www.lookfor.cc & search-to-find.com Hijack



#1 AfroKrakr

Posted 24 June 2004 - 01:43 PM

I am grateful to find a forum like yours to help folks like me! I do not know if these symptoms are related or not…but I really hope one of you can help. I’ve read the FAQ and followed your instructions. I have tried to give you as much information about my system, the symptoms of this problem, and the results of all my testing. Please let me know if you need me to run any other tests. Thank you for your time; I know all this junk infecting people’s PCs keeps you very busy.

Symptom 1:
Spybot resident shows attempts to change start page, search page, and default_page_url to “res://mgqpp.dll/index.html#96676” any time I open, close, or change an internet browser window. I always click deny change.

Symptom 2:
When I try to use Google I get a full-page IE browser popup from either www.lookfor.cc, search-to-find.com, or www.seeq.com. Also a small popup with title bar “Only the Best” advertising some sort of antivirus/antispyware (which will obviously install even more crap) appears with each browser window opening or change. These windows always close by clicking the close window “X” icon.

Symptom 3:
Periodically an entry will show up in the Windows taskbar titled “http://media6.fastclick.n...” It looks like an IE window but when I click on the tab nothing happens. I can right-click and click on close to end the program. I do not know if this is some popup attempt that is being blocked, something malicious, or just an annoyance.

General System Info:
MS Windows XP Pro, MS Office XP Pro, and Norton AV 2002 are all updated. Norton has ‘auto protect’ enabled. The XP firewall has all services (ports) unchecked. Spyware Blaster is also used and updated.

Adaware:
Scan finds CoolWebSearch files in the registry, \windows folder, and \windows\system32 folder. Adaware notes that the PC will need to be rebooted to clean but finds the same things each reboot, giving the same message to reboot.

CWShredder:
Scan finds no infected files

Spybot 1.3:
Scan, including yesterday’s update, with all available checks selected, finds no immediate threats. The only entries were cache files, which I deleted. Also, I cannot check the ‘enable permanent blocking of known bad addresses in IE’ in the Immunize window.

Housecall (TrendMicro) Online:
Scan cannot be run. After clicking yes on security dialog box, browser window goes blank, windows error reporting dialog box pops up (so I click send report), and the browser window closes.

Panda Online:
Scan finds no infected files.

F-Secure Online:
Scan finds “TrojanDownloader.Win32.Agent.an” in c:\windows\system32 folder. The infected files are one .exe and two .dll files that I can delete. However, after rebooting, F-Secure will find infected files in the same folders, with the same appearance, but with different names.

RAV Online:
Scan finds TrojanDownloader:Win32/Agent.AN in C:\WINDOWS\system32\crmn.exe. If I delete this file, RAV (and only RAV) finds it after reboot with a different name.

Trojan Hunter:
Scan finds and fixes four Trojans: Adware.Jdf.100, TrojanDownloader.Agent.102, TrojanDownloader.WinShow.104, and TrojanDownloader.WinShow.105.

HijackThis Log:
Logfile of HijackThis v1.97.7
Scan saved at 2:29:41 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\addef32.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\Program Files\Security Utilities\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0f\aoltray.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\crmn.exe
C:\Program Files\Security Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F3E97395-5DF8-F801-BD53-B6C4EAAF3967} - C:\WINDOWS\system32\atlnp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addef32.exe] C:\WINDOWS\addef32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\Security Utilities\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Security Utilities\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0f\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ôĺ : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo...g-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fasta...oad/tgctlcm.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai..../v6/brix6ie.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7577.6950810185
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...ic/wtwdinst.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.1.../ACNePlayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F65C816-DA3E-4392-8DEB-2857E79665FD}: NameServer = 205.152.37.23 205.152.144.23

Thanks in advance and I look forward to working with you!
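The post above is a typical hand-review of a HijackThis log: the helpers look at the R0/O2/O4/O16/O17 sections and at the running-process list, and cross-check them against what the online scanners reported. The script below is an added example (not the poster's material and not a SpywareInfo or HijackThis tool) that does the same triage mechanically for a log in the HijackThis 1.97-style text format. It parses the section lines and the process list, then applies a few illustrative review heuristics: unnamed O2 browser helper objects, O4 autorun entries that launch an executable placed directly in the Windows folder, O17 registry DNS settings that should be confirmed as the ISP's, and running processes whose file name matches one reported by an online scanner. The sample log lines are copied from the post, and SCANNER_HITS is a constructed list seeded with the crmn.exe file the RAV scan named. The output is a review list, not a verdict: the "(no name)" BHO check also trips on the Acrobat helper in the full log, which is why a human still confirms each item.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# post above, so the script runs offline. A real run would read the saved log file.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 2:29:41 PM, on 6/24/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\addef32.exe
C:\WINDOWS\system32\crmn.exe
C:\Program Files\Security Utilities\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F3E97395-5DF8-F801-BD53-B6C4EAAF3967} - C:\WINDOWS\system32\atlnp.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [addef32.exe] C:\WINDOWS\addef32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F65C816-DA3E-4392-8DEB-2857E79665FD}: NameServer = 205.152.37.23 205.152.144.23
"""

# Constructed: file names the online scanners reported (the post's RAV result).
SCANNER_HITS = {"crmn.exe"}

# "R0 - ...", "O4 - ...": section code, then " - ", then the entry body.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Windows paths to executables/libraries embedded in an entry body.
PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"]*?\.(?:exe|dll|ocx))', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and (section, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def review(parsed, scanner_hits):
    """Return (section, note) pairs for entries a helper would want to look at first."""
    findings = []
    for section, body in parsed["entries"]:
        paths = PATH_RE.findall(body)
        if section == "O2" and "(no name)" in body:
            findings.append(("O2", "unnamed BHO; verify the DLL's publisher: " + body))
        if section == "O4":
            for p in paths:
                parent = p.rsplit("\\", 1)[0].lower()
                # Legitimate autoruns almost always live under Program Files or System32;
                # a loader sitting directly in C:\WINDOWS deserves a look.
                if parent == "c:\\windows":
                    findings.append(("O4", "autorun launches an executable placed directly in the Windows folder: " + p))
        if section == "O17":
            findings.append(("O17", "DNS servers set in the registry; confirm they belong to the ISP: " + body))
    for proc in parsed["processes"]:
        if basename(proc) in scanner_hits:
            findings.append(("PROC", "running process matches a file named by an online scanner: " + proc))
    return findings


if __name__ == "__main__":
    for section, note in review(parse_hjt(SAMPLE_LOG), SCANNER_HITS):
        print(f"[{section}] {note}")
```

Running it against the full log from the post would add the Acrobat "(no name)" BHO to the O2 list and nothing else to the O4 or process checks, which matches what the scanners and the poster had already narrowed the problem down to: atlnp.dll, addef32.exe, and the renaming crmn.exe downloader.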

#2 AfroKrakr

Posted 27 June 2004 - 01:06 PM

Hey guys...I know you are extremely busy, so I wanted to let you know I got this problem resolved. Keep up the great work!
Kevin
