Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Look2Me

Updated: February 13, 2007
Risk Impact: High
File Names: VT09.exe, VT09_Installer.exe, ffInst.exe
Systems Affected: Windows

Behavior


Adware.Look2Me:
  • Is an adware program that displays advertisements in your Web browser.
  • Downloads and executes its components and updates.
  • Makes many changes to the registry.


Symptoms


The files are detected as Adware.Look2Me.

Behavior


This adware component must be manually installed or installed as a component of another program that you install.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version July 18, 2017 revision 006
  • Initial Daily Certified version April 20, 2004 revision 002
  • Latest Daily Certified version July 18, 2017 revision 007
  • Initial Weekly Certified release date April 20, 2004

As of this writing, Symantec Security Response has received a submission of a .dll file that is one component of Adware.Look2Me. The file name appears to be random and may vary. We have not received a submission of the file that actually installs this .dll file.

If this .dll file is executed, it may install itself as a Browser Helper Object (BHO), or it may directly install itself. The CLSID key in the registry, which the BHO adds, will vary but it will always begin with {DDFFA75A-.

The adware component performs some or all of the following actions:
  1. Creates the following files:

    • %System%\[RANDOM NAME].dll

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds one or more of the following registry keys and values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"ID"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\"Idex"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"[CLSID VALUE]"
  3. May add the values:

    "(Default)" = ""
    "IDEX" = "AD"
    "InProcServer32\(Default)" = "[PATH TO %System%\[RANDOM NAME].DLL]"
    "InProcServer32\ThreadingModel" = "Apartment"


    to the registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[RANDOM CLSID KEY]

  4. May add the values:

    "Asynchronous" = "0"
    "DllName" = "[PATH TO %System%\[RANDOM NAME].DLL]"
    "Impersonate" = "0"
    "Logoff" = "WinLogoff"
    "Logon" = "WinLogon"
    "Shutdown" = "WinShutdown"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run

    so that it runs every time Windows starts.

  5. Uses HTTP or FTP to download executables from a Web site, and then runs them.

    Note: These could be updates or components of other adware.

  6. Opens advertisements in Internet Explorer.

  7. May change the Internet Explorer home page by modifying the value of the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

  8. Deletes the following registry key; deleting it prevents BHOs from running:

    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  9. May monitor user Web site traffic and send this information to www.look2me.com.

  10. May create a Web page locally and make that page the default search page.
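
An added example (not Symantec's code) for triaging the registry changes listed above: it parses a `.reg` export and flags the Winlogon Notify entries, the `{DDFFA75A-` CLSID prefix and the Approved shell-extension value that the write-up names. The function names, the sample export and the zero-filled CLSID tail are constructed for illustration.

```python
import re

# Indicators below come from the write-up; function names and SAMPLE are constructed.
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
CLSID_RE = re.compile(r"\{DDFFA75A-[^\\}]*\}", re.I)
HANDLERS = {"Logon": "WinLogon", "Logoff": "WinLogoff", "Shutdown": "WinShutdown"}

def parse_reg(text):
    """Parse .reg export text into {key path: {value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return (rule, key path, detail): Notify packages with ID/Idex or the listed handlers, prefixed CLSIDs."""
    hits = []
    for path, values in keys.items():
        low = path.lower()
        if low.startswith(NOTIFY.lower()):
            marked = {n.lower() for n in values} & {"id", "idex"}
            if marked or all(values.get(k) == v for k, v in HANDLERS.items()):
                hits.append(("winlogon-notify", path, values.get("DllName", "")))
        elif CLSID_RE.search(path):
            hits.append(("clsid-prefix", path, values.get("(Default)", "")))
        elif low.endswith("\\shell extensions\\approved"):
            hits += [("approved-clsid", path, n) for n in values if CLSID_RE.match(n)]
    return hits

# Constructed sample export (not from a real host); the CLSID tail is a placeholder.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"DllName"="C:\\WINDOWS\\system32\\example1.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-0000-0000-0000-000000000000}\InProcServer32]
@="C:\\WINDOWS\\system32\\example1.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DDFFA75A-0000-0000-0000-000000000000}"=""
"""

print(*find_indicators(parse_reg(SAMPLE)), sep="\n")
```

The DLL path reported for the Notify and CLSID hits is the file to hand to the scanner; the clean `crypt32chain` package is not flagged.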



Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.
  1. Update the definitions.
  2. Restart the computer in Safe mode.
  3. Run a full system scan and delete all the files detected as Adware.Look2Me.
  4. Reset the Internet Explorer home page.
  5. Reset the Internet Explorer search page.
For specific details on each of these steps, read the following instructions.
    1. To update the definitions
    To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

    2. To restart the computer in Safe mode
    Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode."

    3. To scan for and delete the files
    1. Start your Symantec antivirus program, and then run a full system scan.
    2. If any files are detected as Adware.Look2Me, click Delete.

      Note: If your Symantec antivirus product reports that it cannot delete a detected file, note the path and file name. Then use Windows Explorer to locate and delete the file.

    4. To reset the Internet Explorer home page
    1. Start Microsoft Internet Explorer.
    2. Connect to the Internet, and then go to the page that you want to set as your home page.
    3. Click the Tools menu > Internet Options.
    4. In the Home page section of the General tab, click Use Current, and then click OK.

    For additional information, or if this procedure does not work, read the Microsoft® Knowledge Base article, "Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page Setting, Article ID 320159."

      5. To reset the Internet Explorer Search page
      Follow the instructions for your version of Windows.

      Windows 98/Me/2000
      1. Start Microsoft Internet Explorer.
      2. Click the Search button on the toolbar.
      3. In the Search pane, click Customize.
      4. Click Reset.
      5. Click Autosearch Settings.
      6. Select a search site from the drop-down list, and then click OK.
      7. Click OK.

      Windows XP
      Because Windows XP is set by default to use animated characters in the search, how you perform this procedure can vary. Read all the instructions before you start.
      1. Start Microsoft Internet Explorer.
      2. Click the Search button on the toolbar.
      3. Do one of the following:
        • If the pane that opens looks similar to this picture:

          [picture not available]

          click the word Customize. Then skip to step 8.

        • If the pane that opens has the words "Search Companion" at the top, and the center looks similar to this picture:

          [picture not available]

          click the "Change preferences" link as shown above. Proceed with step 4.

      4. Click the "Change Internet search behavior" link.
      5. Under "Internet Search Behavior," click "With Classic Internet Search."
      6. Click OK. Then close Internet Explorer. (Close the program for the change to take effect.)
      7. Start Internet Explorer. When the search pane opens, it should now look similar to this:

        [picture not available]

        Click the word Customize, and then proceed with the next step.

      8. In the Search pane, click Customize.
      9. Click Reset.
      10. Click Autosearch Settings.
      11. Select a search site from the drop-down list, and then click OK.
      12. Click OK.
      13. Do one of the following:
        • If you were using (or want to continue using) the "Classic Internet Search" panel, stop here (or proceed with the next section).
        • If you want to go back to the "Search Companion" search (it usually has an animated character at the bottom), proceed with step 14.

      14. Click the word Customize again.
      15. In the "Customize Search Settings" window, click "Use Search Companion," and then click OK.
      16. Close Internet Explorer. The next time you open it, it will again use the Search Companion.