
I visited another customer with a spyware infection... This lady uses a dialup connection & by the end of the day couldn't do any web browsing.

Funnily enough, she had Norton Internet Security (and antivirus) running, but this malware ran rings around it... the second machine in 2 weeks where Norton failed to stop spyware.

Anyway, I spent 90 minutes doing the usual: disabling malware startups in the registry, startup folder, etc., but every few minutes a web page would pop up unprompted anyway... At least the computer was mostly working, but if I left it as is, it would only have gotten worse over time.

The customer agrees I can take the computer & work on it from the office.

After a lot of investigation, I reckon I'm dealing with "look2me"... & all the forums are full of helpful suggestions, none of which seem to work for my particular situation... run programs like adaware, ewido, spybotSD, etc., boot into windows safe mode, blah blah blah.

No matter what I did, the spyware kept reappearing. I even knew which dll file was the culprit, but it was "in use by windows" from the moment windows starts, so it cannot be deleted, & it changes name after every boot... so deleting it at reboot time is no use... and of course any deleted files or registry entries would get recreated (sometimes within a matter of seconds).

I got a good idea of what was going on by using hijackthis ([http://www.spywareinfo.com]), regedit, l2mfix, killbox, and the symantec page on look2me.

I even upgraded XP from SP0 to SP2, but it didn't really help.

I also found that there are so many variants of this little beast... no wonder anti-spyware programs can't handle it... antispyware relies on malware "signatures"... just like antivirus programs... the malware crowd can generate new variants faster than any anti-malware company can keep up... maybe someone should talk them into adopting a heuristic approach... so that all current & future variants can be dealt with.

Anyway, I figure out how to read the output from l2mfix, & tell the difference between valid files & registry entries, & bad ones.

It seems that L2M rotates between 4 different (seemingly random) filenames after every reboot. The registry entry for the currently active dll file can be deleted, but it gets recreated.

But there are 8 other registry entries, which seem to "control" the 4 dll files... So I delete these 8 entries while in safe mode (I wouldn't have been happy if there were 200 entries!). They don't reappear, so I clear out the temp, prefetch, & ie cache folders. Then I schedule killbox to remove any undeletable "bad" dll at boot time.

I'm not sure what else I can do... it's 4am, & I'm a wee bit tired, so I decide to reboot into safe mode again & see what happens... I see that my deleted entries have stayed deleted, the "reappearing" registry entry is gone, and there are no bad dll files left in the system32 folder...

I run ewido, spybot & adaware, just to be sure, then I reboot into normal windows mode. Still no signs of L2M, so I do a defrag & let the computer (with Maxthon running) go for the rest of the night. The next morning there are no signs of malware, so I declare the computer exorcised of demons, & return it to its family.

Summary:

There isn't any utility to remove all Look2me variants (at this point in time). So there is no alternative but to learn how L2M really behaves & then remove the relevant bits by hand.

Stages for removal:

1) Download all the utilities you will need first.
2) Boot into windows safe mode.
3) Run a few anti spyware utilities & remove as much as possible.
4) Run hijackthis (look at the O20 entry for an idea of the offending dll file).
5) Run l2mfix & look at the registry entries: some will have empty content, but the name will be a hex code for another entry that points to the bad dll's.
6) This is where you need to take extreme care. If you don't understand what you are doing at this point, find someone who can help... I accept NO responsibility for what happens, as a blunder inside regedit can make your computer completely and utterly unusable.
7) Run regedit & remove the "guilty" entries.
8) Clean up ie caches, prefetch dirs, etc.
9) Reboot into safe mode again.
10) Check for and remove any remainder.
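Step 4 points at the HijackThis O20 entries, which (an assumption of this example, not something the post spells out) correspond to the Winlogon Notify subkeys and the AppInit_DLLs value. The script below is an added example, not part of the original post and not a HijackThis or l2mfix tool: it is a read-only audit of those two autostart locations that lists every registered DLL, whether the file actually exists, and whether it carries a valid Authenticode signature, so that a missing or unsigned DLL with a random-looking name stands out before anything is touched in regedit (step 6). The registry paths are the real ones; the function names are this example's own.

```powershell
# Added example (not from the original post): read-only audit of the
# autostart locations HijackThis reports as O20 entries. Deletes nothing.
# Run from an elevated PowerShell prompt.

$NotifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$WindowsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Resolve-AutostartDllPath {
    param([string]$Dll)
    # Winlogon loads bare file names from System32, so resolve them the same way.
    if ([System.IO.Path]::IsPathRooted($Dll)) { return $Dll }
    return Join-Path $env:SystemRoot ("System32\" + $Dll)
}

function Get-DllStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Exists = $false; Signature = 'FileMissing' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return [pscustomobject]@{ Exists = $true; Signature = $sig.Status.ToString() }
}

function Get-O20Report {
    $rows = @()

    # Winlogon\Notify: one subkey per notification package; the DLLName value names the module.
    if (Test-Path $NotifyKey) {
        foreach ($sub in Get-ChildItem -Path $NotifyKey) {
            $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.DLLName) { continue }
            $path   = Resolve-AutostartDllPath $props.DLLName
            $status = Get-DllStatus $path
            $rows += [pscustomobject]@{
                Source    = 'Winlogon\Notify\' + $sub.PSChildName
                Dll       = $path
                Exists    = $status.Exists
                Signature = $status.Signature
            }
        }
    }

    # AppInit_DLLs: a single value holding a space- or comma-separated list of modules.
    $appInit = (Get-ItemProperty -Path $WindowsKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            $path   = Resolve-AutostartDllPath $dll
            $status = Get-DllStatus $path
            $rows += [pscustomobject]@{
                Source    = 'AppInit_DLLs'
                Dll       = $path
                Exists    = $status.Exists
                Signature = $status.Signature
            }
        }
    }
    return $rows
}

# Anything that is not a present, validly signed file deserves a second look;
# in the Look2Me case above this is where the randomly named system32 DLLs appear.
$report = Get-O20Report
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    ForEach-Object {
        Write-Warning ("Review before removal: {0} -> {1} ({2})" -f $_.Source, $_.Dll, $_.Signature)
    }
```

Two caveats when reading the output. A normal XP install has several legitimate Notify subkeys (Microsoft's own packages), so the list being non-empty is expected; what matters is an entry whose DLL is missing, unsigned, or has a name you cannot account for. And on older PowerShell versions Get-AuthenticodeSignature does not consult catalog signatures, so catalog-signed Windows files can show as NotSigned; treat the Signature column as a prompt to check the file, not as a verdict on its own.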
