On my home PC, the first time I install something without running 327 scans on it first, I catch this pain in the ass....
Basically it doesn't do anything particularly harmful, except open 400 Explorer sessions as soon as it notices the internet connection is up, and try to install other crap... For now I've blocked it by putting a password on internet access, but to view any site I have to enter it at every page change.
I've already tried:
- Norton Antivirus
- Spybot Search & Destroy
- Ad-Aware SE
- Zone Alarm
- System Restore
The only one that sees it is Ad-Aware, but it can't remove it because it finds it resident in memory; and if I go into Safe Mode it can't catch it because, evidently, the source file doesn't start and so the .dll files generated by this bastard aren't created either.
Any other remedy you can think of to try?
I'd like to avoid the "great regenerating format" because I'd lose weeks reinstalling everything...
adware.look2me
- Legend
- Posts: 3075
- Joined: 03/12/2004, 7:18
There are no stupid questions. Only the answers can be.
- Legend
- Posts: 3075
- Joined: 03/12/2004, 7:18
P.S.: it might also be enough for me to find out how to do a step-by-step Windows startup, so I can see what it activates on the sly and find the source file (nothing odd shows up under the "Startup" tab of msconfig)
- Moderator
- Posts: 1470
- Joined: 30/03/2003, 13:35
- Location: Milano
Technical Details
File names:
VT09.exe
VT09_Installer.exe
ffInst.exe
As of this writing, Symantec Security Response has received a submission of a .dll file that is one component of Adware.Look2Me. The file name appears to be random and may vary. We have not received a submission of the file that actually installs this .dll file.
If this .dll file is executed, it may install itself as a Browser Helper Object (BHO), or it may directly install itself. The CLSID key in the registry, which the BHO adds, will vary but it will always begin with {DDFFA75A-.
The adware component performs some or all of the following actions:
Creates the following files:
%System%\[RANDOM NAME].dll
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds one or more of the following registry keys and values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"ID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"Idex"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"[CLSID VALUE]"
May add the values:
"(Default)" = ""
"IDEX" = "AD"
"InProcServer32\(Default)" = "[PATH TO %System%\[RANDOM NAME].DLL]"
"InProcServer32\ThreadingModel" = "Apartment"
to the registry subkey:
HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID KEY]
May add the values:
"Asynchronous" = "0"
"DllName" = "[PATH TO %System%\[RANDOM NAME].DLL]"
"Impersonate" = "0"
"Logoff" = "WinLogoff"
"Logon" = "WinLogon"
"Shutdown" = "WinShutdown"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run
so that it runs every time Windows starts.
Downloads executables from a Web site, and then runs them.
Note: These could be updates or components of other adware.
Opens advertisements in Internet Explorer.
May change the Internet Explorer home page by modifying the value of the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Deletes the following registry key, which prevents BHOs from running:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
May monitor user Web site traffic and send this information to Look2me.
May create a Web page locally, and make that particular page the default search page.
Removal Instructions
Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.
Update the definitions.
Restart the computer in Safe mode.
Run a full system scan and delete all the files detected as Adware.Look2Me.
Reset the Internet Explorer home page.
Reset the Internet Explorer search page.
For specific details on each of these steps, read the following instructions.
1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.
2. To restart the computer in Safe mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode."
3. To scan for and delete the files
Start your Symantec antivirus program, and then run a full system scan.
If any files are detected as Adware.Look2Me, click Delete.
Note: If your Symantec antivirus product reports that it cannot delete a detected file, note the path and file name. Then use Windows Explorer to locate and delete the file.
4. To reset the Internet Explorer home page
Start Microsoft Internet Explorer.
Connect to the Internet, and then go to the page that you want to set as your home page.
Click the Tools menu > Internet Options.
In the Home page section of the General tab, click Use Current, and then click OK.
For additional information, or if this procedure does not work, read the Microsoft® Knowledge Base article, "Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting, Article ID 320159."
5. To reset the Internet Explorer Search page
Follow the instructions for your version of Windows.
Windows 98/Me/2000
Start Microsoft Internet Explorer.
Click the Search button on the toolbar.
In the Search pane, click Customize.
Click Reset.
Click Autosearch Settings.
Select a search site from the drop-down list, and then click OK.
Click OK.
Windows XP
Because Windows XP is set by default to use animated characters in the search, how you perform this procedure can vary. Read all the instructions before you start.
Start Microsoft Internet Explorer.
Click the Search button on the toolbar.
Do one of the following:
If the pane that opens looks similar to this picture:
click the word Customize. Then skip to step h.
If the pane that opens has the words "Search Companion" at the top, and the center looks similar to this picture:
click the "Change preferences" link as shown above. Proceed with step d.
Click the "Change Internet search behavior" link.
Under "Internet Search Behavior," click "With Classic Internet Search."
Click OK. Then close Internet Explorer. (Close the program for the change to take effect.)
Start Internet Explorer. When the search pane opens, it should now look similar to this:
Click the word Customize, and then proceed with the next step.
In the Search pane, click Customize.
Click Reset.
Click Autosearch Settings.
Select a search site from the drop-down list, and then click OK.
Click OK.
Do one of the following:
If you were using (or want to continue using) the "Classic Internet Search" panel, stop here (or proceed with the next section).
If you want to go back to the "Search Companion" search (it usually has an animated character at the bottom), proceed with step n.
Click the word Customize again.
In the "Customize Search Settings" window, click "Use Search Companion," and then click OK.
Close Internet Explorer. The next time you open it, it will again use the Search Companion.
Video games don't affect kids. I mean, if Pac-Man had affected our generation, we'd all be jumping around in darkened rooms, munching magic pills and listening to repetitive electronic music......
Kristian Wilson (Nintendo INC, 1989)
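An offline check for the persistence points the Symantec write-up lists, as an added example (not Symantec's code and not posted by anyone in this thread): it parses a `.reg` export of the Winlogon\Notify, CLSID and Explorer keys and flags the Look2Me indicators the write-up names (a Notify package whose DllName is a full path into %System%, the Notify\Guardian marker key, a CLSID starting with {DDFFA75A-, and the deleted Browser Helper Objects key). The sample export, the DLL name qrtz0913.dll and the GUID suffix after {DDFFA75A- are constructed; only the key names and the {DDFFA75A- prefix come from the write-up. On a real machine you would export the keys with `reg export` and feed that file to `parse_reg` instead of the sample.

```python
"""Offline triage of a Windows .reg export for the Adware.Look2Me indicators
listed in the Symantec write-up quoted in this thread. Added example, not code
from Symantec or from the thread. Key names are from the write-up; the DLL
name, CLSID suffix and export text are constructed sample data."""

LOOK2ME_CLSID_PREFIX = "{DDFFA75A-"  # write-up: the BHO's CLSID always starts with this
NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
BHO_KEY = EXPLORER_KEY + r"\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
SYSTEM_DIRS = ("\\system32\\", "\\system\\")  # %System% on NT/2000/XP and on 95/98/Me

# Constructed sample of what `reg export` of the relevant keys might produce.
# qrtz0913.dll and the GUID after {DDFFA75A- are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\System32\\qrtz0913.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"ID"="sample-id"
"Idex"="sample-idex"

[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-1111-2222-333344445555}]
@=""
"IDEX"="AD"

[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-1111-2222-333344445555}\InProcServer32]
@="C:\\WINDOWS\\System32\\qrtz0913.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
'''


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}. Strings are unescaped,
    dword: values become ints, @ becomes "(Default)"; other types are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif val.startswith("dword:"):
                val = int(val[6:], 16)
            keys[current][name] = val
    return keys


def find_look2me_indicators(keys):
    """Return (indicator, key, detail) tuples for the write-up's persistence points."""
    hits, lower = [], {k.lower() for k in keys}
    for key, values in keys.items():
        kl = key.lower()
        if kl.startswith(NOTIFY_ROOT.lower() + "\\"):
            sub = key[len(NOTIFY_ROOT) + 1:]
            dll = str(values.get("DllName", ""))
            if sub.lower() == "guardian":  # Notify\Guardian\ID and \Idex markers
                hits.append(("guardian_marker", key, "values: " + ", ".join(sorted(values))))
            elif any(d in dll.lower() for d in SYSTEM_DIRS):
                # Stock Notify packages name a bare DLL (crypt32.dll etc.); a full path
                # to a random-named DLL in %System% is the pattern the write-up describes.
                hits.append(("winlogon_notify_dll", key, dll))
        elif (kl.startswith((CLSID_ROOT + "\\" + LOOK2ME_CLSID_PREFIX).lower())
              and kl.count("\\") == CLSID_ROOT.count("\\") + 1):  # CLSID root key only
            inproc = keys.get(key + "\\InProcServer32", {}).get("(Default)", "")
            hits.append(("look2me_clsid", key,
                         "IDEX=%s InProcServer32=%s" % (values.get("IDEX"), inproc)))
    if EXPLORER_KEY.lower() in lower and BHO_KEY.lower() not in lower:
        # The write-up says the adware deletes this key; on a clean system it exists.
        hits.append(("bho_key_deleted", BHO_KEY, "key absent from the export"))
    return hits


def keys_to_remove(hits):
    """Keys to review and remove; the missing BHO key is one to restore, not delete."""
    return sorted(key for kind, key, _ in hits if kind != "bho_key_deleted")


if __name__ == "__main__":
    for kind, key, detail in find_look2me_indicators(parse_reg(SAMPLE_REG)):
        print("%-20s %s\n%-20s   %s" % (kind, key, "", detail))
```

Running it on the sample reports the Notify\Run entry with its %System% DLL, the Notify\Guardian marker, the {DDFFA75A- CLSID with its InProcServer32 path, and the absent Browser Helper Objects key, while the stock crypt32chain entry is left alone. The Winlogon Notify entry is the reason the DLL is always in use in normal mode, which matches the first post's observation that the cleaner finds it resident in memory.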
- Legend
- Posts: 3075
- Joined: 03/12/2004, 7:18
I did the search through Symantec too.
I've already tried that method, but when started in Safe Mode Norton doesn't detect anything...
Any other suggestions?
P.S.: Anyway, thanks ferro
- Moderator
- Posts: 1470
- Joined: 30/03/2003, 13:35
- Location: Milano
Throw the antivirus away.
Wipe the keys from the registry.
Reboot in Safe Mode.
Install the antivirus (preferably a decent one, like Norton Corporate).
Reboot in normal mode.
- Legend
- Posts: 3075
- Joined: 03/12/2004, 7:18
!!!!!!!
I HAVE Norton Corporate!!!!!!!
I may have fixed it, but I still have to verify (I finished the whole process after midnight, to the GREAT joy of my wife, who in the meantime was already typing up the separation papers on my son's PC.... so I preferred to shut down and go to bed....)
If I managed it, I'll post how afterwards....