look2me virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

scjetson

Thread Starter
Joined
Apr 22, 2004
Messages
1
:confused: Look2me has taken over my computer. I have tried to automatically, as well as manually remove it icw various recommendations. I do not see any of the files they tell me to look for in the registry. I am running xp home. It has attached itself to one of my windows\system32 files. The infected file is aud.cpy.dll. I can delete it if I "end process" (rundll32) in the task manager. I do a scan and it is clean. As soon as I re-boot windows it is back in the system32 folder. It will lock up the pc after about 10 mainutes. Is there any ideas short of an entire hard drive reformat?
 
Joined
Oct 9, 2001
Messages
9,396
Have you tried this:http://www.pchell.com/support/look2me.shtml

Or you could........
Do this:
go to http://www.lurkhere.com/~nicefiles/ , and download 'Hijack This!'.....
Unzip it to its own folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.

;)
 

scjetson

Thread Starter
Joined
Apr 22, 2004
Messages
1
I went again to the Look2me E-mail for help and they gave me the manual unistall directions (the auto unistall did not work). This is the problem, it has attached itself to this windows\system32 file: aud.dll. The Look2me infected file is: aud.cpy.dll. I can delete the aud.cpy file, but even using a command prompt with explorer process shut down it will not let me delete the aud.dll file. Being it is a system32 file I am sure it is a critical file for windows to work. Look2me said the cpy and the original must be deleted to totally make it gone. Anyone have any ideas short of a total reformat?
Here is the log from the hijack this scan:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephanie\Local Settings\Temp\Temporary Directory 2 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchgateway.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O1 - Hosts: â
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O1 - Hosts: me.com/cgi-bin/SelectorV2?ID={4671DFC7-04E7-4D30-81DE-7609576563F4}&mSkip=1&rnd=31584", 180000, "FALSE");
O1 - Hosts: myRepeatArray[3] = "10";
O1 - Hosts: myRepeatArray[2] = "3";
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top