Computer Elvis - The King of PCs

Getting Rid of VX, VX2, VX2.BetterInternet, ABetterInternet, Look2Me, and related variants.


Well, boys and girls, if you've found this page, you've probably gotten one of those nasty bugs listed above. Here's how to get them off your system.

First of all, these nasty parasites are produced by a sc*mbag company called Nictech Networks and distributed by another sc*mbag company called Look2me. Perhaps you would like to file a suit against the company in small claims court for the cost value of your time in getting rid of their undesired, unrequested installation of their profit-motivated seizing of your hard drive space and utilization of the bandwidth which you pay for. Just go down to your local courthouse and file a small claims suit for say... $500??? $1000??? $4999.99??? That'll send them a good message about how happy you are!

Anyway, getting rid of it... Here's how:

Basically, these bugs work by surreptitiously installing themselves on your hard drive as hidden system read-only files which install a registry entry hooking them to Explorer.exe. This causes them to be installed every time you start your computer. These s-bags then use that file to download other nasty bugs onto your machine and hide them in various places like the Windows\System directory and, on some machines, the Restore directory. These files are installed as hidden system read-only files.

New variants of this worm cause the file to re-install itself on every reboot by searching to see if its components are present and, if not, re-installing them with new randomly generated names. Nice guys, these s-bags, huh?


FINDING THE FILES:
You need to get a spyware program to find the file names you need to eliminate. Ad-aware 6 is good at finding spyware (here is a link), but due to the nature of the hidden read-only attributes and hook on re-start, it cannot get this bug off your machine. An even better program is ScanSpyware, which finds a lot more pests. It is definitely worth every penny of its $19.95 price. They do offer a free version which will find the bugs (here is a link), but then you'll have to write down the offenders. ScanSpyware, however, will not get this bug off your machine because of the previously mentioned file attributes. But Ad-Aware and ScanSpyware will get everything else off so that by process of elimination you will only be left with the hidden s-bag files when you re-run the spyware program after a re-boot.

CONFIRMING THE FILES:
Go to Windows Explorer and select Folder Options, View, and make sure you select "Show Hidden Files and Folders".

In Windows Explorer, you should find the bugs in the Windows\System folder. Make sure you write down the names and match them up with what your spyware program has turned up. It is REALLY IMPORTANT to note the details on when the files were installed.

Go up the Windows Explorer tree to the _Restore folder (if you have Windows Millennium or 98) and look to see if there are files with the extension .0 or .1, which are installed into the TEMP directory and used to re-hook your machine. You'll want to get rid of them too!
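
As an added example (not part of the original page), here is a Python script that triages a saved attribute listing for the two traits described above: files in Windows\System carrying the hidden, system and read-only attributes together, and .0/.1 files under _Restore. The listing format, every sample line other than the DfGSIG.DLL name, and the function names are constructed assumptions.

```python
import re
from ntpath import basename, dirname, splitext

# Constructed listing in the style of DOS "attrib" output (format assumed):
# attribute letters, a short-name column, then the full path.
SAMPLE_LISTING = r"""
  A          KERNEL32.DLL  C:\WINDOWS\SYSTEM\KERNEL32.DLL
  A  SHR     DFGSIG.DLL    C:\WINDOWS\SYSTEM\DFGSIG.DLL
     SHR     QXKLMW.DLL    C:\WINDOWS\SYSTEM\QXKLMW.DLL
  A   H      DESKTOP.INI   C:\WINDOWS\SYSTEM\DESKTOP.INI
  A          A0001234.0    C:\_RESTORE\TEMP\A0001234.0
  A  SHR     IO.SYS        C:\IO.SYS
"""

PATH_RE = re.compile(r"[A-Za-z]:\\")

def parse_line(line):
    """Return (attribute set, full path), or None if the line has no path."""
    m = PATH_RE.search(line)
    if not m:
        return None
    attrs = set()
    for token in line[:m.start()].split():
        if set(token) <= set("ASHR"):
            attrs |= set(token)
        else:
            break  # reached the short-name column
    return attrs, line[m.start():].strip()

def find_candidates(listing):
    """Flag files showing either trait; results are candidates, not verdicts."""
    hits = []
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        attrs, path = parsed
        folder = dirname(path).upper()
        if folder.endswith(r"\WINDOWS\SYSTEM") and {"S", "H", "R"} <= attrs:
            hits.append((path, "hidden+system+read-only in Windows\\System"))
        elif "_RESTORE" in folder and splitext(path)[1] in (".0", ".1"):
            hits.append((path, ".0/.1 file under _Restore"))
    return hits

def confirmed(hits, scanner_names):
    """Keep only candidates whose file name the spyware scanner also reported."""
    wanted = {n.upper() for n in scanner_names}
    return [p for p, _ in hits if basename(p).upper() in wanted]
```

Cross-checking with `confirmed()` mirrors the advice above to match the names against what the spyware program turned up before deleting anything.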

Now, having your list of files and their directory locations written down, shut down your machine.

Now, with the machine off, make sure you disconnect your machine from the internet if you have a broadband connection (DSL, cable, network, etc).

When you re-boot your machine, you will want to hit the appropriate key just as the machine comes on so that you can go into the BIOS SET-UP and adjust your start sequence. On start, you get a first momentary screen that usually says "To Enter Set-up Press DEL", or "To Enter Set-up Press F1" before the Windows screen comes on. Do it. Then on the appropriate configuration page, make sure that the first boot device is your floppy instead of your IDE (hard drive). Save that configuration.

Now boot from your Emergency Start-Up disk in the floppy (if you don't have one, then make it!). Start with or without CD-Rom support, but do not use the basic command prompt option because it may not load the necessary DOS files.

Now at the command prompt A:>
type: C:

Press ENTER

That brings you into the command prompt C:>

Now type: cd windows\system
Press ENTER

That centers you in the directory C:\windows\system

Your command prompt should look like this:

C:\WINDOWS\SYSTEM>

Okay???? Now, look at the list of bad files. The one which keeps coming back after repeated Ad-aware and ScanSpyware runs is going to be something like "DfGSIG.DLL", so what we want to do is change the attributes in order to be able to delete it. (Since Microsoft has rigged it so hidden read-only system files cannot be deleted.)

So type: attrib DfGSIG.DLL -s -h -r
Press Enter

That will remove the system file attribute (-s), the hidden file attribute (-h), and the read-only file attribute (-r).

Now type: del DfGSIG.DLL
Press ENTER

BINGO! It's gone!

Now repeat the routine for all the offenders and the bug is squashed.

Now that you are a smarter computer operator, you might want to get TuneUp Toolkit 2004 and run a registry clean-up, because if this bug has been on your machine, it could have installed other registry entries not picked up by the spyware programs. Take a free download and run it. Here's a link to get it.

********************* UPDATE OF JUNE 23, 2004************

News comes today of another variant of this pest which surreptitiously replaces the file MSXML3A.DLL (normally 24Kb) with its own version which is 24.5Kb. After you remove the hidden system files, you may find that Internet Explorer will not be able to connect to the internet.

Try repairing the Internet Explorer by going to the Control Panel, and then selecting Add/Remove Programs, select Internet Explorer and when you click on the Add/Remove button you'll get a window offering to "REPAIR" the program. When you try it, you might get the notice that the program can't be repaired and the "Details" reveal a problem with MSXML3A.DLL. This recent "screw-you" has been linked to the Look2Me website. May their flesh sear in the raging inferno of Hell!!!

Try to replace the file:

Go to Windows Explorer and you'll find the file in the Windows\System directory. Right-click on the file to show the "Properties" and under Version it will say "Dagbuild" or some other non-Microsoft drivel. You'll have to get out of Windows and back to a DOS prompt to be able to delete the file. Replace it with a clean version from your Internet Explorer installation disc and then run the Repair program again. You can also do a re-install on Internet Explorer without much bother.

HOWEVER - This new version may also corrupt the Winsock files, damaging the registry entries as it rips into the registry to insert itself and impose the redirects to the scum sites. If that happens, you still will not be able to connect to the internet. If you're on a local network, you'll be able to access other machines locally, but internet will be interNOT. It will be frustrating, but it is relatively easy to correct.

Here's how to fix that:

Step 1: Delete the corrupted registry keys Winsock and Winsock2

Click Start, and then click Run.
In the Open box, type regedit, and then click OK.
In Registry Editor, locate the following keys, right-click each key, and then click Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

When you are prompted to confirm the deletion, click Yes.

Note: Restart the computer after you delete the Winsock keys. Doing so causes Windows to create new shell entries for those two keys.

If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.

Step 2: Repair the TCP/IP configuration

Go to the Control Panel and open "Network"
Scroll down to TCP/IP and carefully note the names. If you are connecting through a dial-up, Fast Ethernet, LAN, or DSL connection, delete it by choosing "Remove".
Then click on "ADD", choose "Protocol" and select "TCP/IP" as the choice.
Click Install. If necessary, choose the same TCP/IP connection as you have before, which you would have carefully noted. Then click OK. This will re-install the same old files, but now re-configure them to your newly registered and uncorrupted Winsock entries.
Restart the computer.
It SHOULD work now.

Now don't you just love those spyware bastards?

******************************************************

 

If Computer Elvis has been helpful to you, you could show your appreciation by sending a donation.

Five dollars would be nice, since Computer Elvis has just saved you a whole lotta hassle.

Computer Elvis has been nice to you. So you should be nice to Computer Elvis.

Computer Elvis could have been selfish and kept this to himself, but he wanted to help you in a crisis.

Why not show your gratitude and buy Computer Elvis a drink to say "Thanks!"

 
