Afware.Look2Me Problems


7 replies to this topic

#1 BillyBoy

    Member

  • Full Member
  • 5 posts

Posted 31 May 2004 - 04:00 PM

I'm a new member & have read the FAQ.
I have a case of Adware.Look2Me that I can't eradicate.

I've installed & run Ad-Aware, Spybot and CWSshredder with the latest updates. I'm using ZoneAlarm (recently had problems with Norton Internet Security) and Norton Antivirus 2004. Running these programs got rid of a lot of hits, but there's still one file I can't get rid of.

Norton shows the PC has Adware.Look2Me. I deleted the files that showed up and, by going into safe mode and stopping the process Rundll.exe, was able to delete the 3er.dll that Norton couldn't delete. But every time I reboot there's another file like that added to WINDOWS/system32 (e.g., 3er.dll, 3lreng.dll ...). All these files are the same size and have the same date & time of creation.

There is one file in WINDOWS/system32 (3fr.dll) that has the same size, creation date and time as the files detected by Norton that I can't delete because it's being used by a program. In safe mode, I stopped every process that Windows Task Manager would let me and I still couldn't delete that file because it's still being used by a program. It's interesting that Norton doesn't detect the 3fr.dll as a problem, but I'm sure it's part of it.

Here's my latest HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 4:11:41 PM, on 5/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\KMaestro\WTS_KEY.EXE
C:\Downloaded_Updates\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.n...t/comcast.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap...loads/cpuid.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...oad.9.0.0.2.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} - http://install.anark...en/AMClient.cab


Thanks!

#2 BillyBoy

    Member

  • Full Member
  • 5 posts

Posted 04 June 2004 - 05:57 PM

While I was waiting for help, I did some more reading of other posts and hopefully have fixed my problems. It's too early to tell, but I am optimistic.
:D
Even though I think I fixed things, I'm keeping this posting open because I don't know if I got everything. I had quite a few problems that Ad-Aware, Spybot and CWSshredder removed, but I suspect there are still droppings in my system from all the junk that had infected my PC. I would GREATLY appreciate it if an expert would check the HijackThis log (pasted below near the end of this post) & let me know if there's anything in it that I should remove. :wtf:

Here's what I did in case someone else has the problem.
Based on another Look2Me posting, I downloaded VX2Finder.exe, put it on my desktop and executed it. Here's the log:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\3crargb.dll
C:\WINDOWS\System32\3fr.dll


Guardian Key--- is called: GuardianJUQWZ
Asynchronous 000
DllName C:\WINDOWS\system32\3fr.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {62C064A0-C2DE-4097-A43D-BDEFBB2EEE9E}
IDex DS3

User Agent String---
{62C064A0-C2DE-4097-A43D-BDEFBB2EEE9E}

I put a checkmark next to the 2 file names and hit "Delete these files" to get rid of the 3crargb.dll and 3fr.dll files.
(The 3fr.dll file was the one I knew was part of the problem but couldn't delete.)
One of the files was deleted, but I got a message to reboot to get rid of the other file. I did a restart and ran VX2Finder.exe again.

Then I hit the "Guardian.reg" button to get rid of the Guardian Key and then I hit the "User Agent$" button to get rid of the User Agent string.

I ran VX2Finder again & got a clean scan. Here's the log:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

Now a new file 3fr.dll is in windows\system32. It's much smaller than the one I had been trying to get rid of and it isn't hidden. I opened it with notepad & the file contents are:
Look2Me trojan dummy file
It is safe to delete this file

I ran Ad-Aware and Spybot again and nothing was found. I rebooted in safe mode and ran Norton Anti-virus (it had previously told me about Look2Me being there but it didn't mention the 3fr.dll) and everything was clean.

I restarted in normal mode and so far everything looks good.

However, I don't know if I got rid of everything ... I did my cleaning by reading other responses and I didn't remove anything that HijackThis found since I don't know enough to tell what is good and needed and what is bad and should be deleted.

Here is my current HijackThis log. I would GREATLY appreciate it if an expert would check this log & let me know if there's anything in it that I should remove.

Logfile of HijackThis v1.97.7
Scan saved at 5:18:32 PM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\KMaestro\WTS_KEY.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloaded_Updates\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.n...t/comcast.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap...loads/cpuid.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...oad.9.0.0.2.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} - http://install.anark...en/AMClient.cab

By the way, in the course of trying to fix my problems I found that there's a file called "RECYCLER" in each of my drives. I can't delete it - being used. I don't know if this is normal (like maybe Norton uses it to save files it quarantines) or not. :wtf:

Edited by BillyBoy, 05 June 2004 - 04:53 AM.
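The "Guardian Key" block in the VX2Finder log above (Asynchronous, DllName, Impersonate, Logon, Logoff) is a Winlogon notification package registration: winlogon.exe loads the named DLL at logon and logoff events, which is exactly why 3fr.dll stayed in use and undeletable even in safe mode. As an added example (not code from the thread, from VX2Finder or from any tool named here), the Python below parses that block and lists the reasons such an entry is a persistence hook. The sample log text is constructed from the values quoted in the post, and the baseline list of stock Windows XP notification DLLs is an assumption.

```python
"""Parse a VX2Finder-style "Guardian Key" block and explain the Winlogon
Notify registration it describes.

Added example, not code from the thread or from VX2Finder.  The sample log
text is constructed from the values quoted in the post above; the baseline
of stock Windows XP notification DLLs is an assumption."""
import re

# Constructed sample: the VX2Finder output as the poster pasted it.
SAMPLE_VX2_LOG = """\
Log for VX2.BetterInternet File Finder

Files Found---
C:\\WINDOWS\\System32\\3crargb.dll
C:\\WINDOWS\\System32\\3fr.dll


Guardian Key--- is called: GuardianJUQWZ
Asynchronous 000
DllName C:\\WINDOWS\\system32\\3fr.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {62C064A0-C2DE-4097-A43D-BDEFBB2EEE9E}
IDex DS3

User Agent String---
{62C064A0-C2DE-4097-A43D-BDEFBB2EEE9E}
"""

# Assumption: the DLLs that the stock Windows XP SP1 Winlogon\Notify subkeys
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
# termsrv, wlballoon) point at.  Any other DllName deserves a closer look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}


def parse_vx2_log(text):
    """Split the log into found files, the Guardian (Notify) key and the UA string."""
    files, guardian, guardian_name, user_agent = [], {}, None, None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files Found---"):
            section = "files"
            continue
        if line.startswith("Guardian Key---"):
            section = "guardian"
            _, _, name = line.partition("is called:")
            guardian_name = name.strip() or None
            continue
        if line.startswith("User Agent String---"):
            section = "ua"
            continue
        if section == "files":
            files.append(line)
        elif section == "guardian":
            # Each line is "<ValueName> <data>", e.g. "DllName C:\...\3fr.dll".
            key, _, value = line.partition(" ")
            guardian[key] = value.strip()
        elif section == "ua":
            user_agent = line
    return {"files": files, "guardian_name": guardian_name,
            "guardian": guardian, "user_agent": user_agent}


def _is_zero(value):
    """True for REG_DWORD-style zeros as VX2Finder prints them ("0", "000")."""
    return value is not None and value.strip("0") == ""


def assess_notify_entry(values):
    """Return the reasons a Winlogon\\Notify entry looks like a persistence hook.

    An empty list means the DllName is a stock notification package."""
    dll = values.get("DllName", "")
    base = dll.rsplit("\\", 1)[-1].lower()
    if not dll or base in KNOWN_NOTIFY_DLLS:
        return []
    reasons = [f"DllName {dll} is not a stock Windows notification package"]
    if "Logon" in values or "Logoff" in values:
        reasons.append("registers Logon/Logoff callbacks: winlogon.exe loads the "
                       "DLL at every session start, which is why the file cannot "
                       "be deleted while Windows is running, even in safe mode")
    if _is_zero(values.get("Asynchronous")) and _is_zero(values.get("Impersonate")):
        reasons.append("Asynchronous=0 and Impersonate=0: the callbacks run "
                       "synchronously inside winlogon.exe as SYSTEM")
    if re.fullmatch(r"[a-z0-9]{1,8}\.dll", base) and "\\system32\\" in dll.lower():
        reasons.append(f"short, random-looking DLL name ({base}) dropped in system32")
    return reasons


if __name__ == "__main__":
    parsed = parse_vx2_log(SAMPLE_VX2_LOG)
    print("Found files:", parsed["files"])
    print("Notify subkey:", parsed["guardian_name"])
    for reason in assess_notify_entry(parsed["guardian"]):
        print(" -", reason)
```

Run against the quoted block it reports four reasons; run against the clean second log (empty Guardian Key) it reports none. The baseline check is what makes the difference: a Notify entry that points at wlnotify.dll or crypt32.dll is normal XP, while any other DllName under that key is worth treating as the thing to remove first, since nothing else on the machine can be cleaned while it reloads its payload at every logon.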


#3 BillyBoy

    Member

  • Full Member
  • 5 posts

Posted 06 June 2004 - 08:14 AM

:wtf:
Well, I knew it was too good to be true. I did get rid of the Look2Me parasite, but I still have problems. I wanted to try to avoid future infections so I downloaded the MVPS HOSTS file. Yesterday I went to connect to the internet and it was taking forever to get logged on. I have ZoneAlarm, which saves every site visited, and it was full of porno URLs. I set the access to deny for all of them, and then promptly removed the Hosts file in case I didn't set it up right and some bug was going down the list of sites in there.

I ran Spybot S&D, Ad-Aware, VX2Finder and Norton Antivirus. The only hits were from Spybot which found 2 General hijacker items and another one I can't remember. I just checked what Spybot removed and they were all HuntBar related.

That fixed the problem for now but I suspect there are still lingering items that will cause problems again.

I would GREATLY appreciate it if an expert could look over my HijackThis log and advise me on what to remove. Thanks!!

Here's the HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 9:55:19 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\KMaestro\KMaestro.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\KMaestro\WTS_KEY.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.n...t/comcast.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap...loads/cpuid.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...oad.9.0.0.2.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} - http://install.anark...en/AMClient.cab

Edited by BillyBoy, 06 June 2004 - 08:15 AM.


#4 NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • 1,369 posts

Posted 06 June 2004 - 02:54 PM

BillyBoy,

Actually, your log looks pretty good except for a few minor things that we can easily fix.

I suggest that you take a look in Add/Remove Programs to see if anything HuntBar related shows. If so, remove it.

Also, it would probably be a good idea to do an online virus scan as well as an online Trojan scan. (See links in my signature below). Allow the programs to remove anything they may find.

Go to the Microsoft Windows Update site (link below) and scan to see if you have all needed updates installed. If not, please download and install ALL critical updates.

Next, please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.” Please note that the items in BLUE are optional suggested fixes that will not remove the programs, only keep them from running at start-up, and may have the added benefit of freeing up some of your system’s resources.


O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab

O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap...loads/cpuid.cab


Reboot, scan with HijackThis, and post your new log to this same thread.

While you're waiting for your log to be checked, please take a moment or two to read the article, "How did I get infected in the first place?" (Link below). It will give you valuable information on protecting your system in the future, and it also has links to excellent free anti-spyware tools.
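The advice above follows a fixed loop: tick entries in HijackThis, "fix checked", reboot, rescan, post the new log so a helper can confirm the entries are gone. Comparing two 150-line logs by eye is error-prone, so here is an added example (not HijackThis code and not tooling from the thread) that parses v1.97-style logs into section codes, diffs two scans, and flags the three kinds of entries singled out in this thread: orphaned components ("(no file)"), O1 hosts-file overrides, and O16 ActiveX downloads. The two log excerpts are constructed from lines quoted in the thread, trimmed to a few entries each.

```python
"""Parse HijackThis (v1.97-style) logs, diff two scans and flag entry types
that usually need attention.

Added example, not HijackThis code and not tooling from the thread.  The two
log excerpts are constructed from lines quoted in the thread, trimmed to a
few entries so the diff is readable."""
import re

# "O4 - HKLM\..\Run: ..." style lines: a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RNOF]\d{1,2}) - (?P<body>.+)$")

# Constructed "before" log: a handful of entries from the 6/5 log plus the
# O1 hosts entry that appeared in the first post.
BEFORE_LOG = """\
Logfile of HijackThis v1.97.7
Scan saved at 9:55:19 PM, on 6/5/2004

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Hijackthis\\HijackThis.exe

O1 - Hosts: 207.36.196.189 ieautosearch
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2E0099} - (no file)
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKLM\\..\\Run: [BJCFD] C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe
O16 - DPF: {1552B1CD-8CB7-4776-B6CB-16EA461928E5} (Cpuid Control) - http://www.powerleap...loads/cpuid.cab
"""

# Constructed "after" log: the same machine after "fix checked" and a reboot.
AFTER_LOG = """\
Logfile of HijackThis v1.97.7
Scan saved at 10:02:32 PM, on 6/6/2004

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Hijackthis\\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKLM\\..\\Run: [Ad-aware] "C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-aware.exe" +c
"""


def parse_hjt_log(text):
    """Return {'processes': [...], 'entries': [(code, body), ...]}."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_logs(before_text, after_text):
    """Entries that disappeared (fixed) and entries new since the earlier scan."""
    before = set(parse_hjt_log(before_text)["entries"])
    after = set(parse_hjt_log(after_text)["entries"])
    return {"removed": sorted(before - after), "added": sorted(after - before)}


def flag_entries(entries):
    """Heuristic triage of the entry kinds the advisor singled out in this thread."""
    flags = []
    for code, body in entries:
        if body.endswith("(no file)"):
            flags.append((code, body, "orphaned: registered component whose file is gone"))
        elif code == "O1":
            flags.append((code, body, "hosts-file override: a hostname is pinned to a fixed IP"))
        elif code == "O16":
            flags.append((code, body, "ActiveX control installed from the web: verify the source or remove"))
    return flags


if __name__ == "__main__":
    changes = diff_logs(BEFORE_LOG, AFTER_LOG)
    for code, body in changes["removed"]:
        print("-", code, body)
    for code, body in changes["added"]:
        print("+", code, body)
    for code, body, why in flag_entries(parse_hjt_log(BEFORE_LOG)["entries"]):
        print("!", code, why)
```

The diff is keyed on the exact entry text, so a Run key whose value changed shows up as one removal plus one addition, which is the behaviour you want when checking whether a "fixed" item was silently re-added by something still resident. Entries that reappear after a reboot are the ones to chase with a Winlogon Notify or service check rather than with HijackThis again.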

#5 BillyBoy

    Member

  • Full Member
  • 5 posts

Posted 06 June 2004 - 09:22 PM

:D
Many thanks for taking the time to help me out. I appreciate it!

I looked thru the Add/Remove Programs, but don't have any idea how I would be able to tell if anything was HuntBar related. I've listed some programs below that I'm not sure what they are for.

Active Disk
A-Prompt
Dead or Alive 2
Intel Application Accelerator
WexTech AnswerWorks
Win32 BI Application
WonSWAP

The virus scans didn't catch anything. I run Norton regularly & keep it updated.
Likewise I regularly look for Windows updates.

I ran HijackThis & removed everything you suggested.

Here is the HijackThis log.

Scan saved at 10:02:32 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\KMaestro\WTS_KEY.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.n...t/comcast.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\27tx9pnx.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\Symantec\LIVEUP~1\SNDWarn.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/s...tect/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/s...utodetectNT.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...oad.9.0.0.2.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} - http://install.anark...en/AMClient.cab


Thanks again!!!! :D

#6 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 06 June 2004 - 11:01 PM

BillyBoy,

You're very welcome.

I see nothing in your Add/Remove Programs list to indicate HuntBar; however, you do want to get rid of this one: Win32 BI Application. The BI stands for BetterInternet, which is part of the Zestyfind and Look2Me gang. This may have been part of your Look2Me infection.

Otherwise, everything else looks good.

Here's some information about two free programs I use myself:

You can download IE-SPYAD here: http://www.staff.uiu...rce.htm#IESPYAD

It will place over 5000 sites in your restricted zone so that you don't accidentally visit innocent appearing sites that aren't really innocent.

There's also a small program, called RegistryProt that will warn you when a program attempts to make changes to your registry and will ask you if you want to allow the change. You'll find it here, under "freeware": http://www.diamondcs...p?page=products

Scan often with Spybot Search and Destroy and Ad-aware. Scan weekly with an online virus scanner as well as an online Trojan scanner in addition to your resident AV program. Keep using a good firewall. Add SpywareBlaster to your arsenal (see link below). It works well with SpywareGuard, which I see you have installed.

Do all of the above, be a frequent visitor to the Windows Update site, be careful about which sites you visit and what you download, and your system should remain clean.
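How the Restricted sites zone that IE-SPYAD fills is actually stored, as an added PowerShell example that is not from this thread or from IE-SPYAD itself; it assumes the per-user ZoneMap registry layout (zone number 4 is Restricted sites) and uses a constructed, reserved `.invalid` domain as the sample entry.

```powershell
# Added example, not from the thread or from IE-SPYAD: Internet Explorer keeps
# per-user zone assignments under ZoneMap\Domains. Each domain is a subkey and a
# value named for the scheme ('*' = every scheme) holds the zone number.
# Zone 4 is "Restricted sites", the zone IE-SPYAD populates.
$zoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4

function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$Domain)
    # An entry for example.com covers its subdomains as well
    $key = Join-Path $zoneMapDomains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord `
        -Value $RestrictedZone -Force | Out-Null
}

function Get-RestrictedSites {
    # Lists every domain whose all-scheme ('*') entry is the Restricted zone
    Get-ChildItem $zoneMapDomains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.'*' -eq $RestrictedZone) { $_.PSPath -replace '^.*\\Domains\\', '' }
    }
}

# Constructed sample domain (reserved TLD), not a real indicator from the thread
Add-RestrictedSite -Domain 'adware-example.invalid'
Get-RestrictedSites
```

Sites in the Restricted zone run with IE's most locked-down settings (no scripting or ActiveX), which is the whole point of the list: you can still land on the page, but it cannot drop anything.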

#7 BillyBoy

BillyBoy

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 June 2004 - 04:57 AM

Thanks again. I still need help with your latest suggestion.

I see nothing in your Add/Remove Programs list to indicate HuntBar; however, you do want to get rid of this one: Win32 BI Application. The BI stands for BetterInternet, which is part of the Zestyfind and Look2Me gang. This may have been part of your Look2Me infection.



I tried to delete the Win32 BI Application as you suggested, but couldn't. When I open the Add/Delete Programs and hit the 'Change/Remove' button I get a Prompt titled 'Advanced INF Install' that says 'Error: could not locate INF file 'c:\WINDOWS\INF\payload.inf'.

How do I get rid of the remains of Win32 BI Application?

#8 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 07 June 2004 - 05:22 AM

BillyBoy,

Since you've run the VX2finder twice, it's possible that the file is not really there even though the entry still shows in Add/Remove Programs, and that's why you're getting the error message. (It's like a dead link). To make sure, reboot into safe mode and try again to remove the program through Add/Remove Programs.

If there's nothing remaining, don't worry about the dead entry.
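A way to find every such dead entry across Add/Remove Programs at once, as an added PowerShell example that is not from this thread; it assumes the standard Uninstall registry keys, and the `rundll32 advpack.dll,LaunchINFSection <file.inf>,<section>` command form for INF-based uninstallers is an assumption for the example. It only reports; it deletes nothing.

```powershell
# Added example, not from the thread: report Add/Remove Programs entries whose
# uninstall command names a file that is no longer on disk (the "dead link"
# case above). Read-only: it lists entries, it does not remove anything.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # MSI packages are handled by Windows Installer, not by a file on disk
    if ($cmd -match '^msiexec(\.exe)?\b') { return $null }
    # INF-based uninstallers (the "Advanced INF Install" dialog in the post);
    # command form assumed for this example:
    #   rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\file.inf,Section
    if ($cmd -match 'LaunchINFSection\s+([^,]+\.inf)') { return $Matches[1].Trim() }
    # Quoted executable: "C:\Program Files\Foo\uninst.exe" /S
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Otherwise the first token is the executable; bare names without a
    # path cannot be checked reliably, so they are skipped
    $first = ($cmd -split '\s+')[0]
    if ($first -notmatch '[\\/]') { return $null }
    return $first
}

function Get-OrphanedUninstallEntries {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if (-not $p.UninstallString) { continue }
            $target = Get-UninstallTarget $p.UninstallString
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                [pscustomobject]@{
                    DisplayName = $p.DisplayName
                    RegistryKey = $key.PSChildName
                    MissingFile = $target
                    Command     = $p.UninstallString
                }
            }
        }
    }
}

Get-OrphanedUninstallEntries | Format-Table -AutoSize
```

An entry listed here is exactly the situation described in the post: the uninstaller is gone but its registry entry remains, so the Change/Remove button can only fail.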



