Title: Look2Me Adware
Type: Adware

Remove Look2Me Adware. Removal instructions


 
Severity scale: Look2Me Adware severity is 62 (62 / 100)
 
Look2Me is a dangerous adware parasite that serves unwanted commercial advertisements and changes Internet Explorer's default home and search pages. It secretly downloads and installs its own updates, other adware and spyware, and unsolicited programs from the Internet. It also tracks the user's Internet activity and sends the gathered data to a predetermined web server. Look2Me may disable all installed Internet Explorer plugins. The parasite runs automatically on every Windows startup.

Look2Me Adware properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Hides from the user
• Stays resident in background

Automatic Look2Me Adware removal:

SpyHunter is the recommended remover for uninstalling Look2Me Adware. Use the free trial to confirm that it detects the current version of the parasite.

Note: "Manual assistance required" means that one or all of the removers were unable to remove the parasite without some manual intervention; please read the manual removal instructions below.

If you failed to remove Look2Me Adware using SpyHunter, please report this to us.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use.
STOPzilla
We are testing STOPzilla's efficiency at removing Look2Me Adware (2005-09-29 17:48:53)
Malwarebytes Anti Malware
We are testing Malwarebytes Anti Malware's efficiency at removing Look2Me Adware (2005-09-29 17:48:53)
Spyware Doctor
We are testing Spyware Doctor's efficiency at removing Look2Me Adware (2005-09-29 17:48:53)
XoftSpySE Anti Spyware

Look2Me Adware manual removal:

Kill processes:
vt09.exe
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Asynchronous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\DllName=[filename]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Impersonate=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logoff=WinLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logon=WinLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Shutdown=WinShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\ID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\Idex
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
Delete files:
vt09.exe
Misc:
Look2Me uses numerous randomly named files and registry entries.

Most Look2Me files can be found in the default system directory, which is one of the following: C:\Windows\System, C:\Windows\System32, C:\Winnt\System32.
Information added: 2004-03-19 10:00:00
Information updated: 2005-09-29 15:11:38
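
Because the Notify subkey and DLL names are random, a fixed list of names goes stale quickly. The following added example (not part of the original page or of any tool it mentions) compares a `reg export` of the Winlogon\Notify key from the suspect machine against one from a known-clean machine and reports every notification package that is new or whose DllName changed. Both exports are constructed samples; the baseline package names and the `EXAMPLE.dll` file name are assumptions, and real exports must be decoded to text first.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def parse_notify(reg_text):
    """Return {subkey: {value name: data}} for keys directly under the Notify key."""
    prefix = NOTIFY.lower() + "\\"
    packages, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            sub = key[len(prefix):]
            # Only direct children of Notify are notification packages.
            if key.lower().startswith(prefix) and sub and "\\" not in sub:
                current = packages.setdefault(sub, {})
            else:
                current = None
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                name, data = m.groups()
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    # REG_SZ: strip quotes and undo the .reg backslash escaping.
                    data = data[1:-1].replace("\\\\", "\\")
                current[name] = data  # other types (dword:, hex:) are kept raw
    return packages


def notify_changes(clean_text, suspect_text):
    """List (subkey, DllName, reason) for packages absent from or altered vs. the baseline."""
    baseline = {k.lower(): v for k, v in parse_notify(clean_text).items()}
    findings = []
    for name, values in sorted(parse_notify(suspect_text).items()):
        dll = values.get("DllName", "")
        known = baseline.get(name.lower())
        if known is None:
            findings.append((name, dll, "subkey not in baseline"))
        elif dll.lower() != known.get("DllName", "").lower():
            findings.append((name, dll, "DllName differs from baseline"))
    return findings


# Constructed baseline export (assumed package names; take the real one from a clean machine).
CLEAN_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"="wlnotify.dll"
"""

# Constructed suspect export: the baseline plus the Run and Guardian subkeys listed above.
SUSPECT_EXPORT = CLEAN_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\EXAMPLE.dll"
"Impersonate"=dword:00000000
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"ID"="placeholder"
"""

if __name__ == "__main__":
    for subkey, dll, reason in notify_changes(CLEAN_EXPORT, SUSPECT_EXPORT):
        print(f"{subkey:12} {dll or '(no DllName)':40} {reason}")
```

The DllName reported for a new subkey is the file to locate in the system directory before the key is deleted.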

0
0
BC
You can reach the Look2Me.com people (same as NicTechNetworks.com) at (952) 432-7749. Be sure to let them know how much you "appreciate" their trash. Ask for Tim Nichols. These guys are jerks.
0
0
xpanmanx
Just found a new piece of adware from these scumbags. Because it loaded a DLL that protected itself quite handily, I actually had to remove the HDD from the computer to delete the files. The file was AD3API.DLL.
0
0
zack
more files from look2me - agtiveds.cpy.dll and msg121.cpy.dll
Follow the registry instructions above and delete these files.
0
0
pissed
I'd like to kick that Tim Nichols dude in the head!
0
0
Angry
These files should be classified as a malicious virus and persecuted by the law as such! What law enforcement agency should we report these destructive thieves to?!!!
0
0
Mr Smith
I'm infected by that look2me virus. It is in a file that I can't delete: "6no4svc.cpy.dll" even when I close the explorer process... plz help.... These keys are not in the regedit. How do I kill this look2me bastard???
0
0
bigdoglv
Phone shut off. No contact with these criminals. Does anyone know which spyware program will get rid of this trash?
0
0
Argggh
Look2Me has these 2 new files also: mqprint.dll and mqprint.cpy.dll. It took me a week to get rid of this bugger and I finally used the Kill2Me program and it fixed everything! This thing completely took over my computer... NicTechNetworks should be banned from internet access!!!!
0
0
NiCoTiNe
DAMNIT!! I still can't get rid of this aosnt.cpy.dll and aosnt.dll, tried going through the XP recovery console... but they didn't exist ?!? wtf and nothing yet can remove the friggen things!!
0
0
thomas
they are fucking cunts im gunna root them and launch ddos attack from there pcs
0
0
kaeli
Here's how I fixed this on my XP machine:

Used Ad-Aware to clean as much as it could, which was all but these two files:
c:\windows\system32\6no4svc.cpy.dll
c:\windows\system32\6no4svc.dll

Then I rebooted, cleared my IE cache and history and emptied my recycle bin.

Then I downloaded a utility called "MoveOnBoot" from: http://www.gibinsoft.net/gipoutils/fileutil/index.htm
Look down at the bottom for the MoveOnBoot freeware version:
GiPo@MoveOnBoot 1.9.5 (English), EXE-setup (644 Kb)

And used this utility to remove both files. I rebooted, cleared my cache and history and recycle bin again, and then reran Ad-Aware and it's gone!

Cheers,
~K
0
0
Waves
From the looks of this board, these slims have started a whole new trick with two randomly named files (both the same name), with one ending .dll and the other .cpy.dll.
Registry keys vary very widely as well.
A program called VX2Finder.exe will locate the files and their keys just fine.
I downloaded it from:
http://www.pchell.com/support/look2me.shtml
even if the rest of their instructions are too old to work now.
I'm going to try 'kaeli's idea in a few minutes.
0
0
ZSport292
Bastard made an add.cpy.dll its hard to get rid of... can we sue
0
0
John
I download an uninstaller from their site to get rid of it: www.look2me.com/cgi-bin/UnInstaller
0
0
J
The "uninstaller" is bullsh*t. It just d/l's the latest version and renames its dll's/relocates its reg keys.

I have yet to successfully remove this POS. I consider it a trojan as it executes code and programs independent of the will of the user. I've been advising my clients (who've paid dearly for its removal) to pursue legal action.

Ad-aware, Spybot and McAfee are able to ID the software (McAfee spots it when it tries to launch a popup ad) but none have been able to eradicate it completely. Disabling "System Restore" in XP before running the above software seems to have helped to some degree as Spybot and AA no longer spot the offending reg keys, but McAfee still catches the popups. It claims to move/clean the virus each time, but I still get popups.

Does anyone know where this came from? Kazaa spyware bundle?


PS - Look2me sucks balls.
0
0
i hate spyware
NicTech Networks, Inc.
General Information
Contact: Timothy Nichols
Phone: 612-720-4674
Email: tim@nictechnetworks.com

http://quickstart.clari.net/qs_se/webnews/wed/bl/Bprofile_mn-nictech.RzY7_DSC.html
I did a reverse look up by address & found this phone number-
(952) 997-6502

So what if the number was disconnected. Here's another.
0
0
ZSport292
Alrite guys, I got rid of mine and this is how I did it....
I closed explorer.exe and the rundel stuff... then I went in and deleted all the reg keys for the program, and then I was able to delete the .cpy of the bad dll. Then I restarted my comp and could delete the other dll. Hope it works for you.
0
0
robin
Even after doing all the uninstalls (couldn't find any msg***.dlls or those registry values), Sygate Firewall detected Rundll32.exe connecting to look2me using various dlls on first run of IE, with rundll32 running. In the system32 folder - sorted by modification date - there were several new a****eds.dlls all 309Kb in size, but only aativeds.dll was in the dllcache. Deleting them didn't hurt, I left aativeds alone. Trouble is, it'll probably reload next reboot. But where from?
0
0
Amy
This virus is such a pain in the butt to remove. I can't even delete the registry value {DDFFA75A-E81D-4454-89FC-B9FD0631E726}. It keeps reinstalling itself (Yes, I ended explorer.exe). The website for the uninstaller won't let me on, stating that my IP has already accessed the site twice (I have never, to my knowledge, been on their website). It was detected by Bazooka Spyware Scanner (which is a nice program but you have to delete everything manually). I am so frustrated. Timothy Nichols and anyone else associated with this program now have a reserved place in hell.
0
0
Robin
Hey zsport, could you be a bit more er...exact?
0
0
Amy
I got rid of it! (Well, from what I can see) I was having trouble deleting the msg118.dll and the reg file. Every time I tried to delete the msg118 file I was told "Access Denied," so I know that meant the file was using one of the running processes. I tried ending explorer.exe but that did no good, the reg value kept reinstalling itself and I think I tried every program known to man to get rid of msg118. It turns out that the msg118 and the reg value {DDFFA75A-E81D-4454-89FC-B9FD0631E726} were using the process winlogon.exe. When I ended the process I was able to delete both files and they haven't reinstalled themselves. Now if you try and end winlogon.exe, the task manager will tell you that it is a critical process and will not be ended. To terminate the process I used a program called TuneUp Utilities 2004, which you can download at download.com, just type TuneUp in search box and it will come up. When you get to the menu for the program, click on Administer Control. Then go to TuneUp Process Manager. It will then show you a list of all your running processes and you can end winlogon.exe. The TuneUp program is also useful because it allows you to see what files the processes are using, which is how I figured out where that evil msg118 file was running from (at the top of the process manager window there should be three tabs, Process, Open Files and Performance; go to Open Files). Did anyone else have this problem? If so, I hope I helped!
0
0
ZSport292
Here is a url with more detailed instructions on how to get rid of this pest... it's not exactly how I did it but works all the same.
http://computercops.biz/postt31253.html
It's about half way down the page, and just use it for your .dll. Good luck.
0
0
robin
Thanks,dude! That seems to have done it! :)

Before, the only way to stop it per WinXP session was to close RUNDLL32 with Taskkiller and delete the 309 Kb a****s.dll in /SYSTEM32. Had none of the msg***.dlls or DDFF reg entries at all..?

Will be sending NicTech some 5Mb emails now...
0
0
Ken
This is a clear invasion of privacy. I was able to delete previous look2me versions (msg118, msg121) in XP by going to recovery on bootup, then to Windows (3rd choice), and finally use DOS prompts. However, with their newer junk, it doesn't work. I can temporarily kill them by ending the rundll32 process and then deleting them in Ad-Aware, but when I re-boot, it's back and usually with a different name. I wonder how this Nichols guy would like it if I installed a hidden camera in his house to spy on him? I guess he never learned "Do unto others as you would have them do unto you."
0
0
Cheng
I think I got a new version of look2me on my PC. I found activeds.dll in my system directory (win2k). Now the problem is, somehow this junk managed to have many more services other than winlogon running it, such as services.exe and lsass.exe. And in the registry there is no guardian under winlogon->notify, so I guess it must have changed the name of the process. Has anybody had the same problem and knows how to identify the morphed guardian?
0
0
Pissed!
This stupid look2me crap is eating up all my resources, and I have to reboot like every 10 minutes. This is ridiculous. I hope Tim Nichols burns in hell!
0
0
Derek Small
I still haven't gotten rid of this bastard POS, look2me, but here is a quick and dirty way to defeat it. Edit your hosts file and add the following line
127.0.0.1 www.look2me.com
it doesn't get rid of it, but at least when the pop-up launches it doesn't do anything.
DIE TIM NICHOLS YOU FUCKING BASTARD!!!!
0
0
anonymous
If anyone lives in Minneapolis, stop by and pay this fucker a visit!

Corp Headquarters
14551 Europa Way
Apple Valley, Minnesota 55124

Private Residence
Tim Nichols
(952) 884-5664 - 9149
Colfax Ave S, Minneapolis, MN 55420
0
0
Rick
This outfit is hosted by Rackspace. I have written to them to complain about the scum they do business with. If they get enough complaints, maybe they would drop these people, although I know they will just go somewhere else. Write to abuse@rackspace.com
0
0
Hunch
Look2Me hosts at Rackspace. So does one of my clients that got this nasty stuff. I would be interested in knowing if anyone else who got it either hosts at Rackspace or visits sites hosted at Rackspace. I ask this because I fear Rackspace may have an internal issue that allowed these nuts to spread this via other sites.
0
0
Gabriel
I got the latest variant of this Look2Me spyware and I couldn't get rid of it.
I finally found out how the damned thing worked and got removal instructions which absolutely cleaned my system. The cleansing routine is here:
http://www.computerelvis.com/SquashingBugs.htm
0
0
Rob K
Look2Me is using up all my machine's resources and I have to restart every 15 minutes cause I am warned via a pop-up that "The system is dangerously low in resources!" This is wasting great amounts of my time and many other people's.

If anybody is in the area would they PLEASE deliver a severe beating to this FUCKWAD, here is the address again:

Corp Headquarters
14551 Europa Way
Apple Valley, Minnesota 55124

Private Residence
Tim Nichols
(952) 884-5664 - 9149
Colfax Ave S, Minneapolis, MN 55420
0
0
Nathan
In my efforts to remove Look2Me I have found a hidden dll in the WINNT/System32 directory. The dll name is the same as the dll name listed in the Guardian section of the Registry. Each time I reboot my W2K operating system, Look2Me renames the visible dll. The dll always starts with the number 3. For example it has appeared as 3FR.dll, 3ORABGR.dll, and 3YR,dkk. The hidden dll is named 3GR655.dll. The size of both dlls is 316,776 bytes. Norton and Ad-Aware both identify the visible dll as Look2Me. When I try to scan the hidden file, I receive an error message from Norton that it does not have permission to scan the file. Hopefully this information will be helpful in finding a way to remove this pest.
0
0
Relieved
FINALLY got relief from this scourge by using Ad-Aware 6 Plus, then Kill2Me, then the AdAware again to get a couple of crapola things out of the registry. Thanks to those on this board who recommended Kill2Me! Tim Nichols -- and believe me, I don't use language like this at ALL -- Tim Nichols should eat shit and die. And Norton should start defining this damned Look2Me thing as malware, if not a virus. Grrrrrr. Anyway, looks like Kill2Me and Adaware together worked for me.
0
0
Jay G
I have been working on a Win2k system for hours trying to remove look2me. I have been trying all sorts of tools and every time I clean the system then run NAV2004 it finds a new *.dll file related to look2me.
Why is this not classified as a virus, the people behind shit like this need to be prosecuted! I still have not been able to clean this, I do know that when I find these new dll files I have to end the rundll32 process first.
0
0
Stupid NicCrap
This program has totally screwed up my computer. It begins loading pop-ups until everything I am doing crashes. It should be illegal to force this kind of software on the public.
0
0
Bob
Did I miss something here? After trying various "fixes", to include fooling w/ the registry and recommended utilities, I located this address that appears to have solved the Look2me, zestyfind, and spotresults browser hijackings. http://www.look2me.com/cgi-bin/UnInstaller
Maybe all the hatemail got to em. I know I was ready to hop a flight.
0
0
Eddie
Well i called, and (952) 884-5664 .. some lady answered, and she said that her husband had nothing to do with this, and said she's been getting phone calls for years about this.. she said she and her husband have nothing to do with this.. anyways.. i'm getting really fucking pissed that i can't get rid of this look2me thing, i'm about to jump in my truck and pay him a visit with my paintball gun... this is getting way out of hand, i have tried EVERYTHING.. i have nothing in my registry, when i try to use Kill2Me, it says it doesn't find a trace, and when i execute it.. it does what it's supposed to, but when explorer comes back, it opens up my documents again, just like before when you'd try to delete it, if anyone has any solutions.. please let me know.. btw the lady who answered the phone, sounded to be 80 years old, and started crying when i called... lol what the fuck ever.. she and her husband are going DOWN.
0
0
Bill
After trying just about every solution offered on the web, I still haven't gotten rid of it. I've repeatedly run Ad-aware, Spybot and NAV, but find that I can never delete the files they find, even in Safe mode. I tried Kill2Me, but it says that Look2Me is not on my machine. I can't use the boot to DOS solutions because I'm on XP. I can't even download the so-called uninstaller because I get some security access message, not that it would work anyway. I seem to have gotten rid of (or never had) the registry entries and don't have the msg*.dll files. My problem seems to be with 6*mo4svc.dll files in Windows\System32 but I can't delete them because they are in use by winlogon.exe, which can't be terminated, even with Tuneup Utilities 2004. I've tried deleting them on the next boot with MoveOnBoot, but it either isn't successful or they are getting regenerated. I downloaded the trial PestPatrol, but it didn't even detect Look2Me on my machine. I just e-mailed NicTech trying to get a removal solution, but I'm sure that was just a waste of time. Dell suggests I reformat and reload, but that's not one of my favorite things to do.

If anybody has any further suggestions or possible solutions, I'd be glad to hear them.
0
0
Bill
I seem to have gotten rid of it using their uninstaller at http://www.look2me.com/cgi-bin/UnInstaller. I had to first go into Internet Properties, Security tab, Custom button and enable all options that referred to ActiveX in order to download the uninstaller. Once you run it and key in the key they furnish you, you have to connect to the internet for it to complete. I considered that this might just be a way for them to do more damage, but was ready at this point to take the chance. After their uninstaller ran I ran NAV again and it found the same files as before (AAAAMON.dll and 6*o4svc.dll), but this time NAV was able to delete them.
0
0
Guest
Nice little program/trojan they have going for them. From what I can see from Sygate's logs it also tries to connect to www.look2me0.com (64.74.134.64) and when doing a traceroute from my linux box it dead-ends at (you'll love this one) Newdotnet. Interesting no doubt. The other little fact that I find interesting is that all of these addresses have the same MAC address (00-20-E0-04-45-C6). Just wanted to add that nugget of information to the pile.
0
0
RobMM
I finally got rid of the nasty buggers and thought I would add my two cents, 3 days later and a lot of nasty things to say about that company.

In the end, the 6*04svc.dll are the key as mentioned above. However, I had to clean up a lot before doing that final step. Use Hijack to clean out the browser crap and search hijacks, toolbars etc.

I also used Spybot to clean as well.

Finally I used DOS command to find the hidden files.
1. In DOS, navigate to C:\Windows\System
2. Type "dir /A:H" and hit Enter
3. Look for suspicious hidden files, all of the same size. I found lots with 320KB size. Not only 6* ones as mentioned but also adm.dll and a few others.

After finding them, I returned back to the OS search and deleted most from there. ( once I found the exact date I was infected. I did a complete sweep of the drive for that date and size. ).

I was able to delete all BUT two ( the active 6* and the adm.dll ) .

I got ZONEALARMS trial and stopped winlogon.exe and rundll32.exe to stop connecting to the internet . ZONE prompted and I blocked it.. CRITICAL STEP.

Once that was done I got MOVEONBOOT program to delete the two files about ( ADM.dll and 6*.dll ) that I could not delete since they were tried in too deep. A few reboots later ( MOVEONBOOT only does one at a time and a manual delete of adm.dll ) and I was done..

Hope that helps anyone who gets in the problem.

I have been clear for 12 hours :) and very happy.
0
0
RobMM
I forgot to mention: in the middle, once the host file ( DRIVERS/ETC ) is restored, make sure it's WRITE protected and add many of the offending sites into that file so even if you have popups for a while, it will not try to connect.

127.0.0.1 registration.iwon.com
127.0.0.1 sa.windows.com
127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.zestyfind.com
127.0.0.1 www.lowrateadvisors.com
127.0.0.1 66.102.131.19
127.0.0.1 webpdp.balance.gator.com
127.0.0.1 targetnet.com
127.0.0.1 *.targetnet.com
127.0.0.1 *.iwon.com
127.0.0.1 *.windows.com
127.0.0.1 *.look2megg.com
127.0.0.1 *.igetnet.com
127.0.0.1 *.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 *.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 *.qckads.com
127.0.0.1 *.zestyfind.com
127.0.0.1 *.lowrateadvisors.com
127.0.0.1 *.gator.com
127.0.0.1 *.targetnet.com

You might also want to add Spywareblaster to the list of good software to use in the fight. It will import a long list of domains into your restricted list on IE. It's a good way to keep the unwanted extra visits down to a dull roar while you are repairing.
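
A hosts file matches exact host names only, so not every line in a block list like the one above has an effect. The following added example (not part of the original comments) lints a hosts-style block list, reporting wildcard entries, IP literals in the name column and duplicates, then checks which host names seen in a firewall log are still unblocked. The sample entries are copied from the comments on this page; `ads.targetnet.com` in the observed list is a constructed name.

```python
import ipaddress


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_hosts(text):
    """Return (effective, problems).

    effective: {hostname: address} for entries the resolver will actually honour.
    problems:  [(line number, entry, reason)] for entries that have no effect.
    """
    effective, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        if len(fields) < 2 or not _is_ip(fields[0]):
            problems.append((lineno, raw.strip(), "not an 'address hostname' entry"))
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if "*" in host:
                reason = "wildcard is not expanded; only exact names match"
            elif _is_ip(host):
                reason = "IP literal is never looked up by name"
            elif host in effective:
                reason = "duplicate of an earlier entry"
            else:
                effective[host] = fields[0]
                continue
            problems.append((lineno, name, reason))
    return effective, problems


def unblocked(effective, observed_hosts):
    """Host names from a firewall or proxy log that no effective entry covers."""
    return [h for h in observed_hosts if h.lower().rstrip(".") not in effective]


# Entries copied from the comments on this page.
SAMPLE_HOSTS = """\
# block list under test
127.0.0.1 www.look2me.com
127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 clear-search.com
127.0.0.1 66.102.131.19
127.0.0.1 targetnet.com
127.0.0.1 *.targetnet.com
127.0.0.1 *.look2megg.com
127.0.0.1 clear-search.com
"""

# www.look2me0.com is the host one commenter saw in a firewall log;
# ads.targetnet.com is a constructed subdomain to show the wildcard gap.
OBSERVED = ["www.look2me.com", "www.look2me0.com", "ads.targetnet.com", "TARGETNET.COM"]

if __name__ == "__main__":
    effective, problems = lint_hosts(SAMPLE_HOSTS)
    for lineno, entry, reason in problems:
        print(f"line {lineno}: {entry}: {reason}")
    print("still reachable:", unblocked(effective, OBSERVED))
```

Subdomains and raw IP addresses have to be blocked at the firewall or proxy, since the hosts file cannot express either.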
0
0
Guest
Well I finally got rid of it after 2 days of no help from any of the google suggestions. None of the reg entries or msg {xxx{.dll's were being found.

So I download VX2Finder from here(126).exe http://simplythebest.net/info/spyware/look2me_spyware.html

and ran it. I deleted every file it found and the ones it couldn't delete were removed on reboot.

I then booted back into safe mode and ran regseeker (found here http://www.snapfiles.com/get/regseeker.html) and removed all entries it found

It hasn't been back since!
0
0
Guest
Until a few days back I could avail of Symantec Security Check & Google/Search without any error messages.
Since the last few days whenever I access Symantec>security Check>Virus Detection>Start I get a message "UNABLE TO RUN VIRUS DETECTION'.
Under IE>Tools>Internet Option>Security Tab>Internet Zone>Custom Level> ActiveX Control Section under Download signed ActiveX controls have selected PROMPT.
Under Run ActiveX controls have selected ENABLE.
Under Download Script ActiveX controls marked safe for scripting have selected ENABLE.
Still I get the same message.

Similarly in Google/Search "msg118.dll" I get message ERROR. Requested URL could not be retrieved.
While trying to retrieve the URL http://www.google.com/Search the following error was encountered : ACCESS DENIED.
Access control configuration prevents your request from being allowed this time.

Both NOD32 and Housecall.trendmicro report NO Virus.

When I run Spybot S&D 1.3 it reports Look2Me & Vx2BetterInternet. Although I choose "Fix Selected Problems" it cleans BUT the same problems arise time and again.

Please help me out of this FIX I AM IN
times I
Some malware has disturbed my settings.
Nariman
email : silloo@roltanet.com
0
0
Guest
Much of the info above pointed to this and that utility that will help. I got the malware on my computer when I dropped my firewall on a trusted site to test something and forgot to raise it before I went searching later. Started getting the "Spotresults.com" hijack and other fun stuff immediately. Norton 2003 could not combat it and AdAware and Spy-Bot would remove it but it would continually clone itself. This is what worked for me and was alluded to above.

1. I used my firewall to block internet access. (tried several times without this step and the little nasty kept cloning itself)
2. I ran HijackThis and deleted the requisite lines. (Careful not to delete anything you might need.)
3. I ran Adaware and found the nasty party. I noted its name and prior to having AdAware zap it, I went and checked it out in Explorer. I noted the file size, the "created" date and the "created by" info you get on a mouse-over. You'll notice it does not come up as Microsoft-built where everything else does. I sorted by file size and found another file with same size and mouse-over info. I deleted it and then let adaware zap the other one. Adaware said it couldn't and to do it on boot up.
4. I rebooted, immediately cut off internet access again and searched the System32 folder for the beastie or another clone. Nothing popped up.
5. I ran Adaware and HijackThis again and both came up clean.

What all this tells me is this: the DLLs are probably using the net to make the clones. If it doesn't have net access, it probably can't make the clones. So, things to consider - make sure your firewall is not giving "run DLL as an APP" access to the internet. Also, after this little scare, my Norton subscription expired. I spent the extra $5 and upgraded to Norton 2005 and ran it. IT found four bugs that the older version overlooked. So, for $5 more a year, you still get the updates to the definitions but also get the new software. Something to think about.
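
The file-hunting steps from the comments above (a `.dll` with a `.cpy.dll` twin, and other DLLs of exactly the same size as one a scanner already named) can be scripted. This is an added example, not part of the original comments; the demo directory, its file contents and the 4096-byte size are constructed, and the file names are ones reported on this page.

```python
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; absent on other platforms


def cpy_pairs(directory):
    """Find name.dll files that have a name.cpy.dll sibling (names compared lower-cased)."""
    names = {e.name.lower() for e in os.scandir(directory) if e.is_file()}
    pairs = []
    for name in sorted(names):
        if name.endswith(".cpy.dll"):
            twin = name[: -len(".cpy.dll")] + ".dll"
            if twin in names:
                pairs.append((twin, name))
    return pairs


def same_size_as(directory, seed_name):
    """Given one file a scanner already flagged, list other DLLs of identical size.

    Returns (seed size, [(file name, hidden flag)]). Reading the size does not
    need to open the file, so it also works for DLLs that are locked by a process.
    """
    seed_size = os.stat(os.path.join(directory, seed_name)).st_size
    hits = []
    for entry in os.scandir(directory):
        lower = entry.name.lower()
        if not entry.is_file() or lower == seed_name.lower() or not lower.endswith(".dll"):
            continue
        st = entry.stat()
        if st.st_size == seed_size:
            hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
            hits.append((entry.name, hidden))
    return seed_size, sorted(hits)


def build_demo_dir():
    """Constructed stand-in for the system directory, so the example runs anywhere."""
    directory = tempfile.mkdtemp(prefix="look2me_demo_")
    sample = {
        "aotiveds.dll": 4096,      # the file the scanner named (seed)
        "aotiveds.cpy.dll": 4096,  # its .cpy twin
        "3GR655.dll": 4096,        # differently named clone of the same size
        "kernel32.dll": 8192,      # unrelated file, different size
        "readme.txt": 4096,        # same size but not a DLL
    }
    for name, size in sample.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(b"\0" * size)
    return directory


if __name__ == "__main__":
    demo = build_demo_dir()
    print("pairs:", cpy_pairs(demo))
    print("same size as seed:", same_size_as(demo, "aotiveds.dll"))
```

A size match is only a lead: confirm each hit against the creation date and version information before deleting it.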
0
0
Guest
For me the problem was aotiveds.dll and aotiveds.cpy.dll ... I had norton internet security 2005 (paid $50 - no help! FYI), spyware blaster, spybot and adaware SE working on this problem and while they did find and remove it, it was temporary. I tried a million ways to Sunday to delete them, but they always ALWAYS returned. (including using move on boot and delete on boot, registry locker, vx2finder, and everything else you have already found and can think of.) 14 angry hours later, here is what finally worked for me (please note that at this point, I had the aotiveds.cpy.dll already deleted - I believe move on boot managed to delete it at some point - but the aotiveds.dll would not go away):

*Make sure your system restore is OFF
*Reboot in safe mode (NO networking)
*Delete the offending DLL files (they should delete immediately)
*Run VX2Finder to locate the reg key - copy key and close
*Run Regseeker - locate the key(s) - (be sure to check mark all the boxes) - delete them all.
*Run VX2Finder again - User agent $ should be gone now - if it's not, click the button that removes it. Guardian key will be back (it's a stubborn little mofo!!) - click that button to remove it.
*NOW that both keys are empty, click restore policy - it will make you reboot.

*You should now be CLEAN!!

Finally free!!! :D
0
0
nariman
Hello.
Case solved. No problems now.

Whilst waiting for your response did some R&D. Took my HDD to my friend's place and connected it with his computer. Searched for and deleted MSG118.DLL & MSGUARD.DLL. Brought the HDD home and connected to my computer. Ran Ad-Aware SE Personal, et al. No trace of spyware. Ran NAV2005. No virus found.

Searched for the two DLLs. No trace. No trace in Registry of the four entries associated with the DLLs.

Can now search for msg118.dll in Google/Search Bar. Can also access Symantec on line Virus check.
Nariman
0
0
Guest
Hey guys.. this is the most EVIL spyware/virus I've ever encountered. I'm contacting an attorney about the company responsible for this disease. This "software" is a serious and unacceptable invasion of privacy. Anyone care to go class action with this? ;) I'm actually a bit serious. email me (arcooke at gmail dot com).

Anyhow, I found a tool that seems to have done the trick for me. You can download it here: http://www.softpedia.com/public/cat/10/17/10-17-178.shtml

Thanks for everyone's help and tips for removing it. I've officially codenamed it Cancer version 2.0.

Good luck!

-Adam
0
0
Guest
Tried several spyware removal software (and days of frustration) but none would remove Look2Me. Finally downloaded free 30 day trial of SpySubtract by InterMute and that did the trick. Worked better than SpyBot, Adaware, SpyHunter, etc. I did a search on intermute to see if they were legit or just more spyware and they were legit... do your own search for reassurance.
http://www.intermute.com/spysubtract/
0
0
Guest
But I know that Rackspace is the company that owns the computer that sends this code.
They say they are a respectable company but they send you right back to look2me.com to be infected again.
From what I read here, Rackspace have known for months.
Anybody know if asking the internet provider to block all addresses owned by Rackspace might stop this thing?

Maybe contacting Rackspace's customers to complain?
Some of them are listed here:
http://www.rackspace.com/aboutus/customerstories.php
We have to find legal but creative ways of making them stop distributing the look2me code.

If somebody has a new way of removing this thing, it seems that is a new version because nothing I tried worked so far.
0
0
ewn
I tried everything on this forum, the 'spysubtract' seems to be the only solution that worked for me (XP), only time will tell. Thanks Rbrunner!
