Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Adware.Look2Me & Assorted Problems


  • Please log in to reply

#1
JAC1

JAC1

    New Member

  • Member
  • Pip
  • 2 posts
Hi. So I think I have Adware.Look2Me and something involving many Tracking.Cookies that have persistenly stayed on my system. Let me go through what I've done so far. Prior to the steps below, I installed Prevx1 and its currently running on my computer. It has not interrupted with any alerts or errors.

**Random Windows Explorer Error** Address bar is checked as being visible, but its invisible. I never noticed this before...but the address bar in IE is missing too. Address bar in Firefox is unaffected.

1. Ran Ad-aware SE
As instructed in the "Before You Post."
Results: 0 New Critical Objects

2. Ran CWShredder
In safe mode, as instructed.
Reported removing CWS.Msconfig varient

Upon restarting normally, ewido reported "wuadefui.dll" as an infection of Adware.Look2Me from C:windows\system32. Chose "Clean" as the action.
Had to restart again and ewido reported "wfdrmsdk.dll" as an infection of Adware.Look2Me from C:\Windows\system32. Chose "clean."

3. Ran Spybot S&D
As instrcuted.
Reports removing registry entries for "Windows Security Center.AntiVirusDisableNotify" and "WindowsSecurityCenter.FirewallDisableNotify". Fixed selected problems. (But Spybot has repeatedly said it cleared these problems and they keep reappearing.)

4. Attempted to run TrendHousecall. Page would not load. Perhaps this could be the result of higher security settings that I installed in response to the infection(s)?

5. Ewido scan
Attempted to update in regular mode. No update was available.
Ran in safe mode
Results: Finds infected files. Most of them are *.dll's. Most are cleaned. "C:\windows\system32\dqwave.dll" has an "error" and cannot be deleted. I tried to delete with Windows explorer and that doesn't work. Also noted pvp.dll and o4nsle571h.dll and 04pqle751h.dll. Cannot delete these process!
Scan log from most recent running is below:
[804] C:\WINDOWS\system32\pVp.dll -> Adware.Look2Me : Error during cleaning
[880] C:\WINDOWS\system32\pVp.dll -> Adware.Look2Me : Error during cleaning
:mozilla.7:C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\akzixo1s.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\akzixo1s.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\akzixo1s.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.6:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.7:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.18:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.54:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.55:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.58:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.59:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.66:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.67:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.68:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.69:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.70:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.78:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.79:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.80:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.81:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.82:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.83:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.84:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.85:C:\RECYCLER\S-1-5-21-3880028103-2268992153-1497372460-500\Dc1.txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\system32\azamlij118o.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\lt4027hmg.dll -> Adware.Look2Me : Cleaned with backup


6. Ran Symantac Deep/Extended Scan in safe mode
Result: Found and deleted 1 threat. When it examined dqwave.dll, it did not pickup a threat (even though ewido did)

7. Trojan Hunter.
Attempted to install. At the last moment before complete installation, received following error message:
CoCreateInstance failed; code 0x80040154. Clicked ok. Error repeated five times. Then, installation reported as "complete."

Ran test. Found only one problem but indicated that it could not scan pVp.dll since it was in use by another program. This file was identified by ewido as containing the Adware.Look2Me infection.

REBOOT AND TEST
Random note: After several cleaning steps, my "Quick Launch" disappeared. After putting back the "quicklaunch" and choosing Firefox, computer takes a long time to advance. When Firefox has loaded, and a page is visited, a popup begins opening in another tab. Could the malware be doing this?
Also, Prevx1 interrupts once to ask if I want to allow mpas-fe.exe from C:\windows\softwaredistribution\... to be installed. I selected "Do not run."
Address bar still invisible in IE and Explorder

HIJACKTHIS LOG

Deleted files on reboot from HJT:
enjml1111.dll
__delete_on_reboot_mefted.dll
pvp.dll
o4pgle751h.dll
streamhlp.dll
sporder.dll
wpa.dbl

I wanted to remove another file that has been implanted in a Google directory but HJT couldn't tell me exactly where it was and I couldnt find it when I searched the available directories.

I'll reboot and repost if anything changes but ....any help? anyone?

I've REALLLY done myself in now and I'm hoping that someone, ANYONE out there can help me.

