史萊姆論壇

2004-07-29, 12:28 PM   #1
psac

Every so often the system pops up an IE window that visits a site

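Q:

Every so often the system pops up an IE window that visits a site

Even with no IE window open, after a while an IE window appears and visits a site at 69.20.62.53. ft
Using 木馬剋星 did not help either. It only found one file, inetadpt.dll. I searched for it on Google and removed it with LSPFix.exe, but the problem is still there.


A:
It seems that FlashGET pops up an IE window if it is not registered.

Q:
FlashGet is not installed. And there are basically no suspicious processes left on the system. Checking with taskinfo, IE is started by winlogon.exe.
But I compared winlogon.exe on the affected computer with the one on a healthy computer, and they are exactly the same.
One of the ads is at http://www.look2me.com/


A:
Unfortunately, it has happened: the machine has caught look2me.
Once the spyware Look2Me (vx2.betterinternet) has been inadvertently installed on a computer, it is very hard to remove.

A software forum abroad has fairly in-depth discussion of this spyware, along with related tools for download.
http://forums.broadbandmedic.com/cgi.../ikonboard.cgi
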

Look2me Removal Instructions and Help


What is Look2Me?
Look2Me is an advertising and information network that uses a shell extension to attach itself to Windows and display pop up advertising for its clients. It monitors visited web sites and submits this information to a server.

How do I Remove Look2Me?

Because the software highly integrates itself with Explorer, it can be hard to remove. Included below is a basic manual removal method for Look2Me as well as an excellent Visual Basic Script that can be run to help remove it.

Automatic Removal Program from Look2Me


Follow the instructions below to manually remove Look2Me

Click on Start, Run, and type REGEDIT and click Ok to start the Registry Editor
Now open the Windows Task Manager

On Windows 95/98/ME, Press CTRL+ALT+DEL
On Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the Task Manager if needed, and click on the Processes tab

In the list of programs, click on EXPLORER.EXE and select End Task or End Process. Repeat this procedure until no explorer.exe process is running (The Start Menu, Task Bar, and System Tray will disappear)
Select the Registry Editor (you may have to press ALT + Tab)
Delete the following registry keys if they exist

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ShellExtensions \ Approved \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}

Close the Registry Editor
Restart your computer
Now open My Computer and Drive C, open the Windows directory, and then the System directory
Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Delete all files that look similar to the following, where * represents a letter or number

msg{********-****-****-****-************}****.dll

The known variants of Look2Me are associated with the following files:

msg{*.dll
msg116.dll
msg117.dll
msg118.dll
msg119.dll
msg120.dll
msg121.dll
msg122.dll

Open Internet Explorer
Click Tools, Internet Options
Click the Programs tab and then click Reset Web Settings to restore default settings for home page, search page, and other settings.
If Look2Me remains or popups from NicTechNetworks remain, then proceed with the following extra instructions

1) Download and run VX2.BetterInternet Finder which will search for files that are tied to Explorer and very tough to remove. These files usually are .dll files found in the Windows\System32 directory with backup files similar to *.cpy.dll

2) Write these files down for later removal

3) To remove these files, you'll need to boot into the Recovery Console. Reboot your computer with your Windows XP or 2000 cd now. If your computer does not boot from the CD-ROM disk, you'll have to change settings in your BIOS to do this to boot from the CD-ROM first.

During the loading of the Windows XP or Windows 2000 CD, you'll eventually be given the choice to load the "Recovery Console" by pressing R.

Next, Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password; if you don't know the password, try leaving it blank. Once logged into the Recovery Console, you'll be at a C:\WINDOWS> prompt.

If the system does not let you in because of a bad password or you can't access the recovery console from the CD-ROM, you'll have to use the alternate instructions below to access the Recovery Console.

4) At the C:\WINDOWS> prompt type CD SYSTEM32 and press Enter

5) At the C:\WINDOWS\SYSTEM32> prompt, use the DEL command to delete the files you wrote down previously.

Ex: DEL AYMPARSE.DLL and press Enter
DEL AYMPARSE.CPY.DLL and press Enter

6) After you have deleted the files, type EXIT and restart your computer in normal mode. Look2Me and the files that were previously unable to be deleted should be removed.


--------------------------------------------------------------------------------

FIX FOR BAD OR UNKNOWN ADMINISTRATOR PASSWORD

1) In Windows, click on Start, Run, and Type REGEDIT
2) Click on the plus signs (+) next to the following keys

HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS NT
CURRENTVERSION
SETUP
RECOVERY CONSOLE
3) Double-click on the option SECURITYLEVEL in the right-hand column and change the Value Data number to 1 then press OK

4) Restart the computer in Recovery Console mode using the Windows XP or Windows 2000 CD or by the option below.


--------------------------------------------------------------------------------

ALTERNATE ACCESS TO RECOVERY CONSOLE

If you have Internet access still, place your Windows XP or Windows 2000 CD in the Drive and cancel out of any autostart menus.
1) Log onto the Internet
2) Click on the Start button
3) Click on Run
4) Type the following in the RUN line and Press Enter

D:\I386\WINNT32.EXE /CMDCONS

Make sure you use your CD Drive letter in place of the letter D above

5) The computer will start to install the Recovery Console and add it as a boot option.
6) Once installed, you'll be able to restart your computer and press F8 to start the Boot Menu. Press the ESC key and you should have the following option available to choose

MICROSOFT WINDOWS RECOVERY CONSOLE

7) Choose your Windows Installation, usually by pressing 1 and pressing Enter.

You'll have to enter the Administrator password, or you'll be logged in automatically if you used the option shown above.


--------------------------------------------------------------------------------

For Automatic Removal of Look2Me (option 1)

Download and run the program Killbox created by Option^Explicit Software Solutions.
or
Download and run the program Kill2Me from Merijn.

For Automatic Removal of Look2Me (option 2)

Download the following Visual Basic script provided by Mosaic1, a member of Spywareinfo, and save it to c:\removel2me.vbs

Look2Me Removal Program

This is a Visual Basic Scripting file, so you'll have to have the Windows Scripting Host installed. You can download the following file to disable or reenable the Windows Scripting Host.

noscript.exe

Now open the Windows Task Manager

On Windows 95/98/ME, Press CTRL+ALT+DEL
On Windows NT/2000/XP, Press CTRL+ALT+DEL, Select the Task Manager if needed, and click on the Processes tab

In the list of programs, click on EXPLORER.EXE and select End Task or End Process. Repeat this procedure until no explorer.exe process is running (The Start Menu, Task Bar, and System Tray will disappear)

Click the Applications tab, click the New Task Button, and type the path to the script you saved.

c:\removel2me.vbs

Click Ok

Click Shutdown on the Task Manager toolbar and scroll down to Restart your computer.
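The file-name patterns listed in the guide above (msg{...}....dll, msg116.dll through msg122.dll, and .dll files that have a *.cpy.dll backup) can be turned into a quick triage check over a directory listing. This is an added example, not part of the original post or the quoted guide; the function names and the sample listing are constructed for illustration, and a match is a candidate for review, not a verdict.

```python
import re
from pathlib import Path

# Patterns taken from the guide; "*" there means one letter or digit.
# msg{********-****-****-****-************}****.dll
GUID_DLL = re.compile(
    r"^msg\{[0-9a-z]{8}(?:-[0-9a-z]{4}){3}-[0-9a-z]{12}\}[0-9a-z]{4}\.dll$")
# msg116.dll through msg122.dll
NUMBERED_DLL = re.compile(r"^msg(?:11[6-9]|12[0-2])\.dll$")
# The looser "msg{*.dll" entry in the guide's variant list
LOOSE_DLL = re.compile(r"^msg\{.*\.dll$")
CPY_SUFFIX = ".cpy.dll"

# Constructed sample listing (not taken from a real system).
SAMPLE = [
    "kernel32.dll", "msg118.dll", "msg123.dll", "msgsvc.dll",
    "msg{1A2B3C4D-0000-1111-2222-ABCDEF012345}ab12.dll",
    "AYMPARSE.DLL", "AYMPARSE.CPY.DLL", "shell32.dll",
]


def classify(names):
    """Map each matching file name to the reason it was flagged."""
    by_lower = {n.lower(): n for n in names}  # Windows names ignore case
    hits = {}
    for low, name in by_lower.items():
        if GUID_DLL.match(low):
            hits[name] = "msg{GUID}xxxx.dll pattern"
        elif NUMBERED_DLL.match(low):
            hits[name] = "numbered variant msg116-msg122"
        elif LOOSE_DLL.match(low):
            hits[name] = "loose msg{*.dll pattern"
        elif low.endswith(CPY_SUFFIX):
            hits[name] = "*.cpy.dll backup copy"
            # The DLL the backup belongs to is flagged as well.
            twin = by_lower.get(low[: -len(CPY_SUFFIX)] + ".dll")
            if twin is not None:
                hits.setdefault(twin, "has backup copy " + name)
    return hits


def scan_dir(directory):
    """Classify the regular files directly inside `directory`."""
    return classify([p.name for p in Path(directory).iterdir() if p.is_file()])


if __name__ == "__main__":
    for fname, reason in sorted(classify(SAMPLE).items()):
        print(f"{fname}: {reason}")
```

Point `scan_dir` at a copy or offline mount of the system directory, and write down the flagged names for the Recovery Console step rather than deleting anything automatically.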