#088 - "Look2me" Malware Removal
I visited another client with a spyware infection... This lady
uses a dialup connection & eventually couldn't do any web
browsing.
Funnily enough, she had Norton Internet Security (and Antivirus) running, but this malware ran rings around it... the second computer in 2 weeks with Norton helpless at stopping spyware.
Anyway, I spent 90 minutes doing the usual: disabling malware startups in the registry, the startup folder, etc., but every few minutes a web page would spontaneously pop up anyway... At least the computer was mostly working, but if I left it as is, it would have gotten worse over time anyway.
Client agrees I can take the computer & work on it from the
office.
After a lot of investigation, I find I'm dealing with "look2me"... & all the forums are full of helpful suggestions, none of which seem to work for my particular situation... run programs like Ad-Aware, Ewido, etc., start in Windows safe mode, blah blah blah.
No matter what I did, the spyware kept re-appearing. I even knew which dll file was the culprit, but it was "in use by Windows" from the moment Windows starts, so it could not be deleted, & it changes name after every reboot... so deleting it at reboot time is no use... and of course any deleted files or registry entries would get re-created (sometimes within a matter of seconds).
I got a good idea of what was going on by using hijackthis,
regedit, l2mfix, killbox, and the Symantec page on look2me.
I even upgraded XP from SP0 to SP2, but it didn't really help.
I also found that there are so many variants of this little critter... no wonder most anti-spyware programs can't control it... anti-spyware programs rely on malware "signatures", just like antivirus programs... the malware people can generate new variants faster than any anti-malware company can keep up... maybe someone should tell them to adopt a heuristic approach, so that all current & future variants can be dealt with.
Anyway, I figured out how to interpret the output from
look2mefix, & tell the difference between legitimate files &
registry entries, & bad ones.
It seems like Look2Me rotates between 4 different (seemingly random) filenames after every reboot. The registry entry for the currently active dll file can be deleted, but it gets recreated. But there are 8 other registry entries which seem to "control" the 4 dll files... So I delete these 8 entries while in safe mode (I wouldn't have been happy if there were 200 entries!). They don't reappear, so I empty out the temp, prefetch, & IE cache folders. Then I schedule killbox to delete any undeletable "bad" dll at boot time.
I'm not sure what else I can do... it's 4am, & I'm a wee bit tired, so I decide to reboot into safe mode again & see what happens... I notice that my deleted entries have remained deleted, the "reappearing" registry entry is gone, and there are no bad dll files left in the system32 folder...
I run Ewido, Spybot & Ad-Aware, just to be sure, then I reboot to normal Windows mode. Still no signs of Look2Me, so I do a defrag & let the computer (with Maxthon running) go for the rest of the night. The next morning, there are no signs of malware, so I declare the computer exorcised of all daemons, & return it to its family.
Summary:
There isn't any utility to remove all Look2me variants (at this
stage). So there is no alternative but to learn how Look2Me
actually behaves & then remove the relevant bits.
Stages for removal:
1) Download all the utilities you will need beforehand.
2) Boot into Windows safe mode.
3) Run a few anti-spyware utilities & clean up as much as possible.
4) Run HijackThis (look at the O20 entry for an idea of the guilty .dll file).
5) Run l2mfix & look at the registry entries; some will have blank content, but the name will be a hex code for another entry that points to the bad .dlls.
Note: This is where you need to take great care. If you don't understand what you are doing at this point, find someone who can help... I take NO responsibility for what happens, as a mistake within regedit can make your computer totally and completely unusable.
6) Run regedit & remove the "guilty" entries.
7) Clean up (IE caches, prefetch dirs, etc.).
8) Reboot to safe mode again.
9) Check for and remove any leftovers.
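As an added example for steps 4 and 5 (and for the "rotating dll" behaviour described above), here is a read-only PowerShell triage script; it is not from the original post or from any of the tools it names. It enumerates the two auto-load hooks that HijackThis reports as O20 entries, the Winlogon\Notify subkeys and the AppInit_DLLs value (standard Windows registry paths I am assuming here, not taken from the post), and reports for each DLL whether the file exists, whether it carries a valid Authenticode signature, and when it was created. The function names are my own; the Notify key is honoured by XP-era winlogon.exe and ignored on later Windows.

```powershell
# Added triage helper (not from the original post). Lists the Winlogon\Notify
# and AppInit_DLLs auto-load hooks (HijackThis "O20") with signature status
# and file creation time. Read-only: nothing is modified or deleted.
$notifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$windowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$system32   = Join-Path $env:SystemRoot 'System32'

function Resolve-System32Path([string]$dll) {
    # Bare file names in these keys are loaded from System32.
    if ([IO.Path]::IsPathRooted($dll)) { return $dll }
    return (Join-Path $system32 $dll)
}

function Get-O20Entries {
    # Winlogon notification packages: each subkey's DllName is loaded by
    # winlogon.exe at logon (XP-era mechanism; later Windows ignores the key).
    Get-ChildItem $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if ($dll) {
            New-Object PSObject -Property @{
                Source = "Notify\$($_.PSChildName)"
                Path   = Resolve-System32Path $dll
            }
        }
    }
    # AppInit_DLLs: a delimited list injected into every process that maps user32.dll.
    $raw = (Get-ItemProperty $windowsKey -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($raw -split '[ ,;]+' | Where-Object { $_ })) {
        New-Object PSObject -Property @{ Source = 'AppInit_DLLs'; Path = Resolve-System32Path $dll }
    }
}

function Get-O20Report {
    # Legitimate Notify packages are Microsoft-signed; an unsigned, missing or
    # freshly created DLL is the one to inspect before touching regedit.
    Get-O20Entries | ForEach-Object {
        $exists = Test-Path -LiteralPath $_.Path
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $_.Path).Status } else { 'FileMissing' }
        $ctime  = if ($exists) { (Get-Item -LiteralPath $_.Path).CreationTime } else { $null }
        New-Object PSObject -Property @{
            Source    = $_.Source
            Path      = $_.Path
            Signature = $sig
            Created   = $ctime
            Suspect   = ($sig -ne 'Valid')
        }
    }
}

Get-O20Report | Sort-Object Suspect -Descending |
    Format-Table -AutoSize Suspect, Signature, Created, Source, Path
```

Run it from an elevated prompt in safe mode and compare the flagged, randomly named DLL against the signed Notify packages; the report gives you the file name to cross-check against the l2mfix entries before you remove anything.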