Windows Spyware Saga

Discussion in 'Software' started by Emoticon Fury, 5 Aug 2006.

  1. Emoticon Fury

    Emoticon Fury What's a Dremel?

    Joined:
    10 Apr 2006
    Posts:
    32
    Likes Received:
    0
    So, I was surfing the web today and I had like 9 windows open and a popup came up. The popup was one of those ones that is made to look like a WinXP window. So without thinking I clicked the false winXP looking "X" close button by accident, instantly causing a chain reaction. In my momentary lapse of concentration my comp downloaded somewhere between 15-20 spyware programs before I was able to end all the tasks. Instantly I started ending tasks and closing windows like crazy to contain the outbreak. It was pretty much a spyware bomb contained in a single popup.

    So, I spent the last 3 hours tracking down and killing all these programs. Then I was left with one... an evil piece of software called "Look2Me" that causes mass popups. I tried 5 different tools specifically designed to take it out and all have failed. I was able to locate it with HijackThis and I have figured out that it operates off a .dll in a certain group and every time I restart the comp the .dll changes names to something else in the C:\windows\system32 folder. Every time I try to get rid of it with HijackThis it comes back again. However it cannot be killed by any other means because it's "in use". So I boot in Safe mode with command prompt and still can't kill it because it's "in use".

    So now in my efforts to destroy this spyware I am confronted with a new problem. After my adventure in safe mode I restarted the comp in normal mode. Now whenever I try to start IE or Firefox I get "Page cannot be displayed" errors. Now here comes the strange part. The computer has an IP and I can play online games, use Teamspeak or whatever just fine, but for some reason whenever I try to access a webpage I get the same error. For some reason however, it still lets me access the router settings screens. This leads me to believe that there is some kind of block preventing me from using port 80 outside my network.

    I have never seen this before and I'm out of ideas. I can't kill this godforsaken piece of spyware with Norton, Spybot, Adaware, or the new Windows Defender and I can't access webpages anymore on my main machine. Anyone have any ideas?

    BTW, no, it's not a firewall issue. That was the first thing I thought to disable when I couldn't view pages.
     
    Last edited: 5 Aug 2006
  2. MrWillyWonka

    MrWillyWonka Chocolate computers galore!

    Joined:
    25 Jul 2004
    Posts:
    5,892
    Likes Received:
    12
    Tried system restore? That should solve the problem, then run all the antivirus/spyware programs again to be sure.
     
  3. Emoticon Fury

    Emoticon Fury What's a Dremel?

    Joined:
    10 Apr 2006
    Posts:
    32
    Likes Received:
    0
    I disabled system restore. Stupid... I know, but I needed the space it was taking up on my 60 gig drive.
     
  4. padrejones2001

    padrejones2001 Puppy Love

    Joined:
    17 Jun 2004
    Posts:
    1,434
    Likes Received:
    15
    Have you tried deleting it from the command line (i.e. not booting into Windows)? Because, in theory, you'd be able to delete it by simply navigating to the folder and deleting the one that doesn't belong. It probably won't be in use if you're in straight DOS. Alternatively, you could boot Windows from a CD and delete it that way.
     
  5. MrWillyWonka

    MrWillyWonka Chocolate computers galore!

    Joined:
    25 Jul 2004
    Posts:
    5,892
    Likes Received:
    12
    Unless you manually cleanse your system32 folder out and try all the spyware programs, there isn't a lot you can do since a lot of them will still be hidden somewhere. Personally I would reformat.

    However, try creating a new user account; hopefully your problem is confined to just one account. Likewise check your services and startup programs to ensure there's nothing nasty there. Lastly try reinstalling your network drivers. Daft as it might sound, it has corrected a spyware problem in browsers for me before.
     
  6. Emoticon Fury

    Emoticon Fury What's a Dremel?

    Joined:
    10 Apr 2006
    Posts:
    32
    Likes Received:
    0
    I can't delete it just from the command line because I need HijackThis to figure out which .dll it's created for itself since I restarted. The only thing I haven't tried yet is dropping in my BartPE disk and trying to get it that way.

    Wonka: I'll try that out and keep everyone posted.

    I should note that I'm using Synergy to type on my secondary comp over the network from my main station, further proving it doesn't appear to have affected anything but my website related programs.

    EDIT: Creating another account has no effect...getting drivers to test that...
     
    Last edited: 5 Aug 2006
  7. Emoticon Fury

    Emoticon Fury What's a Dremel?

    Joined:
    10 Apr 2006
    Posts:
    32
    Likes Received:
    0
    Holy %$#! It worked, Wonka! I reinstalled the drivers and I can access websites again!

    On the downside I still have this terrible Look2Me spyware on here that I can't get rid of, but thank you for helping me fix my website access problem.
     
  8. padrejones2001

    padrejones2001 Puppy Love

    Joined:
    17 Jun 2004
    Posts:
    1,434
    Likes Received:
    15
    Write down the file names in system32. Restart. Write down the names again. Compare the lists. The one that isn't on the list as before is the bad file name, which will also give you a known good configuration (the list of DLLs that are on both lists). Restart in command line mode, go through the list of files in the folder and delete the one that isn't on any of the lists. If I'm not mistaken, that'll work.
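    The snapshot-and-compare procedure above, as an added example (not padrejones2001's code): a plain name diff shows a DLL that renames itself on every reboot as one "removed" and one "added" name, so this version also hashes file contents and pairs old and new names whose bytes are identical. The directory path and the sample snapshots are constructed for illustration.

```python
import hashlib
import os


def snapshot(directory):
    """Map filename -> SHA-256 of contents for every regular file in directory.
    Files that cannot be read (locked or access denied) are recorded as None
    so they still take part in the name diff."""
    result = {}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        try:
            with open(entry.path, "rb") as fh:
                result[entry.name] = hashlib.sha256(fh.read()).hexdigest()
        except OSError:
            result[entry.name] = None
    return result


def compare(before, after):
    """Diff two snapshots. 'renamed' pairs an old name with a new name whose
    contents hash identically; names left unpaired are plain added/removed."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    renamed = []
    for old in sorted(removed):
        for new in sorted(added):
            if before[old] is not None and before[old] == after[new]:
                renamed.append((old, new))
    paired_old = {o for o, _ in renamed}
    paired_new = {n for _, n in renamed}
    return {"added": sorted(added - paired_new),
            "removed": sorted(removed - paired_old),
            "renamed": renamed}


def _h(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample snapshots (not a real system32 listing): the system DLLs
# are unchanged, the intruder returns under a fresh name with the same bytes,
# and one unrelated file was added by a legitimate update in between.
SAMPLE_BEFORE = {"kernel32.dll": _h(b"k32"), "user32.dll": _h(b"u32"),
                 "abc123.dll": _h(b"constructed intruder bytes")}
SAMPLE_AFTER = {"kernel32.dll": _h(b"k32"), "user32.dll": _h(b"u32"),
                "xyz789.dll": _h(b"constructed intruder bytes"),
                "newupdate.dll": _h(b"patched component")}

if __name__ == "__main__":
    # Real use: save snapshot(r"C:\Windows\system32") before and after the reboot.
    print(compare(SAMPLE_BEFORE, SAMPLE_AFTER))
```

    If the file repacks itself so the hash changes between reboots, the pairing fails and the intruder simply appears in both the "removed" and "added" lists, which is still enough to single it out against the unchanged majority.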
     
  9. Emoticon Fury

    Emoticon Fury What's a Dremel?

    Joined:
    10 Apr 2006
    Posts:
    32
    Likes Received:
    0
    Thanks for the support! I found another util for removing that spyware that actually worked. I believe it was called look2me destroyer if anyone else has a similar problem.
     
  10. fathom17

    fathom17 What's a Dremel?

    Joined:
    20 Sep 2005
    Posts:
    222
    Likes Received:
    0
    I hope that wasn't written by the look2me coder :worried:
     
  11. Cheap Mod Wannabe

    Cheap Mod Wannabe What's a Dremel?

    Joined:
    7 Feb 2005
    Posts:
    1,471
    Likes Received:
    18
    My saga:

    There is something seriously wrong with me.... about 15 mins ago (just after 2am) I was surfing the net and one video link opened up, but although the sound was playing, it suggested to install the codec.... Hmm, I thought... The text in the video window convinced me that it was a scam and most likely spyware. Well, what the hell, I said... I had no experience with spyware since last year, so I kinda missed it.

    I downloaded... YES, an .EXE file... I hesitated for quite a few seconds and then double-clicked it (C) (Microsoft Corporation)...

    The installer launched and I laughed at the EULA of that stupid spyware... but I clicked NEXT...

    Oh nooooo what are these icons on my Desktop.... Where did they come from?!

    As the installer finished I began my saga through the .DLL and auto-relaunching processes.

    First I deleted the shortcuts... then went to msconfig and cleaned it of auto-launching stuff for the next reboot. Then to Program Files, "Media-Codec" folder... Hmm, most files there were undeletable... Well, unless you go to the command line, kill Explorer.exe and then delete manually. Hey, but one service was still alive, and one .DLL was not associated with Explorer.exe.... What shall I do?! I was lost... confused and petrified. However, deep down in my heart I wanted to reinstall Windows...

    But no, I had to fight! I then launched Sysinternals Process Explorer, and HijackThis. I killed and killed the process but it kept spawning again.... Symantec by now notified me politely about intruder Trojans... Fu*k you Symantec, I know it already... I feel the spyware in my gut.

    Not sure what exactly I did, but after the long fight the service no longer reappeared. I quickly deleted the folder and rebooted. No sign of pop-ups or unknown services.... I won this round. I won another round in this great but never-ending game that comes included with Windows. Try it... it's just a click away.
     
  12. eek

    eek CAMRA ***.

    Joined:
    23 Jan 2002
    Posts:
    1,600
    Likes Received:
    14
    lol, that's certainly one way to pass time on a rainy day!!
     
  13. allforcarrie

    allforcarrie Banned

    Joined:
    22 Jul 2005
    Posts:
    414
    Likes Received:
    0
    Have you tried HijackThis? A very powerful tool.
     
  14. Tyinsar

    Tyinsar 6 screens 1 card since Nov 17 2007

    Joined:
    26 Jul 2006
    Posts:
    2,287
    Likes Received:
    28
    You could ID the file this way then use a Linux boot disk to delete that file (I always keep a Linux boot disk handy)
     
  15. The_Gimpy

    The_Gimpy What's a Dremel?

    Joined:
    15 Jul 2004
    Posts:
    196
    Likes Received:
    0
    I've been having this very same problem, with the fact that Firefox, IE and Opera won't allow me to browse, but yet I can still use MSN and all my other internet services. I did find a workaround however: if I open My Computer and use the address bar in it to go to a website, that works fine, however I'm stuck dealing with IE. I'm going to reinstall my network drivers and hope that works for me.
     
  16. Spacecowboy92

    Spacecowboy92 Gettin' Lazy

    Joined:
    10 Apr 2006
    Posts:
    757
    Likes Received:
    0
    Kill2me, I think you'll find. 9th down in the list.
     