Look2Me
Overview
Look2Me monitors the web sites you visit and sends the log
to the vendor's server. Look2Me will also open pop-up windows.
Look2Me is implemented as a shell extension, which makes
it tightly coupled with Explorer. If you try to remove Look2Me
while Explorer is running, Look2Me will notice this
and reinstall itself, which makes it hard to remove. The trick is to shut down
Explorer before deleting the registry entries associated with
the spyware, reboot, and then delete the .dll file. It is also possible to remove Look2Me
by booting from a startup disk and deleting the .dll file.
From the developer:
Look2Me Advertising and Information Network is not a separate application, but is
rather attached to customized applications that Look2Me and our partners distribute.
Look2Me's portfolio of advertisers help keep the leading software applications and
services free.
Source
From the developer:
Look2Me offers merchants an unparalleled opportunity for visibility on the Internet.
Look2Me can help you drive your sales with our millions of monthly active visitors from our
various applications, Web properties and opt-in email lists.
Look2Me provides targeted promotions and advertisements for dozens of leading
corporations, driving extraordinary ROI and click-thru-rates. Look2Me can deliver your
message to millions of monthly visitors through our Advertising and Information Network.
We will effectively display your message and target consumers for less than 1 cent per
advertisement impression!
Source
I have spotted many variants of Look2Me, where the first is
Look2Me.msgstar, which is bundled with the SpyBan Trojan,
which does not mention Look2Me in the End User License Agreement (EULA), or more accurately, SpyBan
does not have a EULA.
This variant is identified by its long .dll name. I have
not been able to find a EULA for Look2Me.msgstar.
The second variant is Look2Me.msg116, identified by the
msg116.dll file. This variant has a EULA, and
it is not pleasant reading: "I UNDERSTAND AND AGREE THE SOFTWARE PRODUCT WILL MODIFY,
REMOVE, AND ADD ENTRIES TO MY COMPUTER OPERATING SYSTEM, NETWORK PARAMETERS, AND OTHER
INSTALLED FILES THAT WILL CHANGE THE PRIOR DEFAULT SETTINGS, AND/OR INSTALL SOFTWARE FROM
THIRD PARTIES WITHOUT USER INTERVENTION, AND/OR TO INSTALL SOFTWARE TO DISPLAY ELECTRONIC
ADVERTISEMENTS AND THIRD PARTY WEB PAGES OF EVERY KIND AND NATURE AND/OR MONITOR MY ACTIONS
AND REPORT THEM TO THE COMPANY AND/OR UNDISCLOSED THIRD PARTIES, WITHOUT USER INTERVENTION."
Source
The third variant is Look2Me.msg117, identified by the
msg117.dll file. The EULA is the same as for Look2Me.msg116.
The fourth variant is Look2Me.msg118, identified by the
msg118.dll file. The EULA is the same as for Look2Me.msg116.
I have not had the opportunity to review the EULA for the
remaining variants: Look2Me.msg119, Look2Me.msg120, Look2Me.msg121 and Look2Me.msg122.
Look2Me's signs of infection include pop-up windows, the
msg-ish DLLs in %SystemDir%, ICMP messages coming from
www.look2me.com, and your firewall warning about connections to www.look2me.com.
As described in my summary about shell extensions,
Look2Me runs inside Windows Explorer and does not appear in the Task Manager,
in either the Application list or the Process list.
Look2Me might also connect to the Internet without your firewall warning you about it. I hate to
admit it, but Look2Me uses a clever approach to operate undetected, and once detected it will
be hard to remove. Alas, I think we will see more of this coming.
Classification
Spyware
Files
msg116.dll, msg117.dll, msg118.dll, msg119.dll, msg120.dll, msg121.dll, msg122.dll, upd116.exe, upd117.exe, upd118.exe, msg121.cpy.dll, msg{********-****-****-****-************}****.dll, where * represents a character.
Vendor
look2me.com whois
NicTech Networks, Inc whois
End User License Agreement
Look2Me.msg116
Look2Me.msg117
Detection
Bazooka Adware and Spyware Scanner detects Look2Me.
Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and
other potentially unwanted applications.
Uninstall Procedure
I have contacted the vendor (info@look2me.com) asking
them for uninstall instructions. I got the following reply:
---
Hello,
The UnInstaller for the Look2Me application can be found at:
http://www.look2me.com/app/UnInstaller.php
http://www.look2me.com/app/UnInstall.php
http://www.look2me.com/cgi-bin/UnInstaller
Thank you for using our application.
Regards,
Look2Me
---
To download the uninstaller, you have to accept an End User License Agreement for the uninstaller and give
Look2Me your email address; they will then send the uninstaller as an email attachment along with a license key. I recommend
that you set up a temporary email account at one of the free email providers such as
Yahoo or Hotmail, to avoid giving out your real email address. I have
mirrored this EULA here. To run the uninstaller
you will need network access, allowing the uninstaller to register the uninstall serial key
at the look2me server, so the serial key can only be used once. The Look2Me uninstaller
left the .dll files behind, which you can delete manually after rebooting your machine.
I have asked the vendor how they recommend I uninstall Look2Me
when a computer does not have network access. So far, no reply.
Manual removal
Please follow the instructions below if you would like to remove Look2Me manually. Please
notice that you must follow the instructions very carefully and delete everything that is mentioned. In most
cases the removal will fail if one single item is not deleted. If Look2Me remains on your system
after stepping through the removal instructions, please double-check by stepping through them again.
On Windows 95/98/ME/XP, you
can delete Look2Me by rebooting from an MS-DOS startup disk. Please follow the instructions below:
- Create a Windows startup disk.
- Close all running programs, insert the startup disk, and reboot your computer. During startup you will
be asked if you want to start up with CD-ROM support; choose without. After a while the computer will
display the command prompt, saying "A:\".
- Type the following commands:
  - c: (hit enter - the prompt should change to "c:\")
  - cd windows (hit enter - the prompt should change to "c:\windows\")
  - (if you are running Windows 95/98/ME) cd system (hit enter - the prompt should change to "c:\windows\system\")
  - (if you are running Windows XP) cd system32 (hit enter - the prompt should change to "c:\windows\system32\")
  - del msg{*.dll
  - del msg116.dll
  - del msg117.dll
  - del msg118.dll
  - del msg119.dll
  - del msg120.dll
  - del msg121.dll
  - del msg122.dll
- Take out the startup disk and reboot your computer in normal mode.
- Start the registry editor. This is done by clicking Start then Run.
(The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
- Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}', if it exists.
- Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ ShellExtensions \ Approved \ {DDFFA75A-E81D-4454-89FC-B9FD0631E726}', if it exists.
- Start Microsoft Internet Explorer.
- In Internet Explorer, click Tools -> Internet Options.
- Click the Programs tab -> Reset Web Settings.
If the uninstall procedures above do not work, you can also try to
rename the .dll file, restart your computer, and then delete the renamed file.
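To confirm before and after removal whether the indicators listed on this page are present, the following added example (not part of the original write-up and not the Bazooka scanner's code) checks a directory for the file names in the Files list and checks for the CLSID key named in the removal steps. The function names are hypothetical, "*" in the long file name is treated as any single character as the page describes, and a name match is an indicator to investigate rather than proof.

```python
import os
import re

try:
    import winreg  # standard library, available on Windows only
except ImportError:
    winreg = None

# Names from the "Files" list on this page.
FIXED_NAMES = {f"msg{n}.dll" for n in range(116, 123)} | {
    "upd116.exe", "upd117.exe", "upd118.exe", "msg121.cpy.dll"}

# msg{********-****-****-****-************}****.dll, "*" = any one character.
LONG_NAME = re.compile(r"msg\{.{8}-.{4}-.{4}-.{4}-.{12}\}.{4}\.dll", re.IGNORECASE)

# CLSID key from the manual removal steps, relative to HKEY_LOCAL_MACHINE.
CLSID_KEY = r"SOFTWARE\Classes\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}"


def is_look2me_name(name):
    """True if a bare file name matches one of the listed Look2Me names."""
    return name.lower() in FIXED_NAMES or LONG_NAME.fullmatch(name) is not None


def scan_dir(path):
    """Return the sorted names of regular files in `path` that match."""
    return sorted(e.name for e in os.scandir(path)
                  if e.is_file() and is_look2me_name(e.name))


def clsid_registered():
    """True/False on Windows; None where the registry is unavailable."""
    if winreg is None:
        return None
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLSID_KEY))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Assumption: the system directory is %SystemRoot%\System32.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(system_dir):
        print("matching files:", scan_dir(system_dir))
    print("CLSID key present:", clsid_registered())
```

An empty file list together with a missing CLSID key after the final reboot is what a completed removal should look like.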
Contact information for Look2Me's vendor
In order to provide correct, accurate and updated information about Look2Me
I encourage the vendor to contact me if any part of this write-up
needs a revision.