How do you remove Look2ME.com ??



#1 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 06:46 AM

Hello,
How do you remove the look2me.com malware? I have adaware, hijack this, CW Shredder, Spybot search and destroy, noadware and many more but nothing seems to get rid of it. I know how to use the registry keys so if it is a case of just removing something there I would much appreciate a resolution.

Thanking you in advance.

Gary Stanley

#2 MrCharlie

MrCharlie

    Member

  • Helper Trainee
  • Pip
  • 25 posts

Posted 18 July 2004 - 07:40 AM

Please post your HJT log so we can have a look.

Make sure you are using the latest version (1.98) of HJT, link below.

http://tools.radiosp.../HijackThis.exe <---direct download

MrC

from - TomCoyote forum

anyone can buy a new one, but not everyone can fix the old one

Major & Lindsay

#3 sardabay

sardabay

    Member

  • New Member
  • Pip
  • 4 posts

Posted 18 July 2004 - 07:51 AM

Go to merjin.org. They have a tiny program called "kill2me" for that purpose in the downloads section.

#4 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 07:53 AM

Thanks. Here is my log:

Logfile of HijackThis v1.98.0
Scan saved at 13:51:49, on 18/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scotty B\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Gary Stanley UK
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PD - {7D5C7979-55EF-442B-AEC4-2A9CF8636AA8} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBE9ACC-382D-4547-9B3A-5E26F49C2086}: NameServer = 194.72.9.38 194.74.65.68
O20 - AppInit_DLLs: msvsres.dll

#5 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 18 July 2004 - 08:51 AM

Hi gary_stanley_uk,

Does this post mean we can close your original thread, and all your original problems are resolved?

http://forums.spywar...topic=12899&hl=

#6 MrCharlie

MrCharlie

    Member

  • Helper Trainee
  • Pip
  • 25 posts

Posted 18 July 2004 - 09:06 AM

Shall I continue or not??

Thanks, MrC


#7 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 18 July 2004 - 09:41 AM

Yes, MrCharlie, go ahead and continue. Just want to know if I need to continue on that other thread. Sorry for the confusion.

#8 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 09:50 AM

Sorry, I didn't know how to close the original thread, thanks. I found out how to use registry keys with tweaks and stuff, thanks.

#9 MrCharlie

MrCharlie

    Member

  • Helper Trainee
  • Pip
  • 25 posts

Posted 18 July 2004 - 11:01 AM

There are a couple of programs to deal with an L2M infection.

If you copy and paste this into your Internet Explorer's address bar and hit go and look at the results:

javascript:navigator.userAgent <---copy and paste this

if it looks like this, you're OK

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) <---OK

if it looks something like this, you are infected:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {A0FEB296-2284-4C71-BAD2-943CC1A381B0}) <---infected

As mentioned, here is one program to deal with it; you may have to try a couple of times to download it.
http://www.spywarein...les/kill2me.zip

Download and unzip it to a folder and then run the program.

If you have no luck downloading the program Kill2me.zip, try this:

Download the latest version of Ad-Aware at (we will use this later)
http://www.lavasoft....ftware/adaware/

Download the following tool and install it in its own folder:
http://tools.zerosre...m/VX2Finder.exe

Press 'Click to Find VX2.BetterInternet'.
Press 'Make Log' and post it in this thread for review.

*** Do Not Delete Any Files At This Time ***


I also see evidence of a virus/trojan.
O20 - AppInit_DLLs: msvsres.dll <--this is what caught my eye.

If you have an anti virus, update and run it.

If not - here's three links to free scans, use them and let them delete what they find, and also one to a free trial of a trojan program.

http://www.misec.net...rojanHunter.exe

http://housecall.tre.../start_corp.asp

http://www.pandasoft...n_principal.htm

http://www.bitdefend...can/licence.php


When you're done, reboot and post a fresh HJT log and let me know if any of the programs found and deleted anything. MrC


#10 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 11:12 AM

I have this Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {3360251B-67BD-4877-AE1A-668D873BF3B6}; .NET CLR 1.1.4322) when I put in the first part.

On VX2 I have Files Found---


Guardian Key--- is called:

User Agent String---
{3360251B-67BD-4877-AE1A-668D873BF3B6}

I am just running an anti virus now. I have run adaware already and it says it's clear, and kill2me is saying it doesn't exist, but I clicked to scan anyway and it said it's clean if it was there...

Edited by gary_stanley_uk, 18 July 2004 - 11:14 AM.
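The user-agent check from post #9, run over proxy-style log lines instead of one browser at a time, as an added example that is not part of the original thread. It goes beyond the posts by assuming Combined Log Format input; the log lines, the 192.0.2.x addresses and the function names are constructed for illustration, while the three User-Agent strings are the ones quoted in posts #9 and #10.

```python
import re
from collections import defaultdict

# A brace-wrapped GUID, e.g. {A0FEB296-2284-4C71-BAD2-943CC1A381B0}
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Combined Log Format (assumed): the User-Agent is the last double-quoted field.
LOG_LINE = re.compile(r'^(?P<client>\S+) .* "(?P<ua>[^"]*)"$')

def guid_tokens(user_agent):
    """Return the brace-wrapped GUID tokens inside the UA's (...) comment."""
    comment = re.search(r"\(([^)]*)\)", user_agent)
    if not comment:
        return []
    tokens = [t.strip() for t in comment.group(1).split(";")]
    return [t for t in tokens if GUID.fullmatch(t)]

def flag_clients(log_lines):
    """Map client address -> sorted GUID tokens seen in its User-Agent."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m:
            hits[m.group("client")].update(guid_tokens(m.group("ua")))
    return {client: sorted(g) for client, g in hits.items() if g}

# Constructed log lines; only the User-Agent strings come from the thread.
_LINE = '{ip} - - [18/Jul/2004:13:40:00 +0100] "GET / HTTP/1.1" 200 512 "-" "{ua}"'
SAMPLE_LOG = [
    _LINE.format(ip="192.0.2.10",
                 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    _LINE.format(ip="192.0.2.11", ua="Mozilla/4.0 (compatible; MSIE 6.0; "
                 "Windows NT 5.1; {A0FEB296-2284-4C71-BAD2-943CC1A381B0})"),
    # .NET CLR is an ordinary token and must not be flagged on its own.
    _LINE.format(ip="192.0.2.12", ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
                 "{3360251B-67BD-4877-AE1A-668D873BF3B6}; .NET CLR 1.1.4322)"),
]

if __name__ == "__main__":
    for client, guids in flag_clients(SAMPLE_LOG).items():
        print(client, guids)
```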


#11 MrCharlie

MrCharlie

    Member

  • Helper Trainee
  • Pip
  • 25 posts

Posted 18 July 2004 - 11:38 AM

Let's run the VX2 finder again to completion.


Select all the files found.
Press 'Delete These Files'.

The program will delete all files but one that will be deleted on reboot.
Allow program to reboot.

Once Restarted:
Press 'Guardian.reg'.
Press 'User Agent'.
Press 'Restore Policy'.

Reboot, post a fresh log and let me know how it is. MrC


#12 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 12:30 PM

This is the result of my hijack this profile now....

Logfile of HijackThis v1.98.0
Scan saved at 18:27:23, on 18/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\Documents and Settings\Scotty B\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Gary Stanley UK
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PD - {7D5C7979-55EF-442B-AEC4-2A9CF8636AA8} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O20 - AppInit_DLLs: msvsres.dll

#13 MrCharlie

MrCharlie

    Member

  • Helper Trainee
  • Pip
  • 25 posts

Posted 18 July 2004 - 01:23 PM

How is it now and did the scans find and delete anything?

msvsres.dll
Check Here for info on removing msvsres.dll if it's still there, you didn't say if the scans found anything.

Now please move HJT into its own folder (suggest C:\Documents and Settings\Scotty B\Desktop\HJT\HijackThis.exe) and with it only running fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,

O20 - AppInit_DLLs: msvsres.dll

Reboot and post a fresh HJT log and let me know how it's running. MrC


#14 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 03:11 PM

I had some viruses that were removed, sorry, by the scan I did with TrojanHunter. The system has no pop-ups right now!!!


Logfile of HijackThis v1.98.0
Scan saved at 21:09:22, on 18/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\TrojanHunter 3.9\THGuard.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scotty B\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Gary Stanley UK
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Pop-Up Stopper Free Edition.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PD - {7D5C7979-55EF-442B-AEC4-2A9CF8636AA8} - C:\Program Files\Pop up Blocker\pd.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBE9ACC-382D-4547-9B3A-5E26F49C2086}: NameServer = 194.72.9.38 194.74.65.68
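A before/after comparison of the HijackThis entries posted in this thread, as an added example (not part of the original posts and not HijackThis's own code). The line pattern and function names are assumptions based on the log lines shown above, and the two sample logs are short excerpts of the logs in posts #4 and #14.

```python
import re

# Entry lines look like "O20 - AppInit_DLLs: msvsres.dll" or "R1 - HKCU\...".
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries

def diff_logs(before_text, after_text):
    """Return (removed, added) entries between two scans, each sorted."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return sorted(before - after), sorted(after - before)

def appinit_dlls(log_text):
    """List DLL names from O20 AppInit_DLLs entries (space- or comma-separated)."""
    dlls = []
    for code, body in sorted(parse_entries(log_text)):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls += body.split(":", 1)[1].replace(",", " ").split()
    return dlls

# Excerpts of the logs in posts #4 and #14 (shortened for the example).
LOG_POST_4 = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O20 - AppInit_DLLs: msvsres.dll
"""
LOG_POST_14 = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
"""

if __name__ == "__main__":
    removed, added = diff_logs(LOG_POST_4, LOG_POST_14)
    print("removed:", removed)
    print("added:", added)
    print("AppInit_DLLs before:", appinit_dlls(LOG_POST_4))
```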

#15 MrCharlie

MrCharlie

    Member

  • Helper Trainee
  • Pip
  • 25 posts

Posted 18 July 2004 - 03:51 PM

Good Job!!

Once you feel the system is running OK, you should delete the system restore files and create a new restore point.
Link below will help:

http://www.pchell.co...emrestore.shtml


Some preventive maintenance:

Visit Windows Update and install all the latest critical updates.

Install these two free programs, they sit in the background and protect your system from spy and adware being installed on your system, also from your browser being hijacked. Check for updates weekly.

SpywareBlaster

SpywareGuard

Need a free anti virus?
AVG*free
(check for updates - daily)

How about a firewall?
ZoneAlarm*free
DirectDownload ZA 4.5.594.000 <---use this version for now

Free spyware removal programs:

SpyBot

AD-Aware

DSO Exploit Protection:
DSO Exploit Protection

Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC

Edited by MrCharlie, 18 July 2004 - 03:51 PM.


#16 gary_stanley_uk

gary_stanley_uk

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 18 July 2004 - 04:00 PM

Thanks Mr C much appreciated just downloading some of the programs now! I always come to you guys for help you always solve the problems!



