Look2Me Adware manual removal:
Kill processes:
vt09.exe
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Asynchronous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\DllName=[filename]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Impersonate=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logoff=WinLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Logon=WinLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run\Shutdown=WinShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\ID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian\Idex
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
Delete files:
vt09.exe
Misc: Look2Me uses numerous randomly named files and registry entries.
Most Look2Me files can be found in the default system directory, which is one of the following: C:\Windows\System, C:\Windows\System32, C:\Winnt\System32.
Follow the registry instructions above and delete these files.
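The removal notes above hinge on one persistence mechanism: a subkey under Winlogon\Notify whose DllName points at a DLL that winlogon.exe loads at every logon, plus a companion "Guardian" subkey that carries no DllName at all. Rather than eyeballing regedit, export the key and audit it. The following is an added example, not code from the original post or from any of the tools it mentions: it parses a `reg export` text file, decodes the REG_SZ, REG_DWORD and REG_EXPAND_SZ (hex(2)) value syntaxes, and flags every notification package that is either missing a DllName or not in a baseline of package names. The baseline set and the sample export below are constructed assumptions (the sample reuses the Run/Guardian value names from the post); build the baseline from a known-good machine of the same build before trusting it.

```python
"""Audit a `reg export` of the Winlogon\\Notify key for packages that do not
belong.  Added example: the sample export and the baseline are constructed."""
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
              "\\CurrentVersion\\Winlogon\\Notify")

# Notification packages present on a clean Windows XP SP2 install.  This is an
# assumption of the example; derive your own from a known-good machine.
BASELINE_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Constructed sample in the format written by:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg
# One legitimate package plus the "Run" and "Guardian" subkeys described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="6no4svc.dll"
"Impersonate"=dword:00000000
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]
"ID"=dword:0000002a
"Idex"="x"
"""


def _join_continuations(text: str) -> List[str]:
    """reg export wraps long hex values with a trailing backslash; rejoin them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw: str) -> str:
    """Decode the .reg value syntaxes that matter here into a plain string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":            # REG_EXPAND_SZ is UTF-16LE, NUL-terminated
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    return raw


def parse_notify_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {package_name: {value_name: decoded_value}} for every Notify subkey."""
    packages: Dict[str, Dict[str, str]] = {}
    current = None
    prefix = NOTIFY_KEY + "\\"
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.startswith(prefix) else None
            if current is not None:
                packages[current] = {}
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        packages[current][name.strip('"')] = _decode_value(raw)
    return packages


def audit_notify(text: str) -> List[Tuple[str, str]]:
    """Flag Notify subkeys a Look2Me-style infection leaves behind."""
    findings = []
    for name, values in parse_notify_export(text).items():
        dll = values.get("DllName")
        if dll is None:
            # A real notification package must name a DLL; the "Guardian" key only carries ID/Idex.
            present = ", ".join(sorted(values)) or "none"
            findings.append((name, "no DllName under Notify (values: %s)" % present))
        elif name not in BASELINE_PACKAGES:
            findings.append((name, "package not in baseline, loads %s" % dll))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_notify(SAMPLE_REG):
        print("%-14s %s" % (pkg, reason))
```

On a live machine, run the `reg export` command from the comment and pass the file's contents to `audit_notify`; anything flagged is a candidate for the delete-on-reboot step described below, since winlogon.exe holds the DLL open while you are logged on.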
Used Ad-Aware to clean as much as it could, which was all but these two files:
c:\windows\system32\6no4svc.cpy.dll
c:\windows\system32\6no4svc.dll
Then I rebooted, cleared my IE cache and history and emptied my recycle bin.
Then I downloaded a utility called "MoveOnBoot" from: http://www.gibinsoft.net/gipoutils/fileutil/index.htm
Look down at the bottom for the MoveOnBoot freeware version:
GiPo@MoveOnBoot 1.9.5 (English), EXE-setup (644 Kb)
And used this utility to remove both files. I rebooted, cleared my cache and history and recycle bin again, and then reran Ad-Aware and it's gone!
Cheers,
~K
Registry keys vary very widely as well.
A program called VX2Finder.exe will locate the files and their keys just fine.
I downloaded it from:
http://www.pchell.com/support/look2me.shtml
even if the rest of their instructions are too old to work now.
I'm going to try Kaeli's idea in a few minutes.
I have yet to successfully remove this POS. I consider it a trojan as it executes code and programs independent of the will of the user. I've been advising my clients (who've paid dearly for its removal) to pursue legal action.
Ad-Aware, Spybot and McAfee are able to ID the software (McAfee spots it when it tries to launch a popup ad) but none have been able to eradicate it completely. Disabling "System Restore" in XP before running the above software seems to have helped to some degree, as Spybot and AA no longer spot the offending reg keys, but McAfee still catches the popups. It claims to move/clean the virus each time, but I still get popups.
Does anyone know where this came from? Kazaa spyware bundle?
PS - Look2me sucks balls.
General Information
Contact: Timothy Nichols
Phone: 612-720-4674
Email: tim@nictechnetworks.com
http://quickstart.clari.net/qs_se/webnews/wed/bl/Bprofile_mn-nictech.RzY7_DSC.html
I closed explorer.exe and the rundll stuff... then I went in and deleted all the reg keys for the program, and then I was able to delete the .cpy of the bad DLL. Then I restarted my computer and could delete the other DLL. Hope it works for you.
http://computercops.biz/postt31253.html
It's about halfway down the page; just use it for your .dll. Good luck.
Before, the only way to stop it per WinXP session was to close RUNDLL32 with Taskkiller and delete the 309 Kb a****s.dll in /SYSTEM32. Had none of the msg***.dlls or DDFF reg entries at all..?
Will be sending NicTech some 5Mb emails now...
127.0.0.1 www.look2me.com
it doesn't get rid of it, but at least when the pop-up launches it doesn't do anything.
Corp Headquarters
14551 Europa Way
Apple Valley, Minnesota 55124
I finally found out how the damned thing worked and got removal instructions which absolutely cleaned my system. The cleansing routine is here:
http://www.computerelvis.com/SquashingBugs.htm
Why is this not classified as a virus? The people behind shit like this need to be prosecuted! I still have not been able to clean this. I do know that when I find these new dll files I have to end the rundll32 process first.
Maybe all the hate mail got to 'em. I know I was ready to hop a flight.
If anybody has any further suggestions or possible solutions, I'd be glad to hear them.
In the end, the 6*04svc.dll are the key, as mentioned above. However, I had to clean up a lot before doing that final step. Use Hijack to clean out the browser crap and search hijacks, toolbars etc.
I also used Spybot to clean as well.
Finally I used DOS command to find the hidden files.
1. In DOS, navigate to C:\Windows\System
2. Type "dir /A:H" and hit Enter
3. Look for suspicious hidden files, all of the same size. I found lots with 320KB size. Not only 6* ones as mentioned but also adm.dll and a few others.
After finding them, I returned back to the OS search and deleted most from there. ( once I found the exact date I was infected. I did a complete sweep of the drive for that date and size. ).
I was able to delete all BUT two ( the active 6* and the adm.dll ) .
I got the ZoneAlarm trial and stopped winlogon.exe and rundll32.exe from connecting to the internet. ZoneAlarm prompted and I blocked it.. CRITICAL STEP.
Once that was done I got the MoveOnBoot program to delete the two files above (adm.dll and 6*.dll) that I could not delete since they were tied in too deep. A few reboots later (MoveOnBoot only does one at a time, and a manual delete of adm.dll) and I was done..
Hope that helps anyone who gets in the problem.
I have been clear for 12 hours :) and very happy.
127.0.0.1 registration.iwon.com
127.0.0.1 sa.windows.com
127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.zestyfind.com
127.0.0.1 www.lowrateadvisors.com
# 127.0.0.1 66.102.131.19   <- an IP literal is never looked up in the hosts file; this line has no effect
127.0.0.1 webpdp.balance.gator.com
127.0.0.1 targetnet.com
# The hosts file matches exact hostnames only; it does not support wildcards.
# The entries below never match anything. List each hostname explicitly instead.
# 127.0.0.1 *.targetnet.com
# 127.0.0.1 *.iwon.com
# 127.0.0.1 *.windows.com
# 127.0.0.1 *.look2megg.com
# 127.0.0.1 *.igetnet.com
# 127.0.0.1 *.ignphrases.com
# 127.0.0.1 *.clrsch.com
# 127.0.0.1 *.qckads.com
# 127.0.0.1 *.zestyfind.com
# 127.0.0.1 *.lowrateadvisors.com
# 127.0.0.1 *.gator.com
You might also want to add SpywareBlaster to the list of good software to use in the fight. It will import a long list of domains into your restricted list on IE. It's a good way to keep the unwanted extra visits down to a dull roar while you are repairing.
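Two caveats on hosts-file blocklists like the one above: the resolver matches whole hostnames only, so `*.example.com` entries never match and an entry whose "hostname" is an IP address never does anything, and duplicated lines just make the file harder to maintain. The following is an added example, not code from the original post: a small linter that parses a hosts file, drops duplicates, and reports the entries that silently do nothing. The sample input is a constructed excerpt built from a few of the entries posted above.

```python
"""Lint a hosts-file blocklist.  Added example; the sample is a constructed
excerpt of the list posted in the thread."""
import ipaddress
from typing import List, Tuple

SAMPLE_HOSTS = """\
# constructed excerpt of the posted blocklist
127.0.0.1 localhost
127.0.0.1 www.look2me.com
127.0.0.1 clear-search.com
127.0.0.1 66.102.131.19
127.0.0.1 *.targetnet.com
127.0.0.1 clear-search.com
127.0.0.1 *.clrsch.com
"""


def _is_ip(text: str) -> bool:
    """True for any IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_hosts(text: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (cleaned entries, problems); each problem is (line no, line, reason).

    The hosts resolver matches exact names, so wildcard entries and IP literals
    are dead weight; duplicate (address, name) pairs are collapsed."""
    seen = set()
    kept: List[str] = []
    problems: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        addr, *names = line.split()
        if not _is_ip(addr):
            problems.append((lineno, raw, "first field is not an IP address"))
            continue
        good = []
        for name in names:
            key = (addr, name.lower())
            if "*" in name or "?" in name:
                problems.append((lineno, raw, "wildcard: hosts files match exact names only, entry never applies"))
            elif _is_ip(name):
                problems.append((lineno, raw, "IP literal: connections to an address never consult hosts"))
            elif key in seen:
                problems.append((lineno, raw, "duplicate entry"))
            else:
                seen.add(key)
                good.append(name)
        if good:
            kept.append(" ".join([addr, *good]))
    return kept, problems


if __name__ == "__main__":
    entries, issues = lint_hosts(SAMPLE_HOSTS)
    for lineno, line, reason in issues:
        print("line %d: %s  (%s)" % (lineno, line, reason))
    print("\n".join(entries))
```

Feed it the contents of `%SystemRoot%\system32\drivers\etc\hosts` and write the returned entries back only after reviewing the problem list; as the post above notes, this only blunts the popups and does not remove the DLLs.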
So I downloaded VX2Finder(126).exe from here: http://simplythebest.net/info/spyware/look2me_spyware.html
and ran it. I deleted every file it found and the ones it couldn't delete were removed on reboot.
I then booted back into safe mode and ran regseeker (found here http://www.snapfiles.com/get/regseeker.html) and removed all entries it found
It hasn't been back since!
Since the last few days, whenever I access Symantec > Security Check > Virus Detection > Start I get a message "UNABLE TO RUN VIRUS DETECTION".
Under IE>Tools>Internet Option>Security Tab>Internet Zone>Custom Level> ActiveX Control Section under Download signed ActiveX controls have selected PROMPT.
Under Run ActiveX controls have selected ENABLE.
Under Download Script ActiveX controls marked safe for scripting have selected ENABLE.
Still I get the same message.
Similarly, when I search Google for "msg118.dll" I get the message: ERROR. Requested URL could not be retrieved.
While trying to retrieve the URL http://www.google.com/Search the following error was encountered: ACCESS DENIED.
Access control configuration prevents your request from being allowed this time.
Both NOD32 and Housecall.trendmicro report NO Virus.
When I run Spybot S&D 1.3 it reports Look2Me & Vx2BetterInternet. Although I choose "Fix Selected Problems" and it cleans, the same problems arise time and again.
Please help me out of this fix I am in.
Some malware has disturbed my settings.
Nariman
email : silloo@roltanet.com
1. I used my firewall to block internet access. (tried several times without this step and the little nasty kept cloning itself)
2. I ran HijackThis and deleted the requisite lines. (Careful not to delete anything you might need.)
3. I ran Adaware and found the nasty party. I noted its name and prior to having AdAware zap it, I went and checked it out in Explorer. I noted the file size, the "created" date and the "created by" info you get on a mouse-over. You'll notice it does not come up as Microsoft-built where everything else does. I sorted by file size and found another file with same size and mouse-over info. I deleted it and then let adaware zap the other one. Adaware said it couldn't and to do it on boot up.
4. I rebooted, immediately cut off internet access again and searched the System32 folder for the beastie or another clone. Nothing popped up.
5. I ran Adaware and HijackThis again and both came up clean.
What all this tells me is this: the DLLs are probably using the net to make the clones. If it doesn't have net access, it probably can't make the clones. So, things to consider: make sure your firewall is not giving "run DLL as an APP" access to the internet. Also, after this little scare, my Norton subscription expired. I spent the extra $5 and upgraded to Norton 2005 and ran it. It found four bugs that the older version overlooked. So, for $5 more a year, you still get the updates to the definitions but also get the new software. Something to think about.
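Both the `dir /A:H` post above and this one arrive at the same hunting technique: the dropped DLLs are clones, so they share a byte size and a creation date, and that pair stands out once you group everything in System32 by it. The following is an added example, not code from either post: it walks a directory, groups DLLs by (size, modification date) and returns the groups with more than one member. Because it has to run offline, it builds a constructed stand-in for System32 in a temp directory, with three same-size DLLs stamped three days in the past (the filenames reuse ones mentioned in the thread, the 320 KB size is the one reported above) beside unrelated files; point `find_clone_groups` at the real `%SystemRoot%\System32` on a suspect machine instead. The modification time is used because it is portable; on NTFS the creation time the poster sorted on is `os.stat(p).st_ctime` on Windows.

```python
"""Find same-size, same-date DLL clones in a directory.  Added example with a
constructed sample directory; not code from the original thread."""
import os
import tempfile
import time
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple


def find_clone_groups(root: str, suffix: str = ".dll",
                      min_group: int = 2) -> Dict[Tuple[int, str], List[str]]:
    """Group files ending in `suffix` under `root` by (byte size, YYYY-MM-DD of
    mtime) and return only groups with at least `min_group` members.  Files
    dropped by one installer on one day share both attributes."""
    groups: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, fn)
            st = os.stat(path)
            day = datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d")
            groups[(st.st_size, day)].append(path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_group}


def clone_basenames(root: str) -> List[List[str]]:
    """Convenience view: the basenames of each clone group, for reporting."""
    return [sorted(os.path.basename(p) for p in paths)
            for paths in find_clone_groups(root).values()]


def build_sample_system32() -> str:
    """Constructed stand-in for %SystemRoot%\\System32 (assumption of the
    example): three 320 KB DLLs written together three days ago, plus files
    of other sizes and a same-size .exe that the suffix filter must skip."""
    root = tempfile.mkdtemp(prefix="sys32_")
    infected_on = time.time() - 3 * 86400
    clone_blob = b"\x00" * (320 * 1024)
    for name in ("6no4svc.dll", "adm.dll", "6no4svc.cpy.dll"):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(clone_blob)
        os.utime(path, (infected_on, infected_on))   # same creation day for all clones
    for name, size in (("kernel32.dll", 1000), ("user32.dll", 2000),
                       ("notepad.exe", 320 * 1024)):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"\x00" * size)
    return root


if __name__ == "__main__":
    sample = build_sample_system32()
    for (size, day), paths in find_clone_groups(sample).items():
        print("%d bytes, modified %s:" % (size, day))
        for p in paths:
            print("   ", p)
```

Run this against System32 right after `dir /A:H` has shown you one suspicious hidden DLL: the group containing that file lists its siblings, which are exactly the ones the posts above say have to go in the same reboot or they regenerate each other.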
*Make sure your system restore is OFF
*Reboot in safe mode (NO networking)
*Delete the offending DLL files (they should delete immediately)
*Run VX2Finder to locate the reg key - copy key and close
*Run Regseeker - locate the key(s) - (be sure to check mark all the boxes) - delete them all.
*Run VX2Finder again - User agent $ should be gone now - if its not, click the button that removes it. Guardian key will be back (its a stubborn little mofo!!) - click that button to remove it.
*NOW that both keys are empty, click restore policy - it will make you reboot.
*You should now be CLEAN!!
Finally free!!! :D
Case solved. No problems now.
Whilst waiting for your response did some R&D. Took my HDD to my friends place and connected it with his computer. Searched for and deleted MSG118.DLL & MSGUARD.DLL. Brought the HDD home and connected to my computer. Ran Ad-Aware SE Personal, et al. No trace of spyware. Ran NAV2005. No virus found.
Searched for the two DLLs. No trace. No trace in the Registry of the four entries associated with the DLLs.
Can now search for msg118.dll in Google/Search Bar. Can also access Symantec on line Virus check.
Nariman
Anyhow, I found a tool that seems to have done the trick for me. You can download it here: http://www.softpedia.com/public/cat/10/17/10-17-178.shtml
Thanks for everyone's help and tips for removing it. I've officially codenamed it Cancer version 2.0.
Good luck!
-Adam
http://www.intermute.com/spysubtract/
They say they are a respectable company but they send you right back to look2me.com to be infected again.
From what I read here, Rackspace have known for months.
Anybody know if asking the internet provider to block all addresses owned by Rackspace might stop this thing?
OrgName: Rackspace.com
OrgID: RSPC
Address: 112 E. Pecan St.
Address: Suite 600
City: San Antonio
StateProv: TX
PostalCode: 78205
Country: US
NetRange: 69.20.0.0 - 69.20.127.255
CIDR: 69.20.0.0/17
NetName: RSPC-NET-4
NetHandle: NET-69-20-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.RACKSPACE.COM
NameServer: NS2.RACKSPACE.COM
Comment:
RegDate: 2003-01-24
Updated: 2004-04-28
Maybe contacting Rackspace's customer to complain ?
Some of them are listed here:
http://www.rackspace.com/aboutus/customerstories.php
We have to find legal but creative ways of making them stop distributing the look2me code.
If somebody has a new way of removing this thing, it seems that is a new version because nothing I tried worked so far.