Old 24-03-2006, 07:05 PM   #1 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804
infected by look2me adware


My PC is infected by Look2Me adware; flash animations and popups keep appearing. I have tried every software available on the net but none of them helped me. I have tried the following software: Webroot Spy Sweeper, Ad-Aware SE, Spybot S&D, Microsoft AntiSpyware, Norton AntiVirus, McAfee antivirus and antispyware, Norton Look2Me removal tool.

Although every software detects it, none of them is able to remove it. They remove it temporarily, but after restarting it appears again. Webroot is somewhat effective as it stops the popups, but the adware is still there.

Please help me. Is formatting the only option?
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  

Old 24-03-2006, 07:29 PM   #2 (permalink)
Alpha Geek
 
Join Date: Mar 2005
Posts: 517

try this link

http://www.pchell.com/support/look2me.shtml
__________________
" I do not like to repeat success, I like to move on to other things "
mako_123 is offline  
Old 24-03-2006, 07:57 PM   #3 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804

No, it is not working. I tried the automatic method; it says Look2Me not detected on your PC. I also tried the manual method; the registry entries which they are asking me to delete are not present in my registry.

Thanks for the help.
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  
Old 25-03-2006, 12:31 AM   #4 (permalink)
Alpha Geek
 
Join Date: Mar 2005
Posts: 517

Try googling for help; you will get a lot of sites.
__________________
" I do not like to repeat success, I like to move on to other things "
mako_123 is offline  
Old 25-03-2006, 01:32 AM   #5 (permalink)
Wise Old Owl
 
Join Date: Dec 2004
Location: South Side Crater, Mars
Posts: 1,038

Format your PC... back up your data and format it.

Since you have tried almost all of the known spyware detection tools, and they are unable to remove it. You can, though, try HijackThis.
grinning_devil is offline  
Old 25-03-2006, 02:17 AM   #6 (permalink)
18 Till I Die............
 
Join Date: Jul 2004
Location: India, Mumbai, Marine Lines
Posts: 5,792

Have you tried running the anti-spywares in safe mode? It has worked in the past for me.
__________________
http://www.bash.org/?258908
mehulved is offline  
Old 25-03-2006, 08:55 AM   #7 (permalink)
Broken In
 
Join Date: Feb 2006
Location: C:\Windows\System.....
Posts: 156

Install Windows again...
Chindi_Chor is offline  
Old 25-03-2006, 09:51 AM   #8 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783

Quote:
Originally Posted by tech_your_future
Have you tried running the anti-spywares in safe mode? It has worked in the past for me.

Do this. Run your anti-spys in safe mode, or schedule boot-time scans, wherever possible.
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 25-03-2006, 03:15 PM   #9 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804

OK i'll try in safe mode
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  
Old 25-03-2006, 05:26 PM   #10 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804

Yeah, this has worked quite a lot,

but popups still appear, though very rarely, once in every 2 hours.

Thanks, everyone.
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  
Old 25-03-2006, 05:46 PM   #11 (permalink)
18 Till I Die............
 
Join Date: Jul 2004
Location: India, Mumbai, Marine Lines
Posts: 5,792

Still that is not good enough. Have you tried out different anti-spywares or just one? If not, do a thorough scan with different anti-spywares and check out the results.
If this fails too, you can run HijackThis and post the results on www.hijackthis.de for analysis. And remove the malware detected.
__________________
http://www.bash.org/?258908
mehulved is offline  
Old 25-03-2006, 05:56 PM   #12 (permalink)
Alpha Geek
 
__Virus__'s Avatar
 
Join Date: Sep 2005
Location: Hyderabad
Posts: 560

Quote:
Originally Posted by paul_007
Yeah, this has worked quite a lot,

but popups still appear, though very rarely, once in every 2 hours.

Thanks, everyone.

Nah, still not good... scan in safe mode again and probably post your HijackThis log so that someone can analyze it and help you out.
__Virus__ is offline  
Old 25-03-2006, 06:49 PM   #13 (permalink)
Wandering in time...
 
Ankur Gupta's Avatar
 
Join Date: Nov 2004
Location: Delhi,India
Posts: 1,293

Well, the best thing is to format your PC and install Windows again if the adware is not being removed by the antivirus or anti-adware software.
And remember to back up!
Ankur Gupta is offline  
Old 25-03-2006, 09:59 PM   #14 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:58:32 PM, on 3/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
D:\softwares\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sify.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{548F1E1C-2F42-4AFF-966A-ABD5E203F2F5}: NameServer = 202.144.50.4,202.144.13.50
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\m2julc191f.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  
Old 25-03-2006, 10:17 PM   #15 (permalink)
Commander in Chief
 
QwertyManiac's Avatar
 
Join Date: Jul 2005
Posts: 6,658

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll

Remove NetPumper from your system, and for best results use only one download manager.

And perhaps these too...
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Wait for more help.
__________________
Harsh J
www.harshj.com
QwertyManiac is offline  
Old 26-03-2006, 11:23 AM   #16 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783

Yes, you need to remove the default search URL: searchbar.
If you use MS AntiSpy, you can use it to restore all IE browser default URLs/pages easily.

Posting your HijackThis logfile at www.hijackthis.de will give you a detailed analysis.
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 26-03-2006, 11:27 AM   #17 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804

HijackThis is not able to remove these:

O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll

It says to use Spybot to remove them, and when I use Spybot, although it removes them, after restarting these files appear again.
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  
Old 26-03-2006, 06:39 PM   #18 (permalink)
Distinguished Member
 
anandk's Avatar
 
Join Date: Mar 2005
Location: Pune
Posts: 3,783

idmmbc.dll could be a legit file or malware. It could be a part of the 'Internet Download Manager' software. Idmmbc.dll is the LSP DLL, so check its properties first. http://www.spywaredata.com/spyware/m...idmmbc.dll.php

If you feel your Winsock LSP has been damaged, see this:
http://www.download.com/LSP-Fix/3000...-10417025.html

Schedule a boot-time scan of Spybot and restart the PC, and see what happens. There is such an option in Spybot's settings. Hope for the best!
__________________
> www.TheWindowsClub.com <
= www.WinVistaClub.com =
Microsoft® MVP
anandk is offline  
Old 27-03-2006, 06:41 PM   #19 (permalink)
Alpha Geek
 
Join Date: Jan 2005
Location: earth
Posts: 804

Quote:
idmmbc.dll could be a legit file or malware. It could be a part of the 'Internet Download Manager' software. Idmmbc.dll is the LSP DLL, so check its properties first. http://www.spywaredata.com/spyware/m...idmmbc.dll.php

If you feel your Winsock LSP has been damaged, see this:
http://www.download.com/LSP-Fix/3000...-10417025.html

Schedule a boot-time scan of Spybot and restart the PC, and see what happens. There is such an option in Spybot's settings. Hope for the best!

Thanks, thanks, thanks a lot, finally this has worked for me.

Now no popups are appearing.

The file idmmbc.dll was the cause and I removed it using Winsock LSP Fix, but I think this was not a part of Internet Download Manager because I have been using this for 4 months and it hasn't created any problem for me. The problem started when I installed a software from a warez site.
__________________
signature??? :???: Let Me Think About It!!!:-D
paul_007 is offline  
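
Added example, not part of the thread or of HijackThis: a small Python triage of a log like the one posted in #14, which collapses repeated entries and surfaces only the markers HijackThis itself prints ("(no file)", "(file missing)", "Unknown file in Winsock LSP", "Unknown owner"). The sample lines are copied from that log; the function names and the wording of the reasons are this example's own.

```python
import re
from collections import Counter

# Entries copied from the HijackThis log posted in this thread (a subset).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Section code ("R1", "O10", "O23", ...) followed by " - " and the entry text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Only markers that HijackThis itself prints; no verdicts are added here.
MARKERS = {
    "(no file)": "entry has no file behind it",
    "(file missing)": "HijackThis could not find the file at the listed path",
    "Unknown file in Winsock LSP": "LSP provider HijackThis does not recognise",
    "Unknown owner": "HijackThis could not name the service's owner",
}

def parse_entries(log_text):
    """Return a Counter of (section, detail) pairs, in first-seen order."""
    entries = Counter()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:  # skips the header and the "Running processes" list
            entries[match.groups()] += 1
    return entries

def triage(log_text):
    """List (section, detail, count, reasons) for entries carrying a marker."""
    findings = []
    for (section, detail), count in parse_entries(log_text).items():
        reasons = [why for marker, why in MARKERS.items() if marker in detail]
        if reasons:
            findings.append((section, detail, count, reasons))
    return findings

if __name__ == "__main__":
    for section, detail, count, reasons in triage(SAMPLE_LOG):
        print(f"{section} x{count}: {detail} -> {'; '.join(reasons)}")
```

A flagged entry is a prompt to check the file's properties and origin, as post #18 advises for idmmbc.dll, not a verdict that it is malicious.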
 