I used KillBox! -- without the explicit instruction of this board's staff -- and now I am paying for my stupidity.

I used KillBox! to "delete on reboot" a variety of DLLs that were causing problems.
I chose "End Explorer Shell While Killing" or some option like that.

KillBox rebooted and everything started normally (Normal XP graphic. Normal XP login screen.)

I clicked on my name, "Jason" and the standard music sounded up but the page didn't advance to the normal windows screen. It was stuch on "loading your personal settings" for a much longer time than ever happened before.

When that screen went away, I saw the standard XPS windows background. But no start menu. No desktop icons of any kind.

I hit CTL ALT DEL and started up task manager, which listed 47 processes working but no programs.

I launched a "New Task" for explorer.exe and the start briefly appeared on the bottom on the screen....and then immediately disappeared.

I went back into KillBox to attempt to restore the files I had deleted, but when I chose File>Open Backups the start menu briefly appeared, and then disappeared again.

I have no idea what to do...my system appears to exist and my files all appear to be there ...but I cannot get any of my original settings, my start menu, or anything.

I'm using my backup (very old) computer....and I need help asap!

INCLUDED IN THE HJT LOG FROM AFTER THE KILLBOX INCIDENT.
(I retyped this from the screen of my target computer.)

Logfile of HijackThis v1.99.1
Scan saved at 3:57:38PM, on 24-Mar-06
Platform: Windows ZP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SPT (6.00.2900.2180)

Running processes:
C:\WiNDOWS\system32\smss.exe
C:\WiNDOWS\system32\winlogon.exe
C:\WiNDOWS\system32\services.exe
C:\WiNDOWS\system32\lsass.exe
C:\WiNDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpeng.exe
C:\WiNDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EVMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\CCSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCEvtMgr.exe
C:\WiNDOWS\system32\spoolsv.exe
C:\WiNDOWS\system32\netdde.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WiNDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\rhSched.exe
c:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WiNDOWS\system32\svchost.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
c:\Program Files\Prevx1\PxAgent.exe
c:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSVC.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Symantec Client Security\Symantec Antivirus\Rtvscan.exe
c:\Program Files\Symantec Client Security\Symantec Client Firewall\SySPort.exe
C:\WiNDOWS\system32\MsPMSPSv.exe
C:\WiNDOWS\system32\taskmgr.exe
C:\WiNDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O3 - Toolbar: Adobe PDF {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [PreVxOne] c:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [Windows Defender] "c:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [THGuard] "c:\Program Files\TrojanHunter 4.5\THGuard.exe
O4 - HKLM\..\Run: [SynTPEnh] c:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "c:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "c:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "c:\Program Files\Roxio\Easy CD Creater 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "c:\Program Files\QuickTime\qttask.exe" - atboottime
O4 - HKLM\..\Run: [nmapp] "c:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [iTunesHelper] "c:\Program Files\iTunes\iTunersHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" - start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\updateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelWireless] c:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "c:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] c:\Program Files\ehome\ehtray.exe
O4 - HKLM\..\Run: [efax 4.1] "c:\Program Files\eFax Messenger 4.1\J2GD11Cmd.exe" /R
O4 - HKLM\..\Run: [DVDLauncher] "c:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] c:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "c:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Dell Support] "c:\Program Files\Dell Support\DSAgent.exe" /startup
O4 - HKLM\..\Run: [AIM] c:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0DA1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0218AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menutiem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O18 - Protocol: pure-go - {4745C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" - win32service (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccevtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\GW\GBUSSNet Client 4.6\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Sumantec AntiVirus\Defwatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anit-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anit-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Maccrovision Corporation - C:\Program Files\InstallShiefld\Driver\11\Intel 32\IDriveT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - DELL Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Netowrks Network magic Service (nmserivce) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PreVX agent (PREVXgent) - Unknown Owner - C:\Program Files\Prevx1\PXAgent.exe -f (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S23EventMonitor) - Intel Corporation - C:\Program files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Smantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirys - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort *SYmSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Edited by JAC1, 24 March 2006 - 04:36 PM.

  • 0

Advertisements


#2
JAC1

JAC1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Edited First Post instead of the rpely

Edited by JAC1, 24 March 2006 - 04:43 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP