Look2Me Pop-up Infection Removal Guide
At this time, please DO NOT use the fix mentioned below as there seems to be a slight problem with the removal tool. If you have identified the Look2Me infection, then please start your own thread in the Spyware/Virus/Trojan Forum and an alternative fix will be used. This thread will be updated when more information is available. If you use the tool below, it is at your own risk!
This guide will show you how to identify and remove the Look2Me Spyware Infection.
This infection causes unwanted POPUPS. It is identified by the O20 Winlogon Notify key in HijackThis.
There will be a randomly named file located in the WINDOWS\system32 folder. The name of the Notify key may be a normal-looking name even though it does not belong there.
For example:
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\lv6q09j5e.dll
In the entry above, ShellScrap is the Notify Key and lv6q09j5e.dll is the randomly named file located in the WINDOWS\system32 folder. This indicates the Look2Me Infection.
More examples of entries in HijackThis that identify the infection:
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\hpj0231mg.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\e602lgdo160c.dll
O20 - Winlogon Notify: TESING - H:\WINDOWS\system32\p0r40a9qed.dll
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg117.dll
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\j4l4le3q1h.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\irr2l59o1.dll
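The check described above can be scripted for triage of a saved HijackThis log. This is an added example, not part of the original guide or of HijackThis: the "letters mixed with digits" test for a random-looking name is an assumed heuristic, and the sample log is constructed from entries shown on this page plus two constructed benign lines.

```python
import re
from pathlib import PureWindowsPath

# HijackThis prints these entries as:
#   O20 - Winlogon Notify: <key name> - <drive>:\...\<file>.dll
O20_RE = re.compile(
    r"^O20 - Winlogon Notify:\s*(?P<key>.+?)\s+-\s+(?P<path>[A-Za-z]:\\.+)$"
)

def parse_o20(line):
    """Return (key name, PureWindowsPath) for an O20 line, else None."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    return m.group("key"), PureWindowsPath(m.group("path"))

def in_system32(path):
    """True when the file sits directly in <drive>:\\WINDOWS\\system32."""
    parts = [p.lower() for p in path.parts]
    return len(parts) == 4 and parts[1:3] == ["windows", "system32"]

def looks_random(stem):
    """Assumed heuristic: the file name mixes letters and digits."""
    return bool(re.search(r"[a-z]", stem, re.I)) and bool(re.search(r"\d", stem))

def triage(log_text):
    """List (key name, file name) for O20 entries worth a closer look.

    The key name is reported but never used for the decision, because
    it can look like a normal Windows name.
    """
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_o20(line)
        if parsed is None:
            continue
        key, path = parsed
        if in_system32(path) and looks_random(path.stem):
            flagged.append((key, path.name))
    return flagged

# Constructed sample log: the first two lines are constructed benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\lv6q09j5e.dll
O20 - Winlogon Notify: TESING - H:\WINDOWS\system32\p0r40a9qed.dll
O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg117.dll
"""

if __name__ == "__main__":
    for key, dll in triage(SAMPLE_LOG):
        print(f"review: Notify key {key!r} loads {dll}")
```

A hit is a reason to post the log for review, not a verdict, since legitimate files can also carry digits in their names.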
======================================
The Fix
Please download Look2Me-Destroyer.exe to your desktop.
- Print out these instructions and close ALL windows before continuing.
- Double-click Look2Me-Destroyer.exe to run it.
- Put a check next to Run this program as a task.
- You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
- When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
- Once it's done scanning, click the Remove L2M button.
- You will receive a Done Scanning message, click OK.
- When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
- Your computer will then shut down.
- Turn your computer back on.
- You should now be clear of Look2Me.
If you receive a message from your Firewall about this program accessing the internet, please allow it.
If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
======================================
The Look2Me Infection should now be removed from your computer. If you are still having problems, please start your own thread in the Spyware/Virus/Trojan Forum and post a HijackThis log.
This discussion has been closed.