lookfor.cc removal [Archive] - PCMech Forums


Dazzer
11-28-2005, 06:15 PM
My Microsoft Antispyware blocks what this tries to do, but how can I stop lookfor.cc (I think it is) trying to alter the search bar and default search url?

It succeeded in altering the search bar. It seemed to temporarily switch off McAfee antivirus. I don't know what the correct entry in the registry should be?

I have a hijackthis log. Any idea what I should be looking for?

Dazzer

rspassey
11-28-2005, 06:18 PM
If you follow the directions on posting a HijackThis log in the security section, then go ahead and post it here and we can take a look at it.

SGS
11-28-2005, 10:04 PM
You might want to take a look at THIS (http://www.pchell.com/support/lookfor.shtml).

Dazzer
11-29-2005, 08:00 AM
Thanks to SGS. I found the PCHell page before I posted this new thread and there was nothing in that registry folder, nor did any of the mentioned files exist on my machine. Could it be because I've W2K and the PCHell info seems to relate to Windows (not WINNT)?

Dazzer

SGS
11-29-2005, 09:48 AM
If that link didn't help you out, go back to plan A (Ryan's advice) and post a HijackThis log.

Dazzer
11-29-2005, 06:11 PM
Microsoft Antispyware found nothing and neither did McAfee Antivirus. Spyware Doctor and Registry Mechanic found loads, but nothing frightening and not the lookfor.cc, though RM found a CWS which I just reset in the registry.

Dazzer

The hijackthis log is listed below.

Logfile of HijackThis v1.99.0
Scan saved at 23:10:40, on 28/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\csrss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\acs.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\CTsvcCDA.EXE
D:\WINNT\System32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\ASUS\Probe\AsusProb.exe
D:\Program Files\McAfee.com\VSO\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Creative\VoiceCenter\AndreaVC.exe
D:\WINNT\system32\Rundll32.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
D:\Program Files\McAfee.com\VSO\oasclnt.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\dvd43\dvd43_tray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINNT\system32\internat.exe
D:\DOCUME~1\DAZZER~1\LOCALS~1\Temp\clclean.0001
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
D:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
D:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
D:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\NETGEAR\WG311T\wlancfg5.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Soft2005\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MBpatch] C:\program files\Creative\MBsetup\RemoveKey.exe
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] D:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [VSOCheckTask] "D:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] D:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VoiceCenter] "D:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] D:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dvd43] D:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegistryMechanic] D:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = D:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = D:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = D:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT\web\related.htm
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
O23 - Service: Atheros Configuration Service - Unknown - D:\WINNT\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - D:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - McAfee Inc. - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler - McAfee, Inc - d:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - D:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: PC Tools Spyware Doctor - Unknown - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

rspassey
11-29-2005, 06:26 PM
This is added by a trojan; you may need to boot in safe mode to remove it.
You can verify that here (http://www.sysinfo.org/startuplist.php?filter=internat.exe)

O4 - HKCU\..\Run: [internat.exe] internat.exe


You should also remove O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime and you can check it here (http://www.sysinfo.org/startuplist.php?filter=QuickTime+Task)
To fix it you will probably have to end this running application with the task manager: D:\Program Files\QuickTime\qttask.exe

You can have HJT fix this one because it is not needed (it isn't bad, but a waste of space)


O4 - Global Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE


And for the O9s, if you do not recognize or don't use them anymore, have HJT fix it. Otherwise they check out and can be left.

This goes for the O16s too; if you don't use them regularly, then have HJT fix it, and the next time you go to the site you will be asked to re-install the ActiveX required.

If http://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay is not your homepage, then have HJT fix it.

Nothing else stands out to me right away, I will browse over it more closely a little later... but as far as I can tell you are pretty well clean. Also you have an older version of HJT, there is an updated one available.


I am sure someone can check out the running programs for you, those aren't my specialty, but I will try to take a look over those too.

SGS
11-29-2005, 08:36 PM
Gee Dazzer, that looks like a pretty clean log. I don't see lookfor.cc or any of the other cws variants. Even the internat.exe file could be legit. Do you have a language selection icon in system tray? If you do, that's what that internat.exe entry is leading to.

CWS is often hidden after running anti-spyware programs and comes back after a few reboots. Run HJT again in a day or two and see if the log changes. If it does, post the new log.

You might want to run the free version of Ewido (http://www.ewido.net/en/). It's a popular anti trojan scanner. Let it fix anything that it finds. Make sure to shut off the MS Antispyware program before running it though. It can stop some fixes from taking hold.

And on second look, there is this entry:

D:\DOCUME~1\DAZZER~1\LOCALS~1\Temp\clclean.0001

Do you know what it is? I can't find any info on it and that is strange. It's also strange to have anything running from a temp folder. I'd suggest you clean out that folder, in safe mode. Unless you know what that file is, it could be the source of your troubles.
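
An added example, not part of the original thread: the checks the replies above apply by eye (a process running from a temp folder, a Run entry given as a bare file name, the start page setting), written as a log triage script. The sample log is constructed from entries in Dazzer's log, and the function names `parse_log` and `triage` are illustrative.

```python
import re

# Constructed sample in HijackThis log format, modelled on entries from this thread.
SAMPLE_LOG = r"""Running processes:
D:\WINNT\system32\svchost.exe
D:\DOCUME~1\DAZZER~1\LOCALS~1\Temp\clclean.0001
D:\Program Files\QuickTime\qttask.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O23 - Service: ATI Smart - Unknown - D:\WINNT\system32\ati2sgag.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - ..." style lines
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(.+?)\] (.*)$")   # registry Run autostarts

def parse_log(text):
    """Split a log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (reason, item) pairs worth a manual look; a hint list, not a verdict."""
    processes, entries = parse_log(text)
    findings = [("process image in a temp folder", p)
                for p in processes if re.search(r"\\te?mp\\", p, re.I)]
    for code, body in entries:
        run = RUN.match(body) if code == "O4" else None
        if code in ("R0", "R1"):
            findings.append(("browser start/search setting to confirm", body))
        elif run:
            first = run.group(2).lstrip('"').partition(" ")[0]
            if first and "\\" not in first:
                # Bare file name: Windows resolves it via the search path,
                # so the log alone does not show which file actually runs.
                findings.append(("autorun with no full path", run.group(2)))
    return findings

if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

Comparing the findings from two runs a few days apart shows whether an entry has come back after cleaning.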

Dazzer
11-30-2005, 05:35 AM
Do you have a language selection icon in system tray?

D:\DOCUME~1\DAZZER~1\LOCALS~1\Temp\clclean.0001

Do you know what it is?

What's a language selection icon in system tray - where can I check this? The PC is set to UK English not US.

I've no idea what that cclean.0001 is.

I'll act on all the good advice this evening,

thanks to Ryan and SGS.

Dazzer