AfroKrakr

www.lookfor.cc & search-to-find.com Hijack

2 posts in this topic

I am grateful to find a forum like yours to help folks like me! I do not know if these symptoms are related or not…but I really hope one of you can help. I’ve read the FAQ and followed your instructions. I have tried to give you as much information about my system, the symptoms of this problem, and the results of all my testing. Please let me know if you need me to run any other tests. Thank you for your time, I know all this junk infecting people’s PCs keeps you very busy.


Symptom 1:

Spybot resident shows attempts to change start page, search page, and default_page_url to “res://mgqpp.dll/index.html#96676” any time I open, close, or change an internet browser window. I always click deny change.


Symptom 2:

When I try to use Google I get a full-page IE browser popup from either www.lookfor.cc, search-to-find.com, or www.seeq.com. Also a small popup with title bar “Only the Best” advertising some sort of antivirus/antispyware (which will obviously install even more crap) appears with each browser window opening or change. These windows always close by clicking the close window “X” icon.


Symptom 3:

Periodically an entry will show up in the Windows taskbar titled “http://media6.fastclick.n...” It looks like an IE window but when I click on the tab nothing happens. I can right-click and click on close to end the program. I do not know if this is some popup attempt that is being blocked, something malicious, or just an annoyance.


General System Info:

MS Windows XP Pro, MS Office XP Pro, and Norton AV 2002 are all updated. Norton has ‘auto protect’ enabled. The XP firewall has all services (ports) unchecked. Spyware Blaster is also used and updated.


Adaware:

Scan finds CoolWebSearch files in the registry, \windows folder, and \windows\system32 folder. Adaware notes that the PC will need to be rebooted to clean but finds the same things each reboot, giving the same message to reboot.


CWShredder:

Scan finds no infected files.


Spybot 1.3:

Scan, including yesterday’s update, with all available checks selected, finds no immediate threats. The only entries were cache files, which I deleted. Also, I cannot check the ‘enable permanent blocking of known bad addresses in IE’ in the Immunize window.


Housecall (TrendMicro) Online:

Scan cannot be run. After clicking yes on the security dialog box, the browser window goes blank, the Windows error reporting dialog box pops up (so I click send report), and the browser window closes.


Panda Online:

Scan finds no infected files.


F-Secure Online:

Scan finds “TrojanDownloader.Win32.Agent.an” in c:\windows\system32 folder. The infected files are one .exe and two .dll files that I can delete. However, after rebooting, F-Secure will find infected files in the same folders, with the same appearance, but with different names.


RAV Online:

Scan finds TrojanDownloader:Win32/Agent.AN in C:\WINDOWS\system32\crmn.exe. If I delete this file, RAV (and only RAV) finds it after reboot with a different name.


Trojan Hunter:

Scan finds and fixes four Trojans: Adware.Jdf.100, TrojanDownloader.Agent.102, TrojanDownloader.WinShow.104, and TrojanDownloader.WinShow.105.


HijackThis Log:

Logfile of HijackThis v1.97.7

Scan saved at 2:29:41 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\addef32.exe

C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe

C:\Program Files\Security Utilities\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\America Online 9.0f\aoltray.exe

C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\system32\crmn.exe

C:\Program Files\Security Utilities\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {F3E97395-5DF8-F801-BD53-B6C4EAAF3967} - C:\WINDOWS\system32\atlnp.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [addef32.exe] C:\WINDOWS\addef32.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\Security Utilities\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Security Utilities\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0f\aoltray.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for ôå : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet/mahjong/ma...g-ob-assets.cab

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.4.24/peak...s-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1251/ftp.../v6/brix6ie.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/078143512fb677495120/netzip/RdxIE6.cab

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/...eAutoLaunch.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7577.6950810185

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver...ic/wtwdinst.cab

O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8F65C816-DA3E-4392-8DEB-2857E79665FD}: NameServer = 205.152.37.23 205.152.144.23


Thanks in advance and I look forward to working with you!

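As an added illustration (not from the original poster, the helpers, or the HijackThis tool itself), the script below applies three defender-side triage heuristics to log lines in the format shown above: an unnamed BHO loaded from the Windows directory, a Run entry whose executable sits in C:\WINDOWS itself, and a running process in the Windows directory that no autostart entry accounts for, which is the shape of the regenerating, randomly named system32 executable the post describes. The sample lines are copied from the log above into a constructed snippet, and the allowlist of core XP processes is a hypothetical, abbreviated one.

```python
import re

# Constructed sample in HijackThis v1.97 format; the lines are copied from the log in the post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\addef32.exe
C:\WINDOWS\system32\crmn.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F3E97395-5DF8-F801-BD53-B6C4EAAF3967} - C:\WINDOWS\system32\atlnp.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [addef32.exe] C:\WINDOWS\addef32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Hypothetical allowlist of core XP processes that legitimately run from the Windows
# directory; a real allowlist would be much longer.
KNOWN_OS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
            "svchost.exe", "spoolsv.exe", "alg.exe", "explorer.exe", "wmiprvse.exe"}

IN_WINDIR = re.compile(r"^c:\\windows\\", re.I)
WINDIR_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
BHO = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-F-]+\} - (.+)$", re.I)
RUN = re.compile(r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] "?([^"]+?\.exe)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log):
    """Return (finding, line) pairs for entries that deserve a closer look."""
    findings, processes, autostarts = [], [], set()
    for line in (raw.strip() for raw in log.splitlines()):
        if re.match(r"^[a-z]:\\", line, re.I):            # "Running processes" entry
            processes.append(line)
        elif (m := BHO.match(line)):
            name, dll = m.groups()
            if name == "(no name)" and IN_WINDIR.match(dll):
                findings.append(("unnamed BHO loaded from Windows dir", line))
        elif (m := RUN.match(line)):
            exe = m.group(1)
            autostarts.add(basename(exe))
            if WINDIR_ROOT_EXE.match(exe):
                findings.append(("Run entry executing from C:\\WINDOWS root", line))
    # A Windows-dir process with no autostart of its own matches the post's
    # regenerating, randomly named system32 executable (crmn.exe here).
    for proc in processes:
        if IN_WINDIR.match(proc) and basename(proc) not in KNOWN_OS | autostarts:
            findings.append(("process in Windows dir with no visible autostart", proc))
    return findings
```

Run against the sample it reports atlnp.dll, addef32.exe and crmn.exe, and leaves the Norton and QuickTime entries alone; the heuristics are a starting point for a human review, not a verdict.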

Hey guys...I know you are extremely busy, so I wanted to let you know I got this problem resolved. Keep up the great work!

Kevin
