Remove Look2Me Adware. Description and removal instructions

I tried everything on this forum, the 'spysubtract' seems to be the only solution that worked for me (XP), only time will tell. Thanks Rbrunner!

But I know that Rackspace is the company that own the computer that send this code.
They say they are a respectable company but theysend you right back to look2me.com to be infected again.
For what I read here, Rackspcae have known for month.
Anybody know if asking the internet provider to block all addresses owned by Rackspace might stop thi thing ?
OrgName: Rackspace.com
OrgID: RSPC
Address: 112 E. Pecan St.
Address: Suite 600
City: San Antonio
StateProv: TX
PostalCode: 78205
Country: US

NetRange: 69.20.0.0 - 69.20.127.255
CIDR: 69.20.0.0/17
NetName: RSPC-NET-4
NetHandle: NET-69-20-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.RACKSPACE.COM
NameServer: NS2.RACKSPACE.COM
Comment:
RegDate: 2003-01-24
Updated: 2004-04-28

Maybe contacting Rackspace's customer to complain ?
Some of them are listed here:
http://www.rackspace.com/aboutus/customerstories.php
We have to find legal but creative ways of making them stop distributing the look2me code.

If somebody has a new way of removing this thing, it seems that is a new version because nothing I tried worked so far.

Tried several several spyware removal software ( and days of frustration)but none would remove Look2Me. Finally downloaded free 30 day trial of SpySubtract by InterMute and that did the trick. Worked better than SpyBot, Adaware, SpyHunter, etc. I did a search on intermute to see if they were legit or just more spyware and they were legit...do your own serach for reassurance.
http://www.intermute.com/spysubtract/

Hey guys.. this is the most EVIL spyware/virus I've ever encountered. I'm contacting an attorney about the company responsible for this disease. This "software" is a serious and unacceptable invasion of privacy. Anyone care to go class action with this? ;) I'm actually a bit serious. email me (arcooke at gmail dot com).

Anyhow, I found a tool that seems to have done the trick for rme. You can download it here: http://www.softpedia.com/public/cat/10/17/10-17-178.shtml

Thanks for everyones help and tips for removing it. I've offically codenamed it Cancer version 2.0.

Good luck!

-Adam

Hello.
Case solved. No problems now.

Whilst waiting for your response did some R&D. Took my HDD to my friends place and connected it with his computer. Searched for and deleted MSG118.DLL & MSGUARD.DLL. Brought the HDD home and connected to my computer. Ran Ad-Aware SE Personal, et al. No trace of spyware. Ran NAV2005. No virus found.

Searched for the two DLLs. No Trace. No trace in Registry of the four entries entries associated with the DLLs.

Can now search for msg118.dll in Google/Search Bar. Can also access Symantec on line Virus check.
Nariman

For me the problem was aotiveds.dll and aotiveds.cpy.dll ... I had norton internet security 2005 (paid $50 - no help! FYI), spyware blaster, spybot and adaware SE working on this problem and while they did find and remove it, it was temporary. I tried a million ways to Sunday to delete them, but they always ALWAYS returned. (including using move on boot and delete on boot, registry locker, vx2finder, and everything else you have already found and can think of.) 14 angry hours later, here is what finally worked for me (please note that at this point, I had the aotiveds.cpy.dll already deleted - I believe move on boot managed to delete it at some point - but the aotiveds.dll would not go away):

*Make sure your system restore is OFF
*Reboot in safe mode (NO networking)
*Delete the offending DLL files (they should delete immediately)
*Run VX2Finder to locate the reg key - copy key and close
*Run Regseeker - locate the key(s) - (be sure to check mark all the boxes) - delete them all.
*Run VX2Finder again - User agent $ should be gone now - if its not, click the button that removes it. Guardian key will be back (its a stubborn little mofo!!) - click that button to remove it.
*NOW that both keys are empty, click restore policy - it will make you reboot.

*You should now be CLEAN!!

Finally free!!! :D

Much of the info above pointed to this and that utility that will help. I got the malware on my computer when I dropped my firewall on a trusted site to test something and forgot to raise it before I went searching later. Started getting the "Spotresults.com" hijack and other fun stuff immediately. Norton 2003 could not combat it and AdAware and Spy-Bot would remove it but it would continually clone itself. This is what worked for me and was alluded to above.

1. I used my firewall to block internet access. (tried several times without this step and the little nasty kept cloning itself)
2. I ran HijackThis and deleted the requisite lines. Careful not to delete anything you might need)
3. I ran Adaware and found the nasty party. I noted its name and prior to having AdAware zap it, I went and checked it out in Explorer. I noted the file size, the "created" date and the "created by" info you get on a mouse-over. You'll notice it does not come up as Microsoft-built where everything else does. I sorted by file size and found another file with same size and mouse-over info. I deleted it and then let adaware zap the other one. Adaware said it couldn't and to do it on boot up.
4. I rebooted, immediately cut off internet access again and searched the System32 folder for the beastie or another clone. Nothing popped up.
4. I ran Adaware and HijackThis again and both came up clean.

