
Look2Me Won't Go Away


8 replies to this topic

#1 uyeahu

uyeahu

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 09 June 2004 - 01:40 PM

I've tried and tried to get rid of this problem but it continues to get worse. My work computer has been hijacked by adware and I'm now getting pop-ups at a rate of about 2 per minute. I can't just disconnect from the internet because my job requires that I be available by email and Instant Messenger at all times. This is really becoming a hindrance to my work so I hope one of you will please assist me in getting rid of this stuff.

I've run Adaware, spybot blaster, kill2me.exe, cwshredder and fix.reg but the pop ups are back within a few hours at most.

My HijackThis log is:
Logfile of HijackThis v1.97.7
Scan saved at 1:20:43 PM, on 6/9/04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\winhlp32.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Gretchen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

When I type in: javascript:navigator.userAgent
I get: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; {F119E2FC-17D9-413D-B03C-07C8F3451EB9})

VX2_BetterInternet finds:
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\system32\ibseng.dll
C:\WINDOWS\system32\ieseng.dll
C:\WINDOWS\system32\ifseng.dll
C:\WINDOWS\system32\izseng.dll
C:\WINDOWS\system32\meltus40.dll
C:\WINDOWS\system32\mhjtes40.dll
C:\WINDOWS\system32\mijtes40.dll
C:\WINDOWS\system32\mjltus40.dll
C:\WINDOWS\system32\mmltus40.dll
C:\WINDOWS\system32\mujtes40.dll
C:\WINDOWS\system32\mzltus40.dll
C:\WINDOWS\system32\pmdlib32.dll
C:\WINDOWS\system32\pqdlib32.dll
C:\WINDOWS\system32\psdlib32.dll
C:\WINDOWS\system32\pwdlib32.dll
C:\WINDOWS\system32\pzdlib32.dll
C:\WINDOWS\system32\sbmsg.dll
C:\WINDOWS\system32\semsg.dll
C:\WINDOWS\system32\slmsg.dll
C:\WINDOWS\system32\swmsg.dll
C:\WINDOWS\system32\WhLOADER.DLL
C:\WINDOWS\system32\Wj2Robo.dll
C:\WINDOWS\system32\WlVSYN32.DLL
C:\WINDOWS\system32\yccscom.dll
C:\WINDOWS\system32\yecscom.dll
C:\WINDOWS\system32\ykcscom.dll
C:\WINDOWS\system32\yrcscom.dll
C:\WINDOWS\system32\yscscom.dll
C:\WINDOWS\system32\ywcscom.dll
C:\WINDOWS\system32\zaib.dll
C:\WINDOWS\system32\zgib.dll


Guardian Key--- is called: GuardianCIHDN
Asynchronous 000
DllName C:\WINDOWS\system32\mjltus40.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {F119E2FC-17D9-413D-B03C-07C8F3451EB9}
IDex BM2

User Agent String---
{F119E2FC-17D9-413D-B03C-07C8F3451EB9}
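
The logs above show the same brace-wrapped GUID in the browser's user agent and in the ID value of the "Guardian" key. As an added example (not part of the original post), this Python script pulls GUID-shaped tokens out of user-agent strings in proxy logs so that machines sending one can be listed and compared against an ID read from the registry; the log layout, the function names and the sample GUID are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Brace-wrapped GUID: the shape of the extra token in the user agent quoted above.
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def ua_tokens(user_agent):
    """Split the first parenthesised comment of a User-Agent into its tokens."""
    m = re.search(r"\(([^)]*)\)", user_agent)
    return [t.strip() for t in m.group(1).split(";")] if m else []

def guid_tokens(user_agent):
    """Return GUID-shaped tokens, upper-cased so they compare equal to registry IDs."""
    return [t.upper() for t in ua_tokens(user_agent) if GUID.fullmatch(t)]

def clients_by_guid(log_lines):
    """Map each GUID token to the set of clients that sent it.

    Each line is '<client><TAB><user agent>' (hypothetical proxy-log layout).
    """
    seen = defaultdict(set)
    for line in log_lines:
        client, _, ua = line.partition("\t")
        for guid in guid_tokens(ua):
            seen[guid].add(client.strip())
    return dict(seen)

def matches_notify_id(user_agent, notify_id):
    """True when a UA token equals the ID value read from the 'Guardian' key."""
    return notify_id.strip().upper() in guid_tokens(user_agent)

# Constructed sample lines; the GUID is a made-up placeholder, not the one in the post.
SAMPLE_GUID = "{0A1B2C3D-1111-2222-3333-444455556666}"
SAMPLE_LOG = [
    "10.0.0.21\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; " + SAMPLE_GUID + ")",
    "10.0.0.22\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "10.0.0.23\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)",
    "10.0.0.24\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; " + SAMPLE_GUID.lower() + ")",
]

if __name__ == "__main__":
    for guid, clients in clients_by_guid(SAMPLE_LOG).items():
        print(guid, sorted(clients))
```
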

#2 uyeahu

Posted 09 June 2004 - 02:32 PM

Just wanted to add that I had to go into my system32/Drivers/Etc/hosts file for another reason and it was inexplicably blank. So my IT Director had me open another file called hosts.20040503.backup and it had 15 IP redirects in it. We deleted them all and resaved the file as hosts, deleted the hosts.20040503-112554.backup file and now look2me has a fatal error when it tries to launch the pop-up. Still have the problem with look2me window always popping up though.

What was deleted:

127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 status.qckads.com
207.36.196.189 auto.search.msn.com
207.36.196.189 search.netscape.com
207.36.196.189 ieautosearch
127.0.0.1 status.qckads.com

Edited by uyeahu, 09 June 2004 - 02:36 PM.
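
The hosts entries listed in the post above fall into two kinds: names pinned to 127.0.0.1, and search names pointed at an outside address. As an added example (not part of the original post), this Python script audits a hosts file and separates those cases, also reporting repeated lines; the function names and the sample entries, which use documentation-range addresses and example domains, are constructed for illustration.

```python
import ipaddress
from collections import Counter

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield addr, name.lower()

def audit_hosts(text):
    """Classify hosts entries into redirected, sinkholed and duplicated names."""
    counts = Counter(parse_hosts(text))
    report = {"redirected": [], "sinkholed": [], "duplicates": []}
    for (addr, name), seen in counts.items():
        if name == "localhost":
            continue  # the normal loopback entry
        if addr.is_loopback or addr.is_unspecified:
            report["sinkholed"].append(name)  # name resolves to the local machine
        else:
            report["redirected"].append((name, str(addr)))  # name sent elsewhere
        if seen > 1:
            report["duplicates"].append(name)
    return report

# Constructed sample, shaped like the entries in the post but with made-up values.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 status.example.net
127.0.0.1 status.example.net
203.0.113.10 search.example.com
203.0.113.10 autosearch   # single-label name
not-an-ip broken.example.org
"""

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```

Entries under `redirected` deserve the closest look, since they send lookups for a name to an address chosen by whoever edited the file.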


#3 uyeahu

Posted 10 June 2004 - 09:39 AM

bump

#4 uyeahu

Posted 11 June 2004 - 09:52 AM

Bump

#5 uyeahu

Posted 11 June 2004 - 03:31 PM

My IT guy has given me a new hosts file that seems to be blocking the pop-ups for now, but I'd still like any information you can provide me on how to get rid of this virus entirely.

Edited by uyeahu, 11 June 2004 - 03:34 PM.


#6 uyeahu

Posted 15 June 2004 - 10:05 AM

Bump

#7 uyeahu

Posted 23 June 2004 - 10:15 AM

Bump

#8 uyeahu

Posted 24 June 2004 - 04:59 PM

bump

#9 uyeahu

Posted 25 June 2004 - 03:17 PM

bump



