Wiskonst,

ThanX so much.

I ran the search and came up with nothing for "*.cpy.dll"

I downloaded VX2 Finder, but got an error saying it is only for NT based sytems.

Downloaded Koolme.reg and told it okay.

Rebooted my system and ran Spybot, which came back clean. hopefully I can keep it this way until I get the firewall installed and set up.

ThanX.
Cin

#6 Wiskonst

Wiskonst

    Advanced Member

  • Helper
  • PipPipPip
  • 152 posts

Posted 24 May 2004 - 07:57 AM

Cinlynn

Glad we could help!
_______
Wiskonst

Donate to Spywareinfo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button