What all this tells me is this: the DLLs are probably using the net to make the clones. If it doesn't have net access, it probably can't make the clones. So, things to consider - make sure your firewall is not giving "run DLL as an APP" access to the internet. Also, after this little scare, my Norton subscription expired. I spent the extra $5 and upgraded to Norton 2005 and ran it. IT found four bugs that the older version overlooked. So, for $5 more a year, you still get the updates to the definitions but also get the new software. Something to think about.

Until a few days back I could avail of Symantec Security Check & Google/Search without any error messages.
Since the last few days whenever I access Symantec>security Check>Virus Detection>Start I get a message "UNABLE TO RUN VIRUS DETECTION'.
Under IE>Tools>Internet Option>Security Tab>Internet Zone>Custom Level> ActiveX Control Section under Download signed ActiveX controls have selected PROMPT.
Under Run ActiveX controls have selected ENABLE.
Under Download Script ActiveX controls marked safe for scripting have selected ENABLE.
Still I get the same message.

Similarly in Google/Search "msg118.dll" I get message ERROR. Requested URL could not be retrieved.
While trying to retrieve the URL http://www.google.com/Search the following error was encountered : ACCESS DENIED.
Access control configuration prevents your request from being allowed this time.

Both NOD32 and Housecall.trendmicro report NO Virus.

When I run Spybot S&D 1.3 It reports Look2Me & Vx2BetterInternet. Altjhough I choos "Fix Selected Problems" it cleans BUT the same problems arise time and again.

Please help me out of this FIX i AM IN
times I
Some malware has disturbed my settings.
Nariman
email : silloo@roltanet.com

Well I finally got rid of it after 2 days of no help from any of the google suggestions. None of the reg entries or msg {xxx{.dll's were being found.

So I download VX2Finder from here(126).exehttp://simplythebest.net/info/spyware/look2me_spyware.html

and ran it. I deleted every file it found and the ones it couldn't delete were removed on reboot.

I then booted back into safe mode and ran regseeker (found here http://www.snapfiles.com/get/regseeker.html) and removed all entries it found

It hasn't been back since!

I forgot to mentioned, in the middle I once the host file ( DRIVERS/ETC ) is restored make sure its WRITE protected and add many of the offending sites into that file so even if you have popups for awhile, it will not try to connect.

127.0.0.1 registration.iwon.com
127.0.0.1 sa.windows.com
127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.zestyfind.com
127.0.0.1 www.lowrateadvisors.com
127.0.0.1 66.102.131.19
127.0.0.1 webpdp.balance.gator.com
127.0.0.1 targetnet.com
127.0.0.1 *.targetnet.com
127.0.0.1 *.iwon.com
127.0.0.1 *.windows.com
127.0.0.1 *.look2megg.com
127.0.0.1 *.igetnet.com
127.0.0.1 *.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 *.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 *.qckads.com
127.0.0.1 *.zestyfind.com
127.0.0.1 *.lowrateadvisors.com
127.0.0.1 *.gator.com
127.0.0.1 *.targetnet.com

You might also want to add Spywareblaster to the list of good software to use in the fight. It will import a long list of domains into your restricted list on IE. Its a good way to keep the unwanted extra visits down to a dull roar while you are repairing.

I finally got rid of the nasty buggers and thought I would add my two cents, 3 days later and alot of nasty things to say about that company.

In the end, the 6*04svc.dll are the key as mentioned above. However, I had to clean up alot before doing that final step. Use Hijack to clean out the browser crap and search hijacks, toolbars etc.

I also used Spybot to clean as well.

Finally I used DOS command to find the hidden files.
1. In DOS Navigate to C:WindowsSystem
2. Type "dir /A:H" and hit Enter
3. Look for suspicious hidden files, all of the same size. I found lots with 320KB size. Not only 6* ones as mentioned but also adm.dll and a few others.

After finding them, I returned back to the OS search and deleted most from there. ( once I found the exact date I was infected. I did a complete sweep of the drive for that date and size. ).

I was able to delete all BUT two ( the active 6* and the adm.dll ) .

I got ZONEALARMS trial and stopped winlogon.exe and rundll32.exe to stop connecting to the internet . ZONE prompted and I blocked it.. CRITICAL STEP.

Once that was doen I got MOVEONBOOT program to delete the two files about ( ADM.dll and 6*.dll ) that I could not delete since they were tried in too deep. A few reboots later ( MOVEONBOOT only does one at a time and a manual delete of adm.dll ) and I was done..

