
Pop-ups Look2me Infection?


  • This topic is locked
12 replies to this topic

#1 mo12

mo12

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 22 April 2006 - 12:34 AM

Hi. I have Windows XP home edition with Service Pack 2 installed. I keep getting annoying pop up ads from places like browser buy-out, 888.com, Golden Palace Casino, media purchases, Searchhound, and stuff like that. These pop-ups happen when I'm scanning and even pop up if I'm not connected to the Internet. They are especially bad as I close out programs in preparation for logging off. I have to click about 6 or 7 different URLs and they keep changing from one to another. However, my home page is not affected and my computer works fine except for that. I have Windows Firewall, Norman Internet Protection, Ad-aware SE personal, Spybot Search and Destroy and have done many scans. The updated Ad-aware SE always finds a dll file that it cannot remove. Norman finds tons of W32 Look2Me and puts them in the quarantine but they come back every time I log on. I have tried scanning in safe mode and disabling system restore but nothing has helped. Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:35 AM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\bin\ZLH.EXE
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Norman\bin\ZANDA.EXE
C:\Program Files\Cosmi\SpamBlocker\Universal\popproxy.exe
C:\Program Files\Cosmi\SpamBlocker\Universal\sc_daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca3.hpwis.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [xp] p2pnetworking.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6125E5-CD0D-48B5-BA43-B96E6DEDD3CB}: NameServer = 142.161.130.155 142.161.2.155
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\mv86l9ls1.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SpamBlockerUniversal - Unknown owner - C:\Program Files\Cosmi\SpamBlocker\Universal\popproxy.exe" -D "C:\Program Files\Cosmi\SpamBlocker\Universal\conf\\ (file missing)

Can you help me? Thank you so much!



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:40 PM

Posted 22 April 2006 - 01:49 AM

Hello and welcome.. :thumbsup:

Please download Look2Me-Destroyer to your desktop.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :flowers:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
Hi there, stranger!

#3 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 24 April 2006 - 08:19 PM

Hi, thank you very much. I am just waiting for a response from Microsoft and if it doesn't work I'm going to try your suggestion. I will let you know how it worked out. I really appreciate your help! Microsoft has asked me to send them a hijack this log as well but the dll I was supposed to delete wasn't there the next time my log was created. I think the dll keeps changing.

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:40 PM

Posted 25 April 2006 - 12:58 AM

Yes it does and you have more infections than this. If you want assurance, then just have a forum search with Look2Me-Destroyer and you'll see a load of logs with L2MFix & Look2Me-Destroyer success. Anyway, I wouldn't visit Microsoft for virus removal :thumbsup:

#5 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 25 April 2006 - 05:03 PM

Hi, I just followed your instructions to download Look2Me Destroyer. Everything seemed to work just as you said. I will now post the Look2Me text as you asked as well as a fresh hijack this log. Here goes:
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/25/2006 4:27:06 PM

Infected! C:\WINDOWS\system32\mvn6l95s1.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mvn6l95s1.dll
C:\WINDOWS\system32\mvn6l95s1.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F3ED42B9-5123-4B0F-BF22-B3EF093C7683}"
HKCR\Clsid\{F3ED42B9-5123-4B0F-BF22-B3EF093C7683}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

Logfile of HijackThis v1.99.1
Scan saved at 4:59:56 PM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Norman\bin\ZANDA.EXE
C:\Program Files\Cosmi\SpamBlocker\Universal\popproxy.exe
C:\Program Files\Cosmi\SpamBlocker\Universal\sc_daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA6125E5-CD0D-48B5-BA43-B96E6DEDD3CB}: NameServer = 142.161.130.155 142.161.2.155
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: SpamBlockerUniversal - Unknown owner - C:\Program Files\Cosmi\SpamBlocker\Universal\popproxy.exe" -D "C:\Program Files\Cosmi\SpamBlocker\Universal\conf\\ (file missing)

Can you check this for me? I will close this now and see if I get any more pop-ups!!! Thanks, thanks!!!!
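
An added example, not part of any post in this thread: a small parser that diffs the two HijackThis logs above and pulls out the O20 Winlogon Notify entries. The 22 April log lists `mv86l9ls1.dll` under the `StillImage` Notify key while Look2Me-Destroyer deleted `mvn6l95s1.dll` on 25 April, so the check keys on the Notify entry rather than on a DLL filename. The log excerpts are copied from the posts; the function names are this example's own.

```python
import re

# Excerpts copied from the two HijackThis logs in this thread
# (22 April 2006 = BEFORE, 25 April 2006 = AFTER); not the full logs.
BEFORE = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\RunServices: [xp] p2pnetworking.exe
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\mv86l9ls1.dll
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
"""
AFTER = r"""
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\bin\ZANDA.EXE
"""

# A result line is "<section code> - <detail>", e.g. "O20 - Winlogon Notify: ...".
# Header and "Running processes" lines do not match and are skipped.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")


def parse_entries(log_text):
    """Return (section, detail) pairs for every result line in a log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def removed_entries(before, after):
    """Entries present in the first log and absent from the second, in log order."""
    remaining = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in remaining]


def winlogon_notify(log_text):
    """Map Winlogon Notify key name -> DLL path for each O20 Notify line."""
    found = {}
    for section, detail in parse_entries(log_text):
        m = NOTIFY.match(detail) if section == "O20" else None
        if m:
            found[m.group(1)] = m.group(2)
    return found


if __name__ == "__main__":
    for section, detail in removed_entries(BEFORE, AFTER):
        print(f"gone after cleanup: {section} - {detail}")
    print("Notify entries before:", winlogon_notify(BEFORE))
    print("Notify entries after: ", winlogon_notify(AFTER))
```

An entry that disappears between two logs is only a change to review, not a verdict; a Notify entry that reappears after a reboot is the sign that the cleanup did not hold.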

#6 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 25 April 2006 - 05:48 PM

Oh, my God! You guys are geniuses!!! I haven't seen ONE pop-up since I followed your instructions!!!! wow, that is so great! I'm just thrilled!!!!

#7 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 25 April 2006 - 05:58 PM

So I have Norman Internet Protection Package, Ad-Aware SE Personal, Spybot Search and Destroy so do you think I need anything else? I have Windows Firewall. I do not do anything except Hotmail, Ebay, Google Searches on my computer. My daughters who were installers of music are the culprits I think. Any other ideas on how to keep my computer clean?

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:40 PM

Posted 26 April 2006 - 12:31 AM

Where do you need McAfee?

Please post this. :thumbsup:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post


#9 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 26 April 2006 - 06:39 PM

Okay, here is the saved list from uninstall manager. Actually, I thought I had uninstalled McAfee when I installed Norman Internet Protection package.
Ad-Aware SE Personal
CXP Plug-In
Detto Migration Kit
HijackThis 1.99.1
Homespun Collection
hp center
hp deskjet 640c series
HP Instant Support
HP Photo Printing Software
HP RecordNow
Inactive HP Printer Drivers (Remove only)
Inactive HP ScanJet Drivers (Remove only)
Kidspiration 2
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Shockwave Player
McAfee SecurityCenter
Microsoft Money 2001
Microsoft Office Standard Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Works 6.0
Microsoft Works and Money 2001 Setup Launcher
MSN Toolbar
My Photo Center
Norman Virus Control
PC-Doctor for Windows
PigPen
PopUp Ad Blocker
Print Artist 2003
PS2
Quicken Financial Center
S3 Gamma
SecureAlert SpamBlocker Universal OE
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SierraAddressBook 3.0
SpyWare Killer
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
War Games Virtual Warfare Demo
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

#10 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 26 April 2006 - 07:52 PM

So do you think my hijack this log looks good? Is my computer clean? I think it is! Can you reply after looking at my hijack this log? Thank you.

#11 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:40 PM

Posted 27 April 2006 - 08:13 AM

Have a looksee here on SpyWare Killer: http://www.spywarewarrior.com/rogue_anti-spyware.htm

The 3rd item on the Rogue list. Very strongly recommended to uninstall it :thumbsup:

Then can you reboot into Safe Mode and uninstall:

McAfee SecurityCenter

Then it should be fine. :flowers:

==

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)

#12 mo12

mo12
  • Topic Starter

  • Members
  • 103 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 27 April 2006 - 07:19 PM

Hi! I uninstalled Spyware Killer (actually it came with Norman Internet Protection Package) that I bought. I think you're right about it being bad because after I used it, I couldn't click on my Windows Update history. It was greyed out with an error code. That is now fixed. Microsoft helped me with that. I also started my computer in safe mode and uninstalled McAfee Security Center. McAfee had been installed on my computer when I installed service pack 2 but my subscription had run out. Thank you again for all your help!

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:40 PM

Posted 27 April 2006 - 11:49 PM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:



