gary_stanley_uk

How do you remove Look2ME.com ??

16 posts in this topic

Hello,

How do you remove the look2me.com malware? I have adaware, hijack this, CW Shredder, Spybot search and destroy, noadware and many more, but nothing seems to get rid of it. I know how to use the registry keys, so if it is a case of just removing something there I would much appreciate a resolution.

 

Thanking you in advance.

 

Gary Stanley


Thanks. Here is my log.....

 

Logfile of HijackThis v1.98.0

Scan saved at 13:51:49, on 18/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\VetMsgNT.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Pop up Blocker\pd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Scotty B\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Gary Stanley UK

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: PD - {7D5C7979-55EF-442B-AEC4-2A9CF8636AA8} - C:\Program Files\Pop up Blocker\pd.exe

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBE9ACC-382D-4547-9B3A-5E26F49C2086}: NameServer = 194.72.9.38 194.74.65.68

O20 - AppInit_DLLs: msvsres.dll


Yes, MrCharlie, go ahead and continue. Just want to know if I need to continue on that other thread. Sorry for the confusion.


There's a couple of programs to deal with a L2M infection.

 

If you copy and paste this into your Internet Explorer's address bar and hit go and look at the results:

 

javascript:navigator.userAgent <---copy and paste this

 

if it looks like this, you're OK

 

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) <---OK

 

if it looks something like this, you are infected:

 

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {A0FEB296-2284-4C71-BAD2-943CC1A381B0}) <---infected

 

As mentioned, here is one program to deal with it; you may have to try a couple of times to download it.

http://www.spywareinfo.com/~merijn/files/kill2me.zip

 

Download and unzip it to a folder and then run the program.

 

If you have no luck downloading the program Kill2me.zip, try this:

 

Download the latest version of Ad-Aware at (we will use this later)

http://www.lavasoft.de/software/adaware/

 

Download the following tool and install it in its own folder:

http://tools.zerosrealm.com/VX2Finder.exe

 

Press 'Click to Find VX2.BetterInternet'.

Press 'Make Log' and post it in this thread for review.

 

*** Do Not Delete Any Files At This Time ***

 

 

I also see evidence of a virus/trojan.

O20 - AppInit_DLLs: msvsres.dll <--this is what caught my eye.

 

If you have an anti virus, update and run it.

 

If not - here's three links to free scans, use them and let them delete what they find, and also one to a free trial of a trojan program.

 

http://www.misec.net/products/TrojanHunter.exe

 

http://housecall.trendmicro.com/housecall/start_corp.asp

 

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

http://www.bitdefender.com/scan/licence.php

 

 

When you're done, reboot and post a fresh HJT log and let me know if any of the programs found and deleted anything. MrC
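The user-agent check described in the post above, generalized into an added example that is not part of the original post: it scans web access-log lines for User-Agent strings carrying a brace-wrapped GUID token. The log lines and client addresses are constructed; the User-Agent values are the ones quoted in this thread.

```python
import re

# Brace-wrapped GUID: the token shape the post treats as the infection marker.
GUID_TOKEN = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")
# Tail of a combined-format access-log line: ... "referer" "user-agent"
LOG_LINE = re.compile(r'^(?P<client>\S+) .*"[^"]*" "(?P<ua>[^"]*)"\s*$')


def guid_tokens(user_agent):
    """Return GUID tokens from the parenthesised comment of a User-Agent string."""
    comment = re.search(r"\(([^)]*)\)", user_agent)
    if not comment:
        return []
    tokens = [t.strip() for t in comment.group(1).split(";")]
    return [t for t in tokens if GUID_TOKEN.match(t)]


def flag_clients(log_lines):
    """Map each client address to the GUID tokens seen in its User-Agent."""
    hits = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format
        found = guid_tokens(m.group("ua"))
        if found:
            hits.setdefault(m.group("client"), set()).update(found)
    return {client: sorted(tokens) for client, tokens in hits.items()}


# Constructed log lines (documentation addresses); UA values are quoted from the thread.
_REQ = '- - [18/Jul/2004:13:40:01 +0100] "GET / HTTP/1.1" 200 512 "-"'
SAMPLE_LOG = [
    f'192.0.2.10 {_REQ} "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"',
    f'192.0.2.11 {_REQ} "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; '
    '{A0FEB296-2284-4C71-BAD2-943CC1A381B0})"',
    f'192.0.2.12 {_REQ} "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; '
    '{3360251B-67BD-4877-AE1A-668D873BF3B6}; .NET CLR 1.1.4322)"',
]

if __name__ == "__main__":
    for client, tokens in flag_clients(SAMPLE_LOG).items():
        print(client, tokens)
```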


I have this Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {3360251B-67BD-4877-AE1A-668D873BF3B6}; .NET CLR 1.1.4322) when I put in the first part.

 

On VX2 I have Files Found---

 

 

Guardian Key--- is called:

 

User Agent String---

{3360251B-67BD-4877-AE1A-668D873BF3B6}

 

I am just running an anti virus now. I have run adaware already and it says it's clear, and kill2me is saying it doesn't exist, but I clicked to scan anyway and it said it's clean if it was there...

Edited by gary_stanley_uk


Let's run the VX2 finder again to completion.

 

 

Select all the files found.

Press 'Delete These Files'.

 

The program will delete all files but one that will be deleted on reboot.

Allow program to reboot.

 

Once Restarted:

Press 'Guardian.reg'.

Press 'User Agent'.

Press 'Restore Policy'.

 

Reboot, post a fresh log and let me know how it is. MrC


This is the result of my hijack this profile now....

 

Logfile of HijackThis v1.98.0

Scan saved at 18:27:23, on 18/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\VetMsgNT.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\Program Files\TrojanHunter 3.9\THGuard.exe

C:\Documents and Settings\Scotty B\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Gary Stanley UK

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: PD - {7D5C7979-55EF-442B-AEC4-2A9CF8636AA8} - C:\Program Files\Pop up Blocker\pd.exe

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O20 - AppInit_DLLs: msvsres.dll


How is it now and did the scans find and delete anything?

 

msvsres.dll

Check Here for info on removing msvsres.dll if it's still there; you didn't say if the scans found anything.

 

Now please move HJT into its own folder (suggest C:\Documents and Settings\Scotty B\Desktop\HJT\HijackThis.exe) and with it only running fix these:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,

 

O20 - AppInit_DLLs: msvsres.dll

 

Reboot and post a fresh HJT log and let me know how it's running. MrC


I had some viruses that were removed, sorry, by the scan I did with TrojanHunter. The system has no pop-ups right now!!!

 

 

Logfile of HijackThis v1.98.0

Scan saved at 21:09:22, on 18/07/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\VetMsgNT.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\Program Files\TrojanHunter 3.9\THGuard.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Scotty B\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Gary Stanley UK

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: PD - {7D5C7979-55EF-442B-AEC4-2A9CF8636AA8} - C:\Program Files\Pop up Blocker\pd.exe

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBE9ACC-382D-4547-9B3A-5E26F49C2086}: NameServer = 194.72.9.38 194.74.65.68
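Comparing the HijackThis log taken before the fix with the one taken after it shows which entries went away and which are new. The following is an added example, not part of the original thread: it parses the `CODE - detail` lines of two logs, diffs them, and pulls out any DLL named on an `O20 - AppInit_DLLs` line (that registry value lists DLLs loaded into every process that loads user32.dll). The two sample logs are constructed, abridged from the logs posted above; the function names are this example's own.

```python
import re

# HijackThis result lines look like "O20 - AppInit_DLLs: msvsres.dll".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")


def parse_entries(log_text):
    """Return the set of (code, detail) result entries, skipping header and process lines."""
    entries = set()
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.add((m.group("code"), m.group("detail").strip()))
    return entries


def diff_logs(before, after):
    """Return (removed, added): entries that vanished and entries that appeared."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


def appinit_dlls(log_text):
    """Return DLL names listed on O20 AppInit_DLLs lines (space/comma separated)."""
    dlls = []
    for code, detail in sorted(parse_entries(log_text)):
        if code == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail.split(":", 1)[1]
            dlls.extend(name for name in re.split(r"[,\s]+", value) if name)
    return dlls


# Constructed samples, abridged from the 18:27:23 and 21:09:22 logs in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 18:27:23, on 18/07/2004
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O20 - AppInit_DLLs: msvsres.dll
"""
AFTER_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 21:09:22, on 18/07/2004
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed, "added:", added, sep="\n")
```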


Good Job!!

 

Once you feel the system is running OK, you should delete the system restore files and create a new restore point.

Link below will help:

 

http://www.pchell.com/virus/systemrestore.shtml

 

 

Some preventive maintenance:

 

Visit Windows Update and install all the latest critical updates.

 

Install these two free programs, they sit in the background and protect your system from spy and adware being installed on your system, also from your browser being hijacked. Check for updates weekly.

 

SpywareBlaster

 

SpywareGuard

 

Need a free anti virus?

AVG*free

(check for updates - daily)

 

How about a firewall?

ZoneAlarm*free

DirectDownload ZA 4.5.594.000 <---use this version for now

 

Free spyware removal programs:

 

SpyBot

 

AD-Aware

 

DSO Exploit Protection:

DSO Exploit Protection

 

Pop-up stoppers:

GoogleToolBar

Pop-upStopperFree

 

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.

Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

 

Good luck and thanks for using the forum - MrC

Edited by MrCharlie