Hope that helps anyone who gets in the problem.

I have been clear for 12 hours :) and very happy.

Nice little program/trojan they have going for them. From what i can see from Sygate's log's it also tries to connect to www.look2me0.com (64.74.134.64) and when doing a traceroute from my linux box it dead end's at (you'll love this one) Newdotnet. Interesting no doubt. The other little fact that i find interesting is that all of these address have the same Mac address (00-20-E0-04-45-C6). Just wanted to add that nugget of information to the pile.

I seem to have gotten rid of it using their uninstaller at http://www.look2me.com/cgi-bin/UnInstaller. I had to first go into Internet Properties, Security tab, Custom button and enable all options that referred to ActiveX in order to download the uninstaller. Once you run it and key in the key they furnish you, you have to connect to the internet for it to complete. I considered that this might just be a way for them to do more damage, but was ready at this point to take the chance. After their uninstaller ran I ran NAV again and it found the same files as before (AAAAMON.dll and 6*o4svc.dll), but this time NAV was able to delete them.

After trying just about every solution offered on the web, I still haven't gotten rid of it. I've repeatedly run Ad-aware, Spybot and NAV, but find that I can never delete the files they find, even in Safe mode. I tried Kill2Me, but it says that Look2Me is not on my machine. I can't use the boot to DOS solutions because I'm on XP. I can't even download the so-called uninstaller because I get some security access message, not that it would work anyway. I seem to have gotten rid of (or never had) the registry entries and don't have the msg*.dll files. My problem seems to be with 6*mo4svc.dll files in WindowsSystem32 but I can't delete them because the are in use by winlogon.exe, which can't be terminated, even with Tuneup Utilities 2004. I've tried deleting them on the next boot with MoveOnBoot, but it either isn't successful or they are getting regenerated. I downloaded the trial PestPatrol, but it didn't even detect Look2Me on my machine. I just e-mailed NicTech trying to get a removal solution, but I'm sure that was just a waste of time. Dell suggests I reformat and reload, but that's not one of my favorite things to do.

If anybody has any further suggestions or possible solutions, I'd be glad to hear them.

Well i called, and (952) 884-5664 .. some lady answered, and she said that her husband had nothing to do with this, and said she's been getting phone calls for years about this.. she said she and her husband have nothing to do with this.. anyways.. i'm getting really fucking pissed that i can't get rid of this look2me thing, i'm about to jump in my truck and pay him a visit with my paintball gun... this is getting way out of hand, i have tried EVERYTHING.. i have nothing in my registry, when i try to use Kill2Me, it says it doesn't find a trace, and when i execute it.. it does what it's supposed to, but when explorer comes back, it opens up my documents again, just like before when you'd try to delete it, if anyone has any solutions.. please let me know.. btw the lady who answered the phone, sounded to be 80 years old, and started crying when i called... lol what the fuck ever.. she and her husband are going DOWN.

Did I miss something here? After trying various "fixes", to include fooling w/ the registry and recommended utilities, I located this address that appears to have solved the Look2me, zestyfind, and spotresults browser hijackings. http://www.look2me.com/cgi-bin/UnInstaller
Maybe all the hatemail got to em. I know I was ready to hop a flight.

This program has totally screwed up my computer. It begins loading pop-ups until everything I am doing crashes. It should be illegal to force this kind of software on the public.

I have been working on a Win2k system for hours trying to remove look2me. I have been trying all sorts of tools and every time I clean the system then run NAV2004 it finds a new *.dll file related to look2me.
Why is this not classified as a virus, the people behind shit like this need to be prosecuted! I still have not been able to clean this, I do know that when I find these new dll files I have to end the rundll32 process first.

FINALLY got relief from this scourge by using Ad-Aware 6 Plus, then Kill2Me, then the AdAware again to get a couple of crapola things out of the registry. Thanks to those on this board who recommended Kill2Me! Tim Nichols -- and believe me, I don't use language like this at ALL -- Tim Nichols should eat shit and die. And Norton should start defining this damned Look2Me thing as malware, if not a virus. Grrrrrr. Anyway, looks like Kill2Me and Adaware together worked for me.

In my efforts to remove Look2Me I have found a hidden dll in the WINNT/System32 directory. The dll name is the same as the dll name listed in the Guardian section of the Registry. Each time I reboot my W2K operating system, Look2Me renames the visable dll. The dll always starts with the number 3. For example it has appeared as 3FR.dll, 3ORABGR.dll, and 3YR,dkk. The hidden dll is named 3GR655.dll. The size of both dll's is 316,776 bytes. Norton and Ad-Aware both identify the visable dll as Look2Me. When I try to scan the hidden file, I receive an error message from Norton that it does not have permission to scan the file. Hopefully this information will be helpful in finding a way to remove this pest.