Look2Me Adware manual removal:
Kill processes:
vt09.exe
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Asynchronous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\DllName=[filename]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Impersonate=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logoff=WinLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logon=WinLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Shutdown=WinShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\ID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\Idex
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
Delete files: vt09.exe
Misc: Look2Me uses numerous randomly named files and registry entries.
Most Look2Me files can be found in the default system directory, which is one of the following: C:\Windows\System, C:\Windows\System32, C:\Winnt\System32.
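Because the file and subkey names change from infection to infection, a more durable check than hunting for one filename is to export the Winlogon\Notify key and compare every direct subkey against a known-clean allowlist. The script below is an added example, not part of the original guide: it parses a constructed "reg export" sample (the Run and Guardian subkeys are shaped like the entries listed above, the DLL path is a placeholder) and flags any Notify subkey that is missing DllName, is not on the allowlist, or loads an unexpected DLL. The allowlist of stock Windows XP notification packages is an assumption; replace it with an export taken from a machine you know to be clean.

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed allowlist of Winlogon\Notify subkeys on a stock Windows XP build and the
# DLL each one should load (subkey names lower-cased). Adjust to a known-clean export.
KNOWN_GOOD = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

# Constructed sample of "reg export" output (not taken from a real machine): one stock
# entry, a Run subkey and a Guardian subkey shaped like the ones in the guide above.
# The DLL name is a placeholder for the randomly named file the adware drops.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\placeholder_random.dll"
"Impersonate"=dword:00000000
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"ID"=dword:00000000
"Idex"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            # .reg files escape every backslash inside a string as "\\"
            keys[current][name] = string.replace("\\\\", "\\") if string is not None else int(dword, 16)
    return keys


def audit_notify(keys):
    """Return (subkey, reason) for each direct Notify subkey that does not look like a stock package."""
    findings = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix) or "\\" in path[len(prefix):]:
            continue  # the Notify key itself, deeper keys, or unrelated keys
        sub = path[len(prefix):]
        dll = values.get("DllName")
        expected = KNOWN_GOOD.get(sub.lower())
        if dll is None:
            findings.append((sub, "no DllName value; not a valid notification package"))
        elif expected is None:
            findings.append((sub, f"unknown subkey loading {dll}"))
        elif dll.lower() != expected:
            findings.append((sub, f"expected {expected}, found {dll}"))
    return findings


if __name__ == "__main__":
    for sub, reason in audit_notify(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{NOTIFY_KEY}\\{sub}: {reason}")
```

Run it against a real export with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and feed the file's text to `parse_reg_export`; anything it flags is worth checking before deleting, since a legitimate third-party package (a VPN client, for instance) would also be reported as unknown.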
Comments from visitors:
1. Tried everything here by ewn. 2005-01-20 10:01:31
They say they are a respectable company but they send you right back to look2me.com to be infected again.
From what I read here, Rackspace have known for months.
Anybody know if asking the internet provider to block all addresses owned by Rackspace might stop this thing?
OrgName: Rackspace.com
OrgID: RSPC
Address: 112 E. Pecan St.
Address: Suite 600
City: San Antonio
StateProv: TX
PostalCode: 78205
Country: US
NetRange: 69.20.0.0 - 69.20.127.255
CIDR: 69.20.0.0/17
NetName: RSPC-NET-4
NetHandle: NET-69-20-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.RACKSPACE.COM
NameServer: NS2.RACKSPACE.COM
Comment:
RegDate: 2003-01-24
Updated: 2004-04-28
Maybe contacting Rackspace's customers to complain?
Some of them are listed here:
http://www.rackspace.com/aboutus/customerstories.php
We have to find legal but creative ways of making them stop distributing the look2me code.
If somebody has a new way of removing this thing, it seems that this is a new version because nothing I tried worked so far.
http://www.intermute.com/spysubtract/
Anyhow, I found a tool that seems to have done the trick for me. You can download it here: http://www.softpedia.com/public/cat/10/17/10-17-178.shtml
Thanks for everyone's help and tips for removing it. I've officially codenamed it Cancer version 2.0.
Good luck!
-Adam
Case solved. No problems now.
Whilst waiting for your response did some R&D. Took my HDD to my friend's place and connected it with his computer. Searched for and deleted MSG118.DLL & MSGUARD.DLL. Brought the HDD home and connected to my computer. Ran Ad-Aware SE Personal, et al. No trace of spyware. Ran NAV2005. No virus found.
Searched for the two DLLs. No trace. No trace in Registry of the four entries associated with the DLLs.
Can now search for msg118.dll in Google/Search Bar. Can also access Symantec online virus check.
Nariman
*Make sure your system restore is OFF
*Reboot in safe mode (NO networking)
*Delete the offending DLL files (they should delete immediately)
*Run VX2Finder to locate the reg key - copy key and close
*Run Regseeker - locate the key(s) - (be sure to check mark all the boxes) - delete them all.
*Run VX2Finder again - User agent $ should be gone now - if it's not, click the button that removes it. Guardian key will be back (it's a stubborn little mofo!!) - click that button to remove it.
*NOW that both keys are empty, click restore policy - it will make you reboot.
*You should now be CLEAN!!
Finally free!!! :D
1. I used my firewall to block internet access. (tried several times without this step and the little nasty kept cloning itself)
2. I ran HijackThis and deleted the requisite lines. (Careful not to delete anything you might need.)
3. I ran Adaware and found the nasty party. I noted its name and prior to having AdAware zap it, I went and checked it out in Explorer. I noted the file size, the "created" date and the "created by" info you get on a mouse-over. You'll notice it does not come up as Microsoft-built where everything else does. I sorted by file size and found another file with same size and mouse-over info. I deleted it and then let adaware zap the other one. Adaware said it couldn't and to do it on boot up.
4. I rebooted, immediately cut off internet access again and searched the System32 folder for the beastie or another clone. Nothing popped up.
5. I ran Adaware and HijackThis again and both came up clean.
What all this tells me is this: the DLLs are probably using the net to make the clones. If it doesn't have net access, it probably can't make the clones. So, things to consider - make sure your firewall is not giving "run DLL as an APP" access to the internet. Also, after this little scare, my Norton subscription expired. I spent the extra $5 and upgraded to Norton 2005 and ran it. It found four bugs that the older version overlooked. So, for $5 more a year, you still get the updates to the definitions but also get the new software. Something to think about.
Since the last few days whenever I access Symantec > Security Check > Virus Detection > Start I get a message "UNABLE TO RUN VIRUS DETECTION".
Under IE > Tools > Internet Options > Security Tab > Internet Zone > Custom Level > ActiveX Controls section, under Download signed ActiveX controls I have selected PROMPT.
Under Run ActiveX controls I have selected ENABLE.
Under Script ActiveX controls marked safe for scripting I have selected ENABLE.
Still I get the same message.
Similarly in Google/Search "msg118.dll" I get message ERROR. Requested URL could not be retrieved.
While trying to retrieve the URL http://www.google.com/Search the following error was encountered : ACCESS DENIED.
Access control configuration prevents your request from being allowed this time.
Both NOD32 and Housecall.trendmicro report NO Virus.
When I run Spybot S&D 1.3 it reports Look2Me & Vx2BetterInternet. Although I choose "Fix Selected Problems" and it cleans, the same problems arise time and again.
Please help me out of this fix I am in.
times I
Some malware has disturbed my settings.
Nariman
email : silloo@roltanet.com
So I downloaded VX2Finder(126).exe from here: http://simplythebest.net/info/spyware/look2me_spyware.html
and ran it. I deleted every file it found and the ones it couldn't delete were removed on reboot.
I then booted back into safe mode and ran RegSeeker (found here: http://www.snapfiles.com/get/regseeker.html) and removed all entries it found.
It hasn't been back since!
127.0.0.1 registration.iwon.com
127.0.0.1 sa.windows.com
127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.zestyfind.com
127.0.0.1 www.lowrateadvisors.com
127.0.0.1 66.102.131.19
127.0.0.1 webpdp.balance.gator.com
127.0.0.1 targetnet.com
127.0.0.1 *.targetnet.com
127.0.0.1 *.iwon.com
127.0.0.1 *.windows.com
127.0.0.1 *.look2megg.com
127.0.0.1 *.igetnet.com
127.0.0.1 *.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 *.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 *.qckads.com
127.0.0.1 *.zestyfind.com
127.0.0.1 *.lowrateadvisors.com
127.0.0.1 *.gator.com
127.0.0.1 *.targetnet.com
You might also want to add SpywareBlaster to the list of good software to use in the fight. It will import a long list of domains into your restricted list on IE. It's a good way to keep the unwanted extra visits down to a dull roar while you are repairing.
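A hosts-file blocklist like the one posted above only works for lines the resolver will actually honour: the Windows hosts file has no wildcard support, an entry whose "hostname" is itself an IP address is never consulted, and duplicates just add noise. The linter below is an added example, not something from the original post; it takes a few lines from that list (plus a constructed `0.0.0.0` sinkhole line and a constructed malformed line) and separates the entries that will block something from the ones that will silently do nothing.

```python
import ipaddress

# Sample blocklist: the first six lines are copied from the list posted above; the
# last two are constructed to show a 0.0.0.0 sinkhole with a comment and a bad address.
SAMPLE_HOSTS = """127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 66.102.131.19
127.0.0.1 *.look2megg.com
127.0.0.1 clear-search.com
127.0.0.1 clear-search.com
0.0.0.0 www.clrsch.com   # constructed: sinkhole form
not-an-ip www.example.invalid
"""


def is_ip_literal(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_hosts(text):
    """Return (kept, problems).

    kept     : de-duplicated list of (address, hostname) the hosts file will honour
    problems : list of (line_number, reason) for entries the hosts file would ignore
    """
    kept, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append((lineno, "malformed: need an address and at least one hostname"))
            continue
        ip, names = parts[0], parts[1:]
        if not is_ip_literal(ip):
            problems.append((lineno, f"{ip} is not a valid address"))
            continue
        for name in names:
            key = name.lower()
            if "*" in name:
                problems.append((lineno, f"{name}: the hosts file has no wildcards; list each host explicitly"))
            elif is_ip_literal(name):
                problems.append((lineno, f"{name}: IP literals are never resolved, so this entry blocks nothing"))
            elif key in seen:
                problems.append((lineno, f"{name}: duplicate of an earlier entry"))
            else:
                seen.add(key)
                kept.append((ip, key))
    return kept, problems


def render_hosts(kept):
    """Format the kept entries back into hosts-file lines."""
    return "\n".join(f"{ip} {name}" for ip, name in kept) + "\n"


if __name__ == "__main__":
    kept, problems = lint_hosts(SAMPLE_HOSTS)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    print(render_hosts(kept))
```

Point it at `%SystemRoot%\System32\drivers\etc\hosts` to audit an existing blocklist; the wildcard lines it reports are the ones to expand into explicit hostnames or move into a tool such as SpywareBlaster's IE restricted-sites list, which does handle whole domains.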
In the end, the 6*04svc.dll are the key as mentioned above. However, I had to clean up a lot before doing that final step. Use HijackThis to clean out the browser crap and search hijacks, toolbars etc.
I also used Spybot to clean as well.
Finally I used DOS command to find the hidden files.
1. In DOS navigate to C:\Windows\System
2. Type "dir /A:H" and hit Enter
3. Look for suspicious hidden files, all of the same size. I found lots with 320KB size. Not only 6* ones as mentioned but also adm.dll and a few others.
After finding them, I returned back to the OS search and deleted most from there. (Once I found the exact date I was infected, I did a complete sweep of the drive for that date and size.)
I was able to delete all BUT two (the active 6* and the adm.dll).
I got the ZoneAlarm trial and stopped winlogon.exe and rundll32.exe from connecting to the internet. ZoneAlarm prompted and I blocked it. CRITICAL STEP.
Once that was done I got the MoveOnBoot program to delete the two files above (adm.dll and 6*.dll) that I could not delete since they were tied in too deep. A few reboots later (MoveOnBoot only does one at a time, and a manual delete of adm.dll) and I was done.
Hope that helps anyone who gets into this problem.
I have been clear for 12 hours :) and very happy.
If anybody has any further suggestions or possible solutions, I'd be glad to hear them.
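Two of the posts above found the dropped files the same way: several DLLs in the system directory with exactly the same size and the same creation info. The script below is an added example rather than code from any of the posters; it generalises that manual check by grouping candidate files by size and then confirming with a SHA-256 hash that the members of a group really are byte-for-byte clones, so a legitimate DLL that merely happens to share a size is not reported. It builds its own constructed temporary directory (three identical copies named like the randomly named files, one same-size decoy, one other file) so it runs offline; `adm.dll` is the filename mentioned above, the others are made up.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_clones(directory, suffixes=(".dll", ".exe"), min_group=2):
    """Find sets of identical files in one directory.

    Files are first bucketed by size (cheap), then only the buckets with at
    least min_group members are hashed. Returns {sha256: sorted filenames}
    for every hash shared by min_group or more files.
    """
    by_size = defaultdict(list)
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False) and entry.name.lower().endswith(suffixes):
                by_size[entry.stat().st_size].append(entry.path)
    clones = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < min_group:
            continue
        for path in paths:
            clones[hash_file(path)].append(os.path.basename(path))
    return {digest: sorted(names) for digest, names in clones.items() if len(names) >= min_group}


def build_sample_dir():
    """Constructed sample directory: three identical 3200-byte files with DLL names
    (adm.dll is named in the posts above, the other two names are invented), one
    same-size file with different content, and one unrelated small file."""
    d = tempfile.mkdtemp(prefix="clone-demo-")
    payload = b"\x90" * 3200
    for name in ("a1b2c3.dll", "d4e5f6.dll", "adm.dll"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(d, "legit.dll"), "wb") as f:
        f.write(b"\x00" * 3200)  # same size as the clones, different bytes
    with open(os.path.join(d, "other.dll"), "wb") as f:
        f.write(b"\x01" * 100)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for digest, names in find_clones(sample).items():
        print(f"{digest[:16]}...: {', '.join(names)}")
```

On a real system, run `find_clones` against the system directory named in the removal guide; a hash shared by several oddly named DLLs is a much stronger signal than size alone, and the hash itself can then be searched for or submitted to a scanner.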
Maybe all the hatemail got to em. I know I was ready to hop a flight.
Why is this not classified as a virus, the people behind shit like this need to be prosecuted! I still have not been able to clean this, I do know that when I find these new dll files I have to end the rundll32 process first.