Just last week I encountered a nasty strain of VX2 Look2Me. None of the
major or minor spyware programs could get rid of it. Many were able to
identify parts of it, but the evil just kept recreating itself. Ultimately I
did a Google search on the words "nothing removes look2me". Even then it was
difficult to clean. A little program called VX2Finder was able to help
defeat this infestation. I started out, though, running every kind of spyware
product that I trusted (SpySweeper, Ad-Aware, Spy-Bot S&D and the new beta
MS AntiSpyware Beta1) in every possible combination of Safe Mode and so on.
My luck began to turn when I ran Ad-Aware from the UltimateBootDisk for
Windows (based on Bart P.E.). Still, that was not enough. VX2Finder did it. It
is not easy to use, but it is faster than reformatting. Below are the
directions I found for using VX2Finder. They are not real easy to follow, but
you can struggle through and get it done. The key to winning this battle was
deleting the registry key that the program identifies. If you are not
successful on the first try, go through it again. In the end you will have to
delete all the entries it finds. You will be successful when you have deleted
the part of it that controls the recreation of the bad .dll files. As far
as I am concerned, we are all in big trouble if the bad guys are progressing
this rapidly and radically to create this kind of havoc. Look2Me was even
able to hijack Firefox, almost to the same extent that it took over IE.
[QUOTE]version 1.0.0.13 Available from
http://www.downloads.subratam.org/VX2Finder.exe
This will only work on Win2K, XP.
- Finds all files created by Look2Me (although it is possible an error
could occur detecting and listing files, skilled eyes looking at
filenames can decide that fairly quickly... it hasn't been wrong yet).
- Also, confirmation is needed for every file to delete (safety).
1.) Delete all files found (VX2Finder will "End Task" on up to 2
instances of Rundll32.exe automatically).
You will get a message about "cannot delete this one" matching the
same name in the Guardian Key.
2.) Click "Open regedit"; it will take you right to the Guardian
Key (no need to search for it).
Guide the user through the procedure:
Highlight "Guardian", right-click and choose
Security/Permissions; you'll get another
window with 'Advanced'.
De-select (uncheck) the lower box with
"inheritable permissions",
hit 'OK' and 'Remove' on the following security prompts.
Restart the computer.
3.) On restart, use VX2Finder again, select + delete the last file,
then click "User Agent$", which will remove that entry from the registry.
4.) Click "Open regedit" again, this time restoring the
checkmark in "inheritable permissions".
5.) Click "Guardian.reg". Deletes the Guardian Key.
6.) Use Find again; it should produce a clean log of blank values.
7.) Click "Restore Policy" to restore the Debug policy altered
in the Look2Me installation (requires a reboot to apply, but not immediately
necessary).
The purpose of this so far is to keep the user out of the system
directory, and out of the registry where they will get themselves into
trouble.
Using VX2Finder buttons limits them to "one click" operations and an
unfortunate but necessary regedit of the "inheritable permissions". Again,
using the VX2Finder Regedit button opens directly on whatever Guardian key
they have, limiting the user to the correct area instead of trusting them to
find it on their own.
*If the Guardian Key does not exist, regedit will open one level up on
the Notify key.
The total fix to remove all Look2Me components listed only requires 1
reboot.[/QUOTE]
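As an added example that is not part of the original post and is not VX2Finder's code, the PowerShell script below carries out the registry side of the quoted steps (the "Open regedit" permission change in step 2, the restore in step 4 and the key deletion in step 5) with built-in tooling, so the effect of each "one click" button is visible. It assumes things the page does not state: that the Guardian key is a subkey of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (the quote only says regedit opens "one level up on the Notify key" when Guardian is missing), that bare DLLName values resolve from %SystemRoot%\System32, and an elevated PowerShell 5.1 session on a Windows newer than XP. The "User Agent$" entry and the "Restore Policy" step are left out because the page does not say where those entries live.

```powershell
<#
  Added example; not from the original post and not VX2Finder's code.
  Reproduces the registry side of the quoted VX2Finder steps.

  Assumptions (not stated on the page):
   - the Guardian key sits directly under the Winlogon Notify key,
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify;
   - DLLName values without a path resolve from %SystemRoot%\System32;
   - run from an elevated PowerShell 5.1 prompt (Win2K/XP had no PowerShell).
  Default stage is read-only; nothing is changed unless -Stage says so.
#>
[CmdletBinding()]
param(
    [ValidateSet('Report', 'Lock', 'Unlock', 'Delete')]
    [string]$Stage = 'Report',
    [string]$SuspectSubkey = 'Guardian'  # assumed name, taken from the quoted steps
)

$NotifyRel  = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$NotifyPath = "HKLM:\$NotifyRel"
$SuspectRel = "$NotifyRel\$SuspectSubkey"

# Every Winlogon notification package, the DLL it names and whether that DLL
# is on disk. Compare the subkey list against a known-clean machine of the
# same build; a subkey you cannot account for is the loader to go after.
function Get-NotifyPackages {
    Get-ChildItem -Path $NotifyPath | ForEach-Object {
        $dll  = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        $full = $null
        if ($dll) {
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        }
        [pscustomobject]@{
            Subkey  = $_.PSChildName
            DLLName = $dll
            OnDisk  = [bool]($full -and (Test-Path -LiteralPath $full))
        }
    }
}

# Open the suspect key asking only for the rights needed to read and change
# its DACL. With a DACL that grants nothing this still works for the key's
# owner (owners implicitly hold READ_CONTROL and WRITE_DAC); if it is denied,
# take ownership first in regedit (Security > Advanced > Owner).
function Open-KeyForSecurity {
    $rights = [System.Security.AccessControl.RegistryRights] 'ReadPermissions, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SuspectRel, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if (-not $key) { throw "HKLM\$SuspectRel does not exist" }
    return $key
}

# Step 2 of the quoted procedure: untick "inheritable permissions" and answer
# "Remove". The key stops inheriting from Notify and keeps no ACEs at all, so
# at the next logon Winlogon cannot open it, the DLL it names is not loaded,
# and the last file can be deleted after the reboot.
function Lock-SuspectKey {
    $key = Open-KeyForSecurity
    try {
        $acl = $key.GetAccessControl()
        $acl.SetAccessRuleProtection($true, $false)   # $false: drop, do not copy, inherited ACEs
        foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
            [void]$acl.RemoveAccessRule($rule)
        }
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

# Step 4: put the checkmark back so the key inherits from Notify again and
# is reachable for deletion.
function Unlock-SuspectKey {
    $key = Open-KeyForSecurity
    try {
        $acl = $key.GetAccessControl()
        $acl.SetAccessRuleProtection($false, $true)
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

# Step 5 ("Guardian.reg"): delete the key.
function Remove-SuspectKey {
    Remove-Item -Path "$NotifyPath\$SuspectSubkey" -Recurse -Force
}

switch ($Stage) {
    'Report' { Get-NotifyPackages | Format-Table -AutoSize }
    'Lock'   {
        # VX2Finder ends rundll32 tasks before deleting files; do the same here.
        Get-Process -Name rundll32 -ErrorAction SilentlyContinue | Stop-Process -Force
        Lock-SuspectKey
        Write-Output "Locked HKLM\$SuspectRel. Reboot, delete the remaining DLL, then run -Stage Unlock."
    }
    'Unlock' { Unlock-SuspectKey }
    'Delete' { Remove-SuspectKey; Get-NotifyPackages | Format-Table -AutoSize }
}
```

Run it with `-Stage Report` first and look at the Notify subkeys and their DLLs before touching anything; the remaining stages follow the order of the quote (Lock, reboot and delete the file, Unlock, Delete). The empty DACL written by the Lock stage is what makes the key unopenable at the next logon, which is why the quoted steps need the reboot between unticking and re-ticking "inheritable permissions".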