41. by Guest. 2004-06-18 20:06:04
Nice little program/trojan they have going for them. From what I can see from Sygate's logs, it also tries to connect to www.look2me0.com (64.74.134.64), and when doing a traceroute from my Linux box it dead-ends at (you'll love this one) Newdotnet. Interesting, no doubt. The other little fact that I find interesting is that all of these addresses have the same MAC address (00-20-E0-04-45-C6). Just wanted to add that nugget of information to the pile.
42. by RobMM. 2004-07-12 06:07:12
I finally got rid of the nasty buggers and thought I would add my two cents, 3 days later and with a lot of nasty things to say about that company.
In the end, the 6*04svc.dll files are the key, as mentioned above. However, I had to clean up a lot before doing that final step. Use HijackThis to clean out the browser crap, search hijacks, toolbars etc.
I also used Spybot to clean.
Finally, I used a DOS command to find the hidden files.
1. In DOS, navigate to C:\Windows\System
2. Type "dir /A:H" and hit Enter
3. Look for suspicious hidden files, all of the same size. I found lots with a 320KB size: not only the 6* ones mentioned but also adm.dll and a few others.
After finding them, I went back to the OS search and deleted most from there (once I found the exact date I was infected, I did a complete sweep of the drive for that date and size).
I was able to delete all BUT two (the active 6* and adm.dll).
I got the ZoneAlarm trial and stopped winlogon.exe and rundll32.exe from connecting to the internet. ZoneAlarm prompted and I blocked it. CRITICAL STEP.
Once that was done I got the MoveOnBoot program to delete the two files above (ADM.dll and 6*.dll) that I could not delete since they were tied in too deep. A few reboots later (MoveOnBoot only does one at a time, plus a manual delete of adm.dll) and I was done.
Hope that helps anyone who gets into this problem.
I have been clear for 12 hours :) and very happy.
43. by RobMM. 2004-07-12 07:07:39
I forgot to mention: in the middle, once the hosts file (DRIVERS/ETC) is restored, make sure it's WRITE protected and add many of the offending sites into that file, so even if you have popups for a while, it will not try to connect.
127.0.0.1 registration.iwon.com
127.0.0.1 sa.windows.com
127.0.0.1 look2megg.com
127.0.0.1 www.look2megg.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.zestyfind.com
127.0.0.1 www.lowrateadvisors.com
127.0.0.1 66.102.131.19
127.0.0.1 webpdp.balance.gator.com
127.0.0.1 targetnet.com
127.0.0.1 *.targetnet.com
127.0.0.1 *.iwon.com
127.0.0.1 *.windows.com
127.0.0.1 *.look2megg.com
127.0.0.1 *.igetnet.com
127.0.0.1 *.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 *.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 *.qckads.com
127.0.0.1 *.zestyfind.com
127.0.0.1 *.lowrateadvisors.com
127.0.0.1 *.gator.com
127.0.0.1 *.targetnet.com
You might also want to add SpywareBlaster to the list of good software to use in the fight. It will import a long list of domains into your restricted list in IE. It's a good way to keep the unwanted extra visits down to a dull roar while you are repairing.
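The hosts-file step above is worth doing with a small helper rather than by hand, because the file only matches exact host names: a line such as `127.0.0.1 *.clrsch.com` is never consulted for `sds.clrsch.com`, and a line whose "name" is a bare IP (`127.0.0.1 66.102.131.19`) matches nothing either. The Python below is an added example, not code from this thread or from any of the tools it names. It takes a list of domains (a few from the post's own list, plus a duplicate in different case), drops the entries the hosts file cannot use, merges the rest into an existing hosts file between marker comments (the marker text is this example's own convention) so the merge is idempotent, mimics the resolver's exact-name lookup to show which names are actually pinned, and writes the result read-only as the post recommends. The starting hosts text is constructed; the real file on Windows is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import os
import re
import stat
from typing import Iterable, List, Optional, Tuple

# Marker comments are this example's own convention, not a hosts-file standard.
BLOCK_START = "# BEGIN blocked ad/spyware hosts"
BLOCK_END = "# END blocked ad/spyware hosts"

# One DNS label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# A few entries from the post above, plus the same name in different case to show dedup.
POSTED_ENTRIES = [
    "registration.iwon.com", "sa.windows.com", "look2megg.com", "www.look2megg.com",
    "clr-sch.com", "*.clrsch.com", "66.102.131.19", "LOOK2MEGG.COM",
]

# Constructed starting hosts file (not a real capture).
SAMPLE_HOSTS = "127.0.0.1 localhost\n"


def is_valid_hostname(name: str) -> bool:
    """True only for a name the hosts file can actually match.

    Lookup is by exact name, so a wildcard such as '*.clrsch.com' never matches,
    and a bare IPv4 literal cannot be a hostname at all.
    """
    if not name or len(name) > 253 or "*" in name:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def build_block(domains: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (hosts lines, rejected entries); duplicates fold case-insensitively."""
    seen = set()
    lines: List[str] = []
    rejected: List[str] = []
    for raw in domains:
        name = raw.strip().lower()
        if not is_valid_hostname(name):
            rejected.append(raw)
        elif name not in seen:
            seen.add(name)
            lines.append(f"127.0.0.1 {name}")
    return lines, rejected


def merge_block(existing: str, domains: Iterable[str]) -> str:
    """Insert or replace the marked block in existing hosts text; running it twice is a no-op."""
    lines, _ = build_block(domains)
    block = "\n".join([BLOCK_START, *lines, BLOCK_END])
    marked = re.compile(re.escape(BLOCK_START) + r".*?" + re.escape(BLOCK_END), re.S)
    if marked.search(existing):
        return marked.sub(lambda _m: block, existing, count=1)
    sep = "" if not existing or existing.endswith("\n") else "\n"
    return existing + sep + block + "\n"


def resolve(hosts_text: str, name: str) -> Optional[str]:
    """Mimic the resolver's exact-name hosts lookup: first matching line wins."""
    want = name.lower().rstrip(".")
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].split()  # strip comments, then 'ip name [name...]'
        if len(body) >= 2 and want in (n.lower() for n in body[1:]):
            return body[0]
    return None


def write_protected(path: str, text: str) -> None:
    """Write the file, then set it read-only (the write protection the post recommends)."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clear read-only so the rewrite succeeds
    with open(path, "w", newline="\n") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IREAD)  # on Windows this sets the read-only attribute


if __name__ == "__main__":
    merged = merge_block(SAMPLE_HOSTS, POSTED_ENTRIES)
    print(merged)
    print("rejected:", build_block(POSTED_ENTRIES)[1])
```

Run against the sample list, the wildcard and the bare IP come back in the rejected list rather than silently landing in the file, and `resolve()` confirms that `www.look2megg.com` is pinned while `sds.clrsch.com` is not, which is exactly the gap a wildcard line would have hidden. Re-running `merge_block()` on its own output returns it unchanged, so the helper can be re-applied after each cleanup pass without the block growing.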
44. by Guest. 2004-08-19 10:08:04
Well, I finally got rid of it after 2 days of no help from any of the Google suggestions. None of the reg entries or msg{xxx}.dll files were being found.
So I downloaded VX2Finder(126).exe from here: http://simplythebest.net/info/spyware/look2me_spyware.html
and ran it. I deleted every file it found, and the ones it couldn't delete were removed on reboot.
I then booted back into safe mode and ran RegSeeker (found here: http://www.snapfiles.com/get/regseeker.html) and removed all entries it found.
It hasn't been back since!
45. by Guest. 2004-09-25 08:09:14
Until a few days back I could avail of Symantec Security Check & Google/Search without any error messages.
Since the last few days, whenever I access Symantec > Security Check > Virus Detection > Start I get the message "UNABLE TO RUN VIRUS DETECTION".
Under IE > Tools > Internet Options > Security tab > Internet Zone > Custom Level > ActiveX Controls section, under "Download signed ActiveX controls" I have selected PROMPT.
Under "Run ActiveX controls" I have selected ENABLE.
Under "Download Script ActiveX controls marked safe for scripting" I have selected ENABLE.
Still I get the same message.
Similarly, in Google/Search for "msg118.dll" I get the message ERROR: Requested URL could not be retrieved.
While trying to retrieve the URL http://www.google.com/Search the following error was encountered: ACCESS DENIED.
Access control configuration prevents your request from being allowed this time.
Both NOD32 and Trend Micro's HouseCall report NO virus.
When I run Spybot S&D 1.3 it reports Look2Me & Vx2BetterInternet. Although I choose "Fix Selected Problems" and it cleans, the same problems arise time and again.
Please help me out of this FIX I AM IN.
Some malware has disturbed my settings.
Nariman
email : silloo@roltanet.com
46. by Guest. 2004-10-01 11:10:59
Much of the info above pointed to this and that utility that will help. I got the malware on my computer when I dropped my firewall on a trusted site to test something and forgot to raise it before I went searching later. Started getting the "Spotresults.com" hijack and other fun stuff immediately. Norton 2003 could not combat it and AdAware and Spy-Bot would remove it but it would continually clone itself. This is what worked for me and was alluded to above.
1. I used my firewall to block internet access. (tried several times without this step and the little nasty kept cloning itself)
2. I ran HijackThis and deleted the requisite lines. (Careful not to delete anything you might need.)
3. I ran Ad-Aware and found the nasty party. I noted its name and, prior to having Ad-Aware zap it, I went and checked it out in Explorer. I noted the file size, the "created" date and the "created by" info you get on a mouse-over. You'll notice it does not come up as Microsoft-built where everything else does. I sorted by file size and found another file with the same size and mouse-over info. I deleted it and then let Ad-Aware zap the other one. Ad-Aware said it couldn't and to do it on boot up.
4. I rebooted, immediately cut off internet access again and searched the System32 folder for the beastie or another clone. Nothing popped up.
5. I ran Ad-Aware and HijackThis again and both came up clean.
What all this tells me is this: the DLLs are probably using the net to make the clones. If it doesn't have net access, it probably can't make the clones. So, things to consider: make sure your firewall is not giving "run DLL as an APP" access to the internet. Also, after this little scare, my Norton subscription expired. I spent the extra $5 and upgraded to Norton 2005 and ran it. It found four bugs that the older version overlooked. So, for $5 more a year, you still get the updates to the definitions but also get the new software. Something to think about.
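Two posts in this thread (42 and 46) find the clones the same way: list the hidden files in the system directory, look for a cluster of identical byte sizes (320KB in post 42), and cross-check the "created" date against the day of infection. The Python below is an added example that automates that triage; it is not code from the thread or from HijackThis, Ad-Aware or VX2Finder, and the directory it scans in the demo is a constructed temporary folder with files named after DLLs mentioned in these posts, filled with zeros, not real malware. On Windows the hidden flag comes from the file attributes that `dir /A:H` filters on; on other systems the dot-prefix convention stands in for it. Creation time is taken from `st_birthtime` where the platform exposes it and otherwise from `st_ctime` (creation time on Windows, inode-change time on Linux, which is the closest available proxy there).

```python
import os
import stat
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Windows hidden attribute bit; the stat module defines the constant on every platform.
HIDDEN_FLAG = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)


@dataclass
class FileInfo:
    name: str
    size: int
    created: float  # epoch seconds, see creation_time()
    hidden: bool


def creation_time(st: os.stat_result) -> float:
    """Creation time where the platform exposes one (Windows st_ctime, BSD/macOS
    st_birthtime). On Linux st_ctime is the inode-change time, the closest proxy."""
    return getattr(st, "st_birthtime", st.st_ctime)


def is_hidden(name: str, st: os.stat_result) -> bool:
    """What `dir /A:H` lists on Windows; dot-prefixed names elsewhere."""
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & HIDDEN_FLAG)
    return name.startswith(".")


def scan_dir(directory: str, suffixes: Sequence[str] = (".dll",)) -> List[FileInfo]:
    """Collect size, creation time and hidden flag for matching files (no recursion)."""
    found: List[FileInfo] = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            if suffixes and not entry.name.lower().endswith(tuple(suffixes)):
                continue
            st = entry.stat(follow_symlinks=False)
            found.append(FileInfo(entry.name, st.st_size, creation_time(st), is_hidden(entry.name, st)))
    return found


def size_clusters(files: List[FileInfo], min_members: int = 2,
                  hidden_only: bool = False) -> Dict[int, List[str]]:
    """Group by exact byte size; the 'lots of files, all 320KB' tell is a cluster here."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for f in files:
        if hidden_only and not f.hidden:
            continue
        groups[f.size].append(f.name)
    return {size: sorted(names) for size, names in groups.items() if len(names) >= min_members}


def created_within(files: List[FileInfo], pivot: Optional[float] = None,
                   window_hours: float = 24) -> List[str]:
    """Names created within +/- window_hours of pivot (default: now)."""
    pivot = time.time() if pivot is None else pivot
    span = window_hours * 3600
    return sorted(f.name for f in files if abs(f.created - pivot) <= span)


def suspects(files: List[FileInfo], pivot: Optional[float] = None,
             window_hours: float = 24, min_members: int = 2) -> Dict[int, List[str]]:
    """Same-size cluster AND created near the infection date: both tells combined."""
    recent = set(created_within(files, pivot, window_hours))
    out: Dict[int, List[str]] = {}
    for size, names in size_clusters(files, min_members).items():
        hits = [n for n in names if n in recent]
        if len(hits) >= min_members:
            out[size] = hits
    return out


def make_sample_dir(root: Optional[str] = None) -> str:
    """Constructed sample, not real malware: three 320 KB files named after DLLs
    mentioned in the thread, plus two unrelated files. Returns the directory."""
    root = root or tempfile.mkdtemp(prefix="l2m_")
    sizes = {"adm.dll": 320 * 1024, "msg118.dll": 320 * 1024, "msguard.dll": 320 * 1024,
             "kernel32.dll": 900 * 1024, "notes.txt": 512}
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    d = make_sample_dir()
    files = scan_dir(d)
    print("size clusters:", size_clusters(files))
    print("suspects:", suspects(files, window_hours=1))
```

Against a real System32 you would call `scan_dir(r"C:\Windows\System32")` and pass the infection date (as epoch seconds) as `pivot`; identical size alone produces false positives in a directory that large, which is why `suspects()` only reports a cluster when at least `min_members` of its files also fall inside the date window. The names it returns are candidates to check in Explorer for the missing Microsoft version information the posts describe, not a verdict.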
47. by Guest. 2004-10-22 05:10:56
For me the problem was aotiveds.dll and aotiveds.cpy.dll ... I had Norton Internet Security 2005 (paid $50 - no help! FYI), SpywareBlaster, Spybot and Ad-Aware SE working on this problem, and while they did find and remove it, it was temporary. I tried a million ways to Sunday to delete them, but they always, ALWAYS returned (including using MoveOnBoot and Delete On Boot, registry locker, VX2Finder, and everything else you have already found and can think of). 14 angry hours later, here is what finally worked for me (please note that at this point I had aotiveds.cpy.dll already deleted - I believe MoveOnBoot managed to delete it at some point - but aotiveds.dll would not go away):
*Make sure your system restore is OFF
*Reboot in safe mode (NO networking)
*Delete the offending DLL files (they should delete immediately)
*Run VX2Finder to locate the reg key - copy key and close
*Run Regseeker - locate the key(s) - (be sure to check mark all the boxes) - delete them all.
*Run VX2Finder again - the User Agent $ should be gone now - if it's not, click the button that removes it. The Guardian key will be back (it's a stubborn little mofo!!) - click that button to remove it.
*NOW that both keys are empty, click restore policy - it will make you reboot.
*You should now be CLEAN!!
Finally free!!! :D
48. by nariman. 2004-10-23 03:10:30
Hello.
Case solved. No problems now.
Whilst waiting for your response I did some R&D. Took my HDD to my friend's place and connected it to his computer. Searched for and deleted MSG118.DLL & MSGUARD.DLL. Brought the HDD home and connected it to my computer. Ran Ad-Aware SE Personal, et al. No trace of spyware. Ran NAV2005. No virus found.
Searched for the two DLLs. No trace. No trace in the Registry of the four entries associated with the DLLs.
Can now search for msg118.dll in Google/Search Bar. Can also access Symantec on line Virus check.
Nariman
49. by Guest. 2004-11-15 22:11:47
Hey guys.. this is the most EVIL spyware/virus I've ever encountered. I'm contacting an attorney about the company responsible for this disease. This "software" is a serious and unacceptable invasion of privacy. Anyone care to go class action with this? ;) I'm actually a bit serious. email me (arcooke at gmail dot com).
Anyhow, I found a tool that seems to have done the trick for me. You can download it here: http://www.softpedia.com/public/cat/10/17/10-17-178.shtml
Thanks for everyone's help and tips for removing it. I've officially codenamed it Cancer version 2.0.
Good luck!
-Adam
50. by Guest. 2004-11-19 11:11:47
Tried several spyware removal programs (and days of frustration) but none would remove Look2Me. Finally I downloaded the free 30-day trial of SpySubtract by InterMute and that did the trick. Worked better than SpyBot, Ad-Aware, SpyHunter, etc. I did a search on InterMute to see if they were legit or just more spyware, and they were legit... do your own search for reassurance.
http://www.intermute.com/spysubtract/
51. by Guest. 2004-12-05 16:12:09
But I know that Rackspace is the company that owns the computer that sends this code.
They say they are a respectable company, but they send you right back to look2me.com to be infected again.
From what I read here, Rackspace has known for months.
Anybody know if asking the internet provider to block all addresses owned by Rackspace might stop this thing?
OrgName: Rackspace.com
OrgID: RSPC
Address: 112 E. Pecan St.
Address: Suite 600
City: San Antonio
StateProv: TX
PostalCode: 78205
Country: US
NetRange: 69.20.0.0 - 69.20.127.255
CIDR: 69.20.0.0/17
NetName: RSPC-NET-4
NetHandle: NET-69-20-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.RACKSPACE.COM
NameServer: NS2.RACKSPACE.COM
Comment:
RegDate: 2003-01-24
Updated: 2004-04-28
Maybe contacting Rackspace's customers to complain?
Some of them are listed here:
http://www.rackspace.com/aboutus/customerstories.php
We have to find legal but creative ways of making them stop distributing the look2me code.
If somebody has a new way of removing this thing, it seems that is a new version because nothing I tried worked so far.
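Before asking a provider to block an allocation, it is worth checking what that block would actually cover. The Python below is an added example, not part of this thread: it parses the ARIN-style record quoted in the post above (copied into the block, trimmed of the RegDate/Updated lines), confirms that the record's NetRange and CIDR lines agree, and then tests addresses against the resulting network. The addresses tested are the one Sygate logged in post 41 (64.74.134.64), the bare IP that appeared in the hosts list in post 43 (66.102.131.19), and 69.20.1.1, which is constructed here only to show what a hit looks like. The result is that neither address mentioned earlier in the thread falls inside 69.20.0.0/17, so a block on that allocation alone would not have touched them; the helper is written so any other range and address list can be dropped in.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# The ARIN record as quoted in the post above (copied for this example, trimmed).
WHOIS_TEXT = """\
OrgName: Rackspace.com
OrgID: RSPC
Address: 112 E. Pecan St.
Address: Suite 600
City: San Antonio
NetRange: 69.20.0.0 - 69.20.127.255
CIDR: 69.20.0.0/17
NetName: RSPC-NET-4
NetHandle: NET-69-20-0-0-1
NetType: Direct Allocation
NameServer: NS.RACKSPACE.COM
NameServer: NS2.RACKSPACE.COM
Comment:
"""

# Addresses mentioned earlier in the thread (posts 41 and 43); 69.20.1.1 is
# constructed here to show a positive match.
OBSERVED = ["64.74.134.64", "66.102.131.19", "69.20.1.1"]


def parse_whois(text: str) -> Dict[str, List[str]]:
    """'Key: value' lines into a dict; repeated keys (Address, NameServer) keep every value."""
    record: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()].append(value.strip())
    return dict(record)


def range_to_networks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Collapse an inclusive 'first - last' range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                  ipaddress.ip_address(last)))


def networks_from_record(record: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    first, last = (part.strip() for part in record["NetRange"][0].split("-"))
    return range_to_networks(first, last)


def record_is_consistent(record: Dict[str, List[str]]) -> bool:
    """The NetRange and CIDR lines of one record must describe the same address space."""
    stated = [ipaddress.ip_network(c.strip()) for c in record["CIDR"][0].split(",")]
    return networks_from_record(record) == stated


class Blocklist:
    """Named CIDR ranges; the first range containing an address wins."""

    def __init__(self, ranges: Dict[str, Iterable[ipaddress.IPv4Network]]):
        self.entries = [(name, net) for name, nets in ranges.items() for net in nets]

    def match(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, net in self.entries:
            if addr in net:
                return name
        return None

    def triage(self, ips: Iterable[str]) -> Dict[str, Optional[str]]:
        return {ip: self.match(ip) for ip in ips}


def triage_observed(whois_text: str = WHOIS_TEXT,
                    ips: Iterable[str] = OBSERVED) -> Dict[str, Optional[str]]:
    """Parse the record, refuse it if its own lines disagree, then test each address."""
    record = parse_whois(whois_text)
    if not record_is_consistent(record):
        raise ValueError("NetRange and CIDR disagree; do not trust this record")
    return Blocklist({record["NetName"][0]: networks_from_record(record)}).triage(ips)


if __name__ == "__main__":
    for ip, hit in triage_observed().items():
        print(f"{ip:>15}  ->  {hit or 'not in the quoted allocation'}")
```

`summarize_address_range()` is what makes the consistency check honest: a NetRange that is not CIDR-aligned (say, ending at .127.254) would collapse into several blocks instead of one, and the comparison against the record's CIDR line would fail rather than silently block too little or too much.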
52. by ewn. 2005-01-20 10:01:31
I tried everything on this forum, the 'spysubtract' seems to be the only solution that worked for me (XP), only time will tell. Thanks Rbrunner!