PDA

View Full Version : I think I have Look2Me and I have printed my Hijack This log and pasted



Wheezylady
2006-09-22, 03:12
I have a computer that I think has Look2Me virus. I can't go online because it has too many popus. So I downloaded and updated spybot on a jumpdrive and ran it under each user on XP. I also ran AVG and CCleaner. Can anyone help me get rid of whatever is on here?

hijacthis:Logfile of HijackThis v1.99.1

Scan saved at 6:58:06 PM, on 9/18/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\V2VuZHkgSGludG9u\command.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\WINDOWS\ms040602846-194.exe
C:\WINDOWS\Duce6.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\win3208846-1940602.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\WINDOWS\CROSOF~1.NET\winspool.exe
C:\Program Files\Batty2\Batty2.exe
C:\WINDOWS\cfg32a.exe
E:\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{D6A8B28A-0468-7C90-1074-2CF00BCB61E3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\2.tmp
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\2.tmp
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: ATLDistrib Object - {83A5F7B7-DC75-44CE-9195-264F41709FA9} - C:\WINDOWS\System32\sstqn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: (no name) - {F76B8E3F-72AB-4E96-87FC-778B469BC334} - C:\WINDOWS\System32\awtrpno.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [ms040602846-194] C:\WINDOWS\ms040602846-194.exe
O4 - HKLM\..\Run: [fzw772ef] RUNDLL32.EXE w002648c.dll,n 004772eb00000003002648c
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [win3208846-1940602] C:\WINDOWS\win3208846-1940602.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\CROSOF~1.NET\winspool.exe" -vt yazr
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_EN_XP.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_games/tikgames/cinematycoon/cinematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://www.errorprotector.com/free/cab/Install-Errorprotector-Free.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - C:\Program Files\Batty2\Batty2.dll
O20 - AppInit_DLLs: BattyRun2.dll
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\q068laju1do8.dll
O20 - Winlogon Notify: sstqn - C:\WINDOWS\System32\sstqn.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V2VuZHkgSGludG9u\command.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe (file missing)
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: SYS MANAGER (system) - Unknown owner - C:\WINDOWS\SYSWIN32.EXE (file missing)
O23 - Service: wkssvc (Windows Kernel Serivce) - Unknown owner - C:\WINDOWS\AIMClient.exe (file missing)
O23 - Service: Winlogin messenger - Unknown owner - C:\WINDOWS\system\svchost.exe


I have no idea what this all means and I am not totally computer illerate but I know just enough to be dangerous!

teacup61
2006-09-24, 12:40
Hello Wheezylady,

Welcome to Safer Networking Forums :)

This computer is in horrible shape. :( It is unpatched and unprotected. There are more bad entries than good.:sick:

There is probably quite a bit of damage done here, and while I can help you clean it I can't promise all the damage can be undone. :(

I would suggest a reformat and reinstall of your XP, then install an AntiVirus program and make sure IE and XP are completely updated to SP2. You cannot update it with the condition it's in right now.

Please let me know what you decide to do.

Regards,
tea

tashi
2006-10-01, 04:53
This topic has been archived.

So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)

You and Windows, a joint effort (http://forums.spybot.info/showpost.php?p=25290&postcount=4)