
Cannot get rid of Look2Me


Name: kikkachu
Date: December 25, 2003 at 12:12:50 Pacific
OS: Windows XP
CPU/Ram: 752
Comment:

I need help trying to get rid of this annoying spyware. I've tried EVERY spyware/adware remover, but no luck. Spybot S&D says it will run on my next boot, but it never does. I even tried the method posted earlier on how to remove this spyware, but to no avail. Every time I log back on, a new spyware appears such as Ezula or New.net. I even tried to get rid of the file using GiPO@MoveOnBoot to rid this file. No help either. My OS is XP w/Service Pack 1. Please help!! Thanks!
Here's my log file.

Logfile of HijackThis v1.97.7
Scan saved at 12:07:20 PM, on 12/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\KWorld\MpegTV Station USBTV\CheckSch.exe
C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3c813382-5598-43be-8195-5064f4481986} - C:\DOCUME~1\Jennifer\APPLIC~1\lstireahee.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF3BFA75-7671-466F-901F-002D3E6E61E0} - C:\WINDOWS\System32\kbdibm0m2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: MpegTV Station USBTV Timer.lnk = C:\Program Files\KWorld\MpegTV Station USBTV\CheckSch.exe
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {4CF5275B-CDBC-11D3-A8AF-0090279A5978} - http://www.sexxx-direct.com/BHO.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37957.8804050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab




Response Number 1
Name: sxshep
Date: December 25, 2003 at 13:36:04 Pacific
Reply:

Jennifer,

Let's give this a try.

Do you have newdotnet in your add/remove programs? If so uninstall from there, it's the first step in the process described here.
If not we'll do the following:

Download and run LSP Fix
Delete all entries > inetadpt.dll and only those. It will ask if you know what you're doing, OK.

Disconnect from the internet, disable system restore, and reboot into safe mode (tapping F8 on reboot).
Have HijackThis fix these:

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll (file missing)
O2 - BHO: (no name) - {3c813382-5598-43be-8195-5064f4481986} - C:\DOCUME~1\Jennifer\APPLIC~1\lstireahee.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {BF3BFA75-7671-466F-901F-002D3E6E61E0} - C:\WINDOWS\System32\kbdibm0m2.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

Probably won't be there, but..

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

And:

O16 - DPF: {4CF5275B-CDBC-11D3-A8AF-0090279A5978} - http://www.sexxx-direct.com/BHO.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Reboot
and post your new log

hth
shep


0

Response Number 2
Name: sxshep
Date: December 25, 2003 at 13:44:09 Pacific
Reply:

....and enable system restore it will create a new restore point ridding any creeps that were residing there.

shep


0

Response Number 3
Name: iceblue
Date: December 26, 2003 at 07:20:55 Pacific
Reply:

Yep, >>follow that advice through till the finish.

As well, to keep the malware from installing itself on your system; download and run

Spywareblaster

SpywareGuard

These keep your system free from infection and also protect Spybot, AdAware and antivirus programs from being disabled.


iceblue


0

Response Number 4
Name: kikkachu
Date: December 30, 2003 at 16:20:58 Pacific
Reply:

Hi Shep,

Thanks for your reply. Sorry I didn't answer sooner, I was on vacation.

I did everything you mentioned and I ran SpyBot again. I still can't get rid of this annoying Look2Me file:

msg{5EDC3ADF-87BD-4BF8-B1EC-68DFEC8FDC23}0115.dll

And now, VX2 starts appearing!! Although I can get rid of VX2 with spybot. But it appears as long as the Look2Me file is still in sight. *sigh*. I tried to delete from windows/system32 folder and tried to delete it through regedit. It stays there. Here's my new log:

Logfile of HijackThis v1.97.7
Scan saved at 4:19:24 PM, on 12/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\pgtools\tatss.exe
C:\Program Files\KWorld\MpegTV Station USBTV\CheckSch.exe
C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\omi-setup.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: McAfee.com SpamKiller.lnk = C:\Program Files\McAfee.com\SpamKiller\SpamKiller.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: MpegTV Station USBTV Timer.lnk = C:\Program Files\KWorld\MpegTV Station USBTV\CheckSch.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37957.8804050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab

Thanks for your help once again.


0

Response Number 5
Name: sxshep
Date: December 30, 2003 at 17:45:40 Pacific
Reply:

Jennifer,
Welcome back, nice vacation I hope.

Thought we had it.

Have you tried this site, at the bottom.

http://securityresponse.symantec.com/avcenter/venc/data/spyware.look2me.html

Also try Lavasoft Adaware if you haven't already.

Been poring over your log SLOW, line by line and don't see anything.

If you haven't run Adaware here are some setup tips:

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.
---------------------

Where did this info come from?

VX2 ?

msg{5EDC3ADF-87BD-4BF8-B1EC-68DFEC8FDC23}0115.dll ?

Happy New Year
Let me know what's up.

shep


0




Response Number 6
Name: sxshep
Date: December 30, 2003 at 18:22:29 Pacific
Reply:

Jennifer,

Try running this script exactly as outlined:

As for Look2Me, Spywareinfo Expert Mosaic1 has been working on this foistware, and has created a script to remove it:

Copy the text between the lines to Notepad. Name as Remove L2m.vbs
Save in C:\ as type 'all files'.
You want to remember the path to this file as C:\L2m.vbs
--------------------------


' Read the DLL path registered for the Look2Me CLSID (default value of InProcServer32)
Dim fso, WshShell, nasty
Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FilesystemObject")
On error resume next
nasty = WshShell.RegRead("HKCR\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}\InProcServer32\")

' Clear the file's attributes (read-only, hidden, system) so it can be deleted
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.GetFile(nasty)
f.attributes = 0

fso.DeleteFile(nasty)
Err.clear
Wscript.Sleep 100

On Error resume Next

' Remove the CLSID registration itself
WshShell.Run "reg delete HKCR\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} /f" ,vbhide

' Delete the saved taskbar and toolbar layout entries
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop\Taskbar"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop\Toolbars"
WshShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2\"

MsgBox "Done"

---------------------------

Once you have it saved, open Task Manager and click the Processes tab. Click Explorer.exe and then click the End Process button. This will close Explorer.exe. No desktop icons and no taskbar. Click the Applications tab. Click the New Task button. A box will appear. Type in the path to the script you created ( C:\L2m.vbs ) and then click OK.

Next, Click shutdown on the task manager toolbar. Scroll down and Restart your computer.

This should do it

Shep


0

Response Number 7
Name: iceblue
Date: December 30, 2003 at 19:02:04 Pacific
Reply:

nods, nice work shep....
iceblue


0

Response Number 8
Name: sxshep
Date: December 30, 2003 at 19:11:14 Pacific
Reply:

Might still be lookin' for you iceblue.

Glad to see you're still lurking this thread.

Hope that will do the trick.

For Jennifer's sake!, if not mine.

shep

P.S.

Keep in touch Jen.



0

Response Number 9
Name: iceblue
Date: December 30, 2003 at 19:51:06 Pacific
Reply:

yep, nods,
the good thing about Mo's scripts is...
they work! Specially written for look2me.
Started looking it up for another thread, and you beat me back here - good work.
PS I think this script will be in demand soon.
iceblue


0

Response Number 10
Name: sxshep
Date: December 30, 2003 at 19:59:10 Pacific
Reply:

Yup

Been there

shep


0

Response Number 11
Name: kikkachu
Date: December 31, 2003 at 00:19:35 Pacific
Reply:

Shep!! It worked!!

I ran AdAware before posting my messages, but it didn't help either. After I made the changes you suggested, it found the Look2Me file, but didn't delete it after rebooting.

Thanks a bunch! What helped was the script you gave me. It finally got rid of the Look2Me file msg{5EDC3ADF-87BD-4BF8-B1EC-68DFEC8FDC23}0115.dll. This Look2Me file was the one SpyBot always spotted but could never remove.

And thanks for the suggestion of downloading SpywareGuard iceblue :). I had Spywareblaster already, but it didn't block out that nasty Look2Me spyware :/. So I downloaded SpywareGuard, hopefully it'll double the protection.

Thank you both for your time and your patience :).

Jennifer


0

Response Number 12
Name: henkvhrood
Date: December 31, 2003 at 03:15:17 Pacific
Reply:

I had the same problem with Look2Me and VX2 and the vbs script worked for me as well.

And with that, I had another problem. My desktop didn't appear on every first Windows logon. After a Log off (Ctrl-Alt-Del > Log off...) everything appeared, but with every restart the problem came back. The removal of Look2Me has solved that problem as well.

So thank you very much for helping me out here, I was very close to formatting my HD... :)


0

Response Number 13
Name: iceblue
Date: December 31, 2003 at 03:49:55 Pacific
Reply:

Iceblue looks for a medal to pin on sxshep..
pops the hat on the ground for appreciative passers-by....
heh heh

(I know shep is too shy to step up and receive congrats)
so, Bloody Good Work, Shep !!
and *Thanks* Mosaic1, you're a champ!
[I know she's done a Win 98 & ME version as well.] Awesome!


0

Response Number 14
Name: p_adice
Date: January 2, 2004 at 21:03:34 Pacific
Reply:

Hi ... read your messages about removing "look2me" and most of the suggestions have worked except for the vbs script. My OS is Win98 SP2 and unfortunately the Task Manager does not give me the option to run a new task. Do you know of a way that I can run this script in Win98?

Thanks in advance! : )


0

Response Number 15
Name: Computer God
Date: January 6, 2004 at 00:42:30 Pacific
Reply:

Look2Me spyware will not show in Hijack This nor will it show in task manager.
It embeds itself in explorer (AKA in Windows itself!)

It is one of the nastiest pieces of crap there is....

Look2Me monitors the web sites you visit and sends the log to the vendor's server. Look2Me will also open pop-up windows like "Zesty b---tards R-us."

Look2Me is implemented as a shell extension which makes it tightly coupled with Explorer. If you try to remove Look2Me while Explorer is running, Look2Me will notice this and reinstall itself, which makes it hard to remove. The trick is to shut down Explorer before deleting the registry entries associated with spyware, reboot, and then delete the .dll file.

Files
msg{********-****-****-****-************}****.dll, where * represents a character.

Please follow the instructions below if you would like to remove Look2Me manually.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Start the Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
(*) In the list of running programs, select 'explorer.exe'. Press either the End Task or the End Process button, depending on the version of Windows on your system.
Repeat until (*) no 'explorer.exe' process is running. (Yes, the Start Menu, Task Bar, System tray should disappear.)
Select the registry editor.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ShellExtensions \ Approved \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}', if it exists.
Exit the registry editor.
Press CTRL+ALT+DEL. (A menu will open). Choose 'Shut Down' and restart your computer.
Delete all files matching:
%SystemDir%\msg{********-****-****-****-************}****.dll, where * represents a character.
Note: %SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Start Microsoft Internet Explorer.
In Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.

Good luck and please post your results


0
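The file mask and CLSID given in Response 15, turned into a read-only check that reports what is present and deletes nothing. This is an added example, not part of the original thread or of Mosaic1's script; the function names are made up here, and reading the key under HKLM\SOFTWARE\Classes is an assumption based on the paths quoted above.

```python
import os
import re
import sys
import tempfile

# Mask and CLSID exactly as quoted in the thread; each "*" stands for one character.
LOOK2ME_MASK = "msg{********-****-****-****-************}****.dll"
LOOK2ME_CLSID = "{DDFFA75A-E81D-4454-89FC-B9FD0631E726}"


def mask_to_regex(mask):
    """Build a regex from the mask: '*' is exactly one character, the rest is literal."""
    body = "".join("." if ch == "*" else re.escape(ch) for ch in mask)
    # Windows file names are case-insensitive, so MSG{...}.DLL must match too.
    return re.compile(body, re.IGNORECASE)


def find_candidates(directory, mask=LOOK2ME_MASK):
    """Names of regular files directly inside `directory` that fit the mask."""
    pattern = mask_to_regex(mask)
    hits = []
    for entry in os.scandir(directory):
        # fullmatch rejects near misses such as a trailing ".bak" or a short suffix.
        if entry.is_file(follow_symlinks=False) and pattern.fullmatch(entry.name):
            hits.append(entry.name)
    return sorted(hits, key=str.lower)


def registered_dll(clsid=LOOK2ME_CLSID):
    """Default value of the CLSID's InProcServer32 key (the path the posted
    script reads with RegRead). None when not on Windows or the key is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    path = r"SOFTWARE\Classes\CLSID" + "\\" + clsid + r"\InProcServer32"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            value, _value_type = winreg.QueryValueEx(key, "")
            return value
    except OSError:
        return None


def report(system_dir):
    """Collect both indicators without changing anything on the machine."""
    return {"files": find_candidates(system_dir),
            "registered_dll": registered_dll()}


if __name__ == "__main__":
    # Constructed sample directory standing in for %SystemDir%.
    with tempfile.TemporaryDirectory() as sample_dir:
        for name in ("msg{5EDC3ADF-87BD-4BF8-B1EC-68DFEC8FDC23}0115.dll",  # name from the thread
                     "msg{5EDC3ADF-87BD-4BF8-B1EC-68DFEC8FDC23}115.dll",   # constructed near miss
                     "msgsrv32.dll"):                                      # constructed, unrelated
            open(os.path.join(sample_dir, name), "w").close()
        print(report(sample_dir))
```

On a real machine, pass the system directory for that Windows version (listed in the note in Response 15) to `report()`.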

Response Number 16
Name: iceblue
Date: January 6, 2004 at 03:44:23 Pacific
Reply:

Thanx for that info.
I'll be filing that one away for reference.
Ice


0
