spyban removal in win2k

six3077

Technical User
Nov 11, 2003
62
CA
win2k machine which somebody installed some program called spyban. I couldn't get much information on this program except that it is a PIA to remove, although no information on how to do it.
Anyone have any experience with this?
I have tried spybot search and destroy, and about to try ad-aware, but apparently those things do not remove it.

Explorer.exe keeps trying to connect to some site with the name look2me.com (ip: 69.20.20.161)
Also, the computer seems to be tied up as if it were busy with some program; things seem really chunky and slow now, so something is obviously running in the background.

Need some info on how to remove this thing(s).
 
Spybot with definition file beginning 11-2-2003 lists itself as able to remove SpyBan. Try SpyBot with a new set of definition files.

Are you sure this is the issue?

You might want to run Hijack This! and post the log here.
 
hey thanks for the response.
I downloaded the update for ad-aware and just through its log files I got much more information to surf for on the net.
Just finished cleaning the system, but everything is running fine now. Even got rid of that stupid double instance of quick launch (which was the biggest pain in the a**)
thanks and good luck to anyone that has to put up with that!
 
Somehow out of stupidity I clicked on the wrong box one time and now I get the popups from hell every day. I have used HijackThis and still can't get rid of all the pop-ups. The one I get that comes up all the time is: "Your Internet Explorer has been upgraded with the latest search toolbar from web search. Do you want to keep it." I hit No but it still doesn't uninstall. Is there any way to get rid of it? I don't have admin rights on this computer so I am stuck on what to do.
 
I have tried Ad-Aware, Spybot and CWShredder. Here is the HijackThis file:
Logfile of HijackThis v1.97.5
Scan saved at 2:16:45 PM, on 12/12/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\winnt\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\ePOAgent3\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\vhaindedrind\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMS Application Launcher] C:\winnt\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\VHAIND~2\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\ePOAgent3\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

"The internet explorer has been upgraded with the latest search toolbar from web search." comes up every time I reload the system. I can't find out where they are hiding this program that keeps running.
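
Added example (not part of any post in this thread): a small Python parser for the HijackThis log format posted above that extracts the executable behind each O4 autostart entry and lists the ones launching from a Temp directory, a common triage heuristic. The function names and the Temp-directory rule are assumptions of this example, not HijackThis behaviour.

```python
import re
from typing import NamedTuple, Optional

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\WINNT\Explorer.EXE
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\VHAIND~2\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
"""

class Entry(NamedTuple):
    section: str            # HijackThis section code, e.g. "O4"
    text: str               # remainder of the log line
    target: Optional[str]   # executable path, filled in for O4 entries only

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)
TEMP_DIR_RE = re.compile(r"^(temp|tmp|tempor~\d|temporary internet files)$", re.I)

def autostart_target(text):
    """Executable path of an O4 entry: '[name] command' or 'x.lnk = path'."""
    sep = "] " if "] " in text else " = "
    command = text.split(sep, 1)[-1].strip() if sep in text else ""
    if not command:
        return None
    if command.startswith('"'):               # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)                 # unquoted path may contain spaces
    return m.group(1) if m else command.split()[0]

def parse_log(log):
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())      # process paths and headers are skipped
        if m:
            section, text = m.groups()
            target = autostart_target(text) if section == "O4" else None
            entries.append(Entry(section, text, target))
    return entries

def under_temp(path):
    dirs = path.replace("/", "\\").split("\\")[:-1]   # directory components only
    return any(TEMP_DIR_RE.match(d) for d in dirs)

def autostarts_from_temp(entries):
    return [e for e in entries if e.target and under_temp(e.target)]
```

On the sample lines, `autostarts_from_temp(parse_log(SAMPLE_LOG))` returns only the TB_setup Run entry, whose target sits under `LOCALS~1\Temp`. A listed entry is a prompt to check the file, not a verdict.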
 
There is nothing suspicious in this log.
You might want to do the scan again, but enable all additional logging features.
 
Here is how to remove VX2 and Look2me:
Since the program is run by Windows, you cannot delete it from the Registry or files.

You can, however, delete it in DOS mode, since Windows isn't running. All you need is a startup disk for your operating system.

#1. First boot up the PC and run Spybot to locate Look2me and delete any other programs Spybot finds; go ahead and select "Fix selected problems". You will get a message that Spybot will have to start up on reboot and fix certain selected problems, which is Look2me; click "Yes" and then immunize all other programs Spybot found. Close Spybot.

#2. Go to "My Computer", select "C:\", then the "windows" folder, then the "system" folder, scroll down and find the MSG files. There may be a few of them; find the one that has Msg{bunch of interface numbers here}####.dll, right-click and select "Properties". This will show a Windows operating path and a DOS operating path that looks something like (msg{41~4.dll); write that down.

#3. Close all programs, put in the startup disk for your OS and restart your computer. At startup DOS will ask if you want to start with CD-ROM support or without; select without. Once you get to your "A:\", type this:

C: (hit Enter) to get to the C drive.
C:\>cd windows (hit Enter)
C:\WINDOWS>cd system (hit Enter)
It should look like this once done:
C:\WINDOWS\SYSTEM>
Then type del followed by the path you wrote down; it should look something like this:
C:\WINDOWS\SYSTEM>del msg{41~4.dll (hit Enter)
You will not get a message once it is deleted; if you want, do it again and DOS should say "File is not Found". Hit Ctrl+Alt+Delete to exit DOS.

#4. Take the startup disk out of the PC and restart the computer. Once you go into Windows, run Spybot again; it will find the registry but not the file because it was deleted. Fix all problems, then immunize, and you're done.

You can download Spybot here for free if you need it. Also, if Look2me can be listed as something other than an Msg file, then find the file in C:\Windows\System and find the path to access it in DOS by right-clicking and selecting Properties as listed above; Spybot will give you the path to Look2me.

Good Luck,
Jerry
 