Envy Lawn Service 05-10-2004, 10:17 PM OK I have this spyware on my computer. My programs detect this junk and I use it to delete it. But this stuff I have now is new to me. It won't delete. In other words it re-installs every time I run a spyware finder and delete it.
I've gone as far as going into the registry and removing the registry keys. But they come right back!
The name I have for the spyware is 'Look2Me'
It is also known by other names as well. Anyone know how to get rid of this awful junk? It's sucking the life out of my computer and draining my system resources completely every time I get on the internet.
HEEEEEELLLLLLLP!!!!!!
CajunGrass 05-10-2004, 10:49 PM First thing you need to do is download Ad-Aware. There is a free version that you can use. After you download it and install it on your computer, run the program. It will detect and remove all of the spyware proggies it finds. If you still have one running after running Ad-Aware, you will have to restart your computer and boot into Safe Mode (hit the F8 key when your computer is booting; you may have to hit it a few times). Once in Safe Mode, rerun the spyware program and it will help.
Todd
GrassMaster 05-10-2004, 11:00 PM Try the top link first, at PC Hell:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=Look2Me
dblyellow 05-11-2004, 12:40 AM First, go to the c:\ drive in My Computer using Windows. Find the windows folder, then the start menu folder, then the programs folder, then the startup folder. Examine each item in this folder. These are the programs that run each time you start your computer. Each item can be deleted; they are simply shortcuts to executable programs. Removing all items simply means no programs will run automatically when you start your computer. Probably, what is happening is that a program runs at startup to reinstall everything you spent time to remove. Either delete all entries or the one you don't recognize. Reboot.exe is a common program to reinstall removed programs.
Now download and install Ad-Aware and Spybot. Before running these programs, use the update button provided by each program to update it. After the update completes, run both Ad-Aware and Spybot. Delete the identified files. Follow the first instructions again to make sure the program was not reinstalled to the startup folder.
Now is the time to fix the registry. Both Norton and McAfee have instructions on their web sites on how to do it. PRINT THE INSTRUCTIONS FIRST. You can find the right instructions by searching Norton or McAfee for the spyware that is on your computer. Cool search page is a common one. Simply search Norton for the name of the website of the first popup or the one your home page has been changed to.
Once your registry has been fixed, go to download.com and download the "Advent" web browser; it is free. It has a built-in popup blocker that allows you to choose from zero popups to only the ones you want. I have used it for 2 years and have never had a popup beat the blocker.
Now for the really bad news. Some spyware will load unwanted images on your computer and child porn is very common. If big brother searches your computer and finds child porn, you will have to prove you didn't get it by choice.
To see hidden images on your computer, you will have to download an "index.dat file viewer". There are many viewers and they are free. Simply search Yahoo for "index.dat" and most likely the first site result will be a viewer. Be prepared for what the viewer shows you because you will likely be very surprised.
Now for the end of the bad news. If you find unwanted images on your computer, you will not be able to remove them without being a computer programmer. However, there is a solution, but it will cost you between $29-$50. One of the most common of these programs is called "ghost surf" and can be bought at any Best Buy. This is not your only option. You will need to select a software program that cleans the "index.dat" file. You can also download a free 15 day copy at download.com, but after 15 days it will no longer work. Good luck. I hope this helped.
texas16 05-11-2004, 09:07 AM "hijack this" is a free program and works good too.
Envy Lawn Service 05-11-2004, 09:48 PM Todd,
I tried the Ad-Aware 6.0 and it doesn't even detect this. SpyBot does but is not successful at removing it, although you think it's gone until you check the registry.
GrassMaster,
The PC Hell fix didn't work either! I'm going to try it one more time though in safe mode and try to make sure I get out 100% of the msg entries.
Envy Lawn Service 05-11-2004, 09:58 PM dblyellow,
Checked your idea. But my startup is still empty. Maybe you are on to something though because maybe even though I have "view hidden files" enabled on my computer...maybe I still can't see some things.
Let me ask you all this now. 'WHERE' would something like this load 'FROM' on the system? If I could figure out where it originates from in the system, I think I could get it out.
Texas16,
I will try 'hijackthis' tomorrow night if I can. I like what I see there. A glimmer of hope maybe.....
dblyellow 05-11-2004, 11:49 PM
Ok, by what you're saying it seems your registry has been changed. Randomly deleting registry entries can result in an expensive pile of **** on your desk. Go to Start, Programs, Accessories, System Tools, System Information. Under Tools on the menu at the top, click System Configuration Utility. Under Startup you will find all hidden programs that start up when the computer is turned on. First click the cleanup button at the bottom to remove any old unused items from the registry. Now uncheck any checked items that do not say c:\windows\blahblah. Select OK and follow the restart prompt. Return here to find if any item returns to being checked. Do a search on the web to find instructions to remove the rechecked item from the registry using Run, regedit.
Once you have edited the registry correctly, delete all registry backups. Windows uses (depending on version) five files called rbxxx.cab to save registry backups. You find registry backups like this: My Computer, C drive, windows folder, sysbckup, then files rb000.cab, rb001.cab, etc., up to five backups. Delete all backups, then go to Start, Run and enter scanregw in the box. When prompted to back up the registry, say yes. This will result in a clean registry backed up, and all infected registry backups will be deleted by you when you empty the recycle bin. Make sure you fix the registry first, then use scanregw. From this point forward an infected registry backup won't be a problem unless you get infected again.
1) Find, fix and remove bad items using Run, regedit. Use caution.
2) Delete all registry backups before restarting the computer.
3) Create a clean backup for the registry using Run, scanregw. Good luck.
Envy Lawn Service 05-12-2004, 05:58 PM dblyellow,
OK so I checked the startup under msconfig. I looked at all the items a little harder this time. I found this one that looks like what I'm looking for since I looked at the second part of the entry. We'll see and I'll be back later...hopefully
;)
Taskbar Display Controls RunDLL desktop16.dll,QUICKRES_RUNDLLENTRY
quick restore?
Envy Lawn Service 05-12-2004, 09:16 PM dblyellow,
Last idea of mine didn't work either. I am going to run through your instructions now before trying the 'hijackthis'.
This is my start programs
ScanRegistry Registry (Machine Run) c:\windows\scanregw.exe /autorun
TaskMonitor Registry (Machine Run) c:\windows\taskmon.exe
SystemTray Registry (Machine Run) SysTray.Exe
LoadPowerProfile Registry (Machine Run) Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Keyboard Manager Registry (Machine Run) C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
hpsysdrv Registry (Machine Run) c:\windows\system\hpsysdrv.exe
USBMMKBD Registry (Machine Run) usbmmkbd.exe
VsecomrEXE Registry (Machine Run) C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
VsStatEXE Registry (Machine Run) C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
StillImageMonitor Registry (Machine Run) C:\WINDOWS\SYSTEM\STIMON.EXE
Vshwin32EXE Registry (Machine Run) C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
TkBellExe Registry (Machine Run) "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
LoadPowerProfile Registry (Machine Service) Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Vshwin32EXE Registry (Machine Service) C:\PROGRAM FILES\NETWOR
Envy Lawn Service 05-12-2004, 09:17 PM These are my running tasks
Kernel32.dll 4.10.2222 Microsoft Corporation Win32 Kernel core component C:\WINDOWS\SYSTEM\Kernel32.dll 4.3 Microsoft(R) Windows(R) Operating System
MSGSRV32.EXE 4.10.2222 Microsoft Corporation Windows 32-bit VxD Message Server C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.0 Microsoft(R) Windows(R) Operating System
Mprexe.exe 4.10.1998 Microsoft Corporation WIN32 Network Interface Service Process C:\WINDOWS\SYSTEM\Mprexe.exe 4.0 Microsoft(R) Windows(R) Operating System
Vshwin32.exe 4.0.3 Network Associates Inc. VShield C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\Vshwin32.exe 4.0 VShield
MMTASK.TSK 4.03.1998 Microsoft Corporation Multimedia background task support module C:\WINDOWS\SYSTEM\MMTASK.TSK 4.0 Microsoft Windows
Explorer.exe 4.72.3110.1 Microsoft Corporation Windows Explorer C:\WINDOWS\Explorer.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Vsstat.exe 4.0.3 Network Associates Inc VShield Statistics C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\Vsstat.exe 4.0 McAfee VirusScan
Rundll32.exe 4.10.1998 Microsoft Corporation Run a DLL as an App C:\WINDOWS\Rundll32.exe 4.0 Microsoft(R) Windows(R) Operating System
Taskmon.exe 4.10.1998 Microsoft Corporation Task Monitor C:\WINDOWS\Taskmon.exe 4.0 Microsoft(R) Windows(R) Operating System
Systray.exe 4.10.2222 Microsoft Corporation System Tray Applet C:\WINDOWS\SYSTEM\Systray.exe 4.0 Microsoft(R) Windows(R) Operating System
Mmkeybd.exe 3.1.1.4 Netropa Corp. One-touch Multimedia Keyboard C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\Mmkeybd.exe 4.0 One-touch Multimedia Keyboard
Hpsysdrv.exe 1, 7, 0, 0 Hewlett-Packard Company hpsysdrv C:\WINDOWS\SYSTEM\Hpsysdrv.exe 4.0 hpsysdrv
Usbmmkbd.exe 1.014 Hewlett-Packard Company HP USB Multimedia Keyboard/Hub C:\WINDOWS\SYSTEM\Usbmmkbd.exe 4.0 HP USB Multimedia Keyboard/Hub HID Client
Stimon.exe 4.10.2222 Microsoft Corporation Still Image Devices Monitor C:\WINDOWS\SYSTEM\Stimon.exe 4.0 Microsoft(R) Windows(R) Operating System
Realsched.exe 0.1.0.3018 RealNetworks, Inc. RealNetworks Scheduler C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\Realsched.exe 4.0 RealPlayer (32-bit)
Keybdmgr.exe 3.0.6.4 Netropa Corp. Keyboard Manager C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\Keybdmgr.exe 4.0 Keyboard Manager
Osd.exe 2.43 Netropa Corp. Onscreen Display C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\Osd.exe 3.1 OSD
Mmusbkb2.exe 1.1 Netropa Corporation USB Multimedia Keyboard Driver 2 C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\Mmusbkb2.exe 4.0 USB Multimedia Keyboard Driver 2
Wmiexe.exe 5.00.1755.1 Microsoft Corporation WMI service exe housing C:\WINDOWS\SYSTEM\Wmiexe.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Pstores.exe 5.00.1877.3 Microsoft Corporation Protected storage server C:\WINDOWS\SYSTEM\Pstores.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Realplay.exe 6.0.12.857 RealNetworks, Inc. RealPlayer C:\PROGRAM FILES\REAL\REALPLAYER\Realplay.exe 4.0 RealPlayer (32-bit)
Msinfo32.exe 4.10.2222 Microsoft Corporation MSInfo32 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\Msinfo32.exe 4.0 Microsoft System Information
Notepad.exe 4.10.1998 Microsoft Corporation Windows Notepad
Envy Lawn Service 05-12-2004, 09:38 PM STARTUP
ScanRegistry Registry (Machine Run) c:\windows\scanregw.exe /autorun
TaskMonitor Registry (Machine Run) c:\windows\taskmon.exe
hpsysdrv Registry (Machine Run) c:\windows\system\hpsysdrv.exe
StillImageMonitor Registry (Machine Run) C:\WINDOWS\SYSTEM\STIMON.EXE
RUNNING TASKS
Kernel32.dll 4.10.2222 Microsoft Corporation Win32 Kernel core component C:\WINDOWS\SYSTEM\Kernel32.dll 4.3 Microsoft(R) Windows(R) Operating System
MSGSRV32.EXE 4.10.2222 Microsoft Corporation Windows 32-bit VxD Message Server C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.0 Microsoft(R) Windows(R) Operating System
Mprexe.exe 4.10.1998 Microsoft Corporation WIN32 Network Interface Service Process C:\WINDOWS\SYSTEM\Mprexe.exe 4.0 Microsoft(R) Windows(R) Operating System
MMTASK.TSK 4.03.1998 Microsoft Corporation Multimedia background task support module C:\WINDOWS\SYSTEM\MMTASK.TSK 4.0 Microsoft Windows
Explorer.exe 4.72.3110.1 Microsoft Corporation Windows Explorer C:\WINDOWS\Explorer.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Rundll32.exe 4.10.1998 Microsoft Corporation Run a DLL as an App C:\WINDOWS\Rundll32.exe 4.0 Microsoft(R) Windows(R) Operating System
Taskmon.exe 4.10.1998 Microsoft Corporation Task Monitor C:\WINDOWS\Taskmon.exe 4.0 Microsoft(R) Windows(R) Operating System
Hpsysdrv.exe 1, 7, 0, 0 Hewlett-Packard Company hpsysdrv C:\WINDOWS\SYSTEM\Hpsysdrv.exe 4.0 hpsysdrv
Stimon.exe 4.10.2222 Microsoft Corporation Still Image Devices Monitor C:\WINDOWS\SYSTEM\Stimon.exe 4.0 Microsoft(R) Windows(R) Operating System
Msinfo32.exe 4.10.2222 Microsoft Corporation MSInfo32 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\Msinfo32.exe 4.0 Microsoft System Information
Notepad.exe 4.10.1998 Microsoft Corporation Windows Notepad application file C:\WINDOWS\Notepad.exe 4.0 Microsoft(R) Windows(R) Operating System
Mine doesn't have a 'CLEAN' button to clear out all the old stuff.
Envy Lawn Service 05-12-2004, 10:28 PM dblyellow,
I am going to run through your instructions now before trying the 'hijackthis'.
Ran through all that stuff. No dice!!!...... hijackthis tomorrow night?
After that I think I give up.
I do have some questions though. Do you see anything suspicious running?
Also many removal instructions say "press Ctrl+Alt+Del then find explorer.exe and end task." Well, it's running but it's not showing in the window to end task. How do I shut it off then?
J&F Lawn Care 05-14-2004, 07:54 AM Hijack this will find some good stuff also, so be careful what you delete. It is an awesome program though.
dblyellow 05-16-2004, 12:59 AM
I did some checking and I think you are still infected with the Look2Me spyware. I need to see the entire registry to know for sure, but that is sort of difficult. To see what I mean, go to Start, Run, and enter regedit. Under My Computer all files need to be open, but I am not sure you can edit, copy and paste it from your machine, so I will just give you this to try. The download is free but only lasts a few days, then it has to be uninstalled because it will no longer work. But this spyware remover goes after the oddball spyware others don't get and remove. So give this one a try; maybe it will work.
http://www.onlinepcfix.com/spyware/spyware.htm?OVRAW=Look2Me&OVKEY=look2me&OVMTC=standard
good luck.
Queue 06-02-2004, 12:19 PM I am a new member here and this question may be answered but here is my $0.02 worth!
Your spyware may be reloading from the "Run" key in your registry. Run a search for either the "Run" Key or "Look2Me".
Below are some detailed instructions for removal of Look2me.
Follow these removal instructions to remove Look2Me from your computer:
Click Start > Run, type 'regedit' and press OK to open Registry Editor.
Open Task Manager (press CTRL+ALT+DEL), select 'explorer.exe' in the process list and terminate it. Repeat this step until you kill all the running instances of 'explorer.exe'. The Start Menu, Task Bar and System tray should disappear then.
Press ALT + Tab and select Registry Editor.
Find and delete the following keys:
HKEY_LOCAL_MACHINE \SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ShellExtensions \ Approved \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}
Reboot the computer (press CTRL+ALT+DEL).
Open the System directory (by default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP)), and delete all the files listed below or files that look similar:
Click Start > Settings > Control Panel and double-click the Internet Options icon. Select the Programs tab and click the Reset Web Settings button.
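Added example, not part of Queue's post or of any tool named in the thread: a Python triage script for a regedit export that lists approved shell extensions whose in-process server DLL is named in the msg{GUID}NNNN.dll shape the instructions give for the files to delete. It assumes the spyware's CLSID has an InprocServer32 value pointing at such a DLL, which the thread does not state; the function names and the sample export are constructed for illustration.

```python
import re

# File-name shape given in the removal instructions: msg{GUID}NNNN.dll
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
MSG_DLL = re.compile(r"msg" + GUID + r"\d{4}\.dll", re.I)

def looks_like_msg_dll(path):
    """True if the file name (any directory, any case) is msg{GUID}NNNN.dll."""
    return MSG_DLL.fullmatch(path.replace("/", "\\").rsplit("\\", 1)[-1]) is not None

def parse_reg(text):
    """Parse regedit export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # '@' is the key's default value; strings are quoted, backslashes doubled
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def flagged_shell_extensions(reg_text):
    """Return (clsid, dll) for approved shell extensions served by a msg{...} DLL."""
    keys = parse_reg(reg_text)
    servers = {}  # clsid -> DLL; assumption (not in the thread): InprocServer32 names it
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) >= 3 and parts[-1] == "inprocserver32" and parts[-3] == "clsid":
            servers[parts[-2]] = values.get("@", "")
    hits = []
    for path, values in keys.items():
        # Accept "Shell Extensions\Approved" and the post's "ShellExtensions\Approved"
        if path.replace(" ", "").endswith("\\shellextensions\\approved"):
            for name in values:
                dll = servers.get(name.lower(), "")
                if looks_like_msg_dll(dll):
                    hits.append((name.lower(), dll))
    return hits

# Constructed sample export; every GUID and path below is made up.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00000000-1111-2222-3333-444444444444}"="Constructed benign extension"
"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"=""

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\SHELL32.DLL"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\msg{11111111-2222-3333-4444-555555555555}0110.dll"
"""
```

Shell extensions load inside explorer.exe rather than from the Run key, so they do not appear in the msconfig Startup list posted earlier in the thread.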