Infernal spyware redux

My home PC running Windows 2000 is finally free of Look2Me spyware.
It’s very aggressive at staying alive.
It creates an ever-changing series of DLL files.
Removing or changing its registry entries causes it to immediately rewrite them.

As I noted last week, my first symptom was unwanted outgoing connections “phone home” connections caught by ZoneAlarm, resulting in eventual loss of TCP connectivity within about 20 minutes.

The tools at sysinternals
were very helpful in seeing exactly what was going on, specificly the process monitor, registry monitor, and network connection monitor.

The removal instructions that finally worked were found at at the bottom of
Removal required VX2Finder, regedit/regedt32 (significant key has name along the lines of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian*), and Windows Safe Mode.
Once you search for the right things it looks like there are a few ways to skin this cat.

I know, I’ve been “rooted” on a weak platform, and I should stop whining and do something about being less vulnerable.

The purveyors of this are as criminal as the virus-releasers. Their damage is diffuse so they are under the radar for now.

The fact that the present solution to this is cottage-industry homegrown hacks surprises me; I’d think that the anti-virus industry would be on this. It’s evidence that they’re running further behind than ever before.

Along the way I ran across the funny remark by Rob Leathern (one of the comments attached to
a John Battelle article:

Looking at the top downloads at is always interesting – typically two-thirds are adware/spyware-bundling music/video download programs, the other third are spyware removers.

I think the proportions are reversed now.

Leave a Reply