lilith.tec-man.com [home]

There is a much easier way to do this than what is listed below.
Go here

Magic Happy Fun Time With Look2Me

Yet More Look2Me Removal Instructions

Look2Me is coming.  Sucks to be you

Introduction

Look2me is a malware package that causes ads to be spontaneously opened in browser windows. The nasty thing about this adware is that it seems to come out of nowhere.

Normally cleaning out the registry in all of The Usual Places and killing off everything that looks questionable is enough to get rid of nasty software. With Look2Me, however, Firefox or Internet Explorer will keep opening ad windows after it seems that everything is gone.

How it works

Look2me installs a bunch of DLLs in system32 and tries to execute them from various locations. Most of the locations it executes from aren't a problem: Ad-aware, Spybot, etc. can remove them. However, there are two locations that are a problem. Look2Me runs from (among other places):

The big, important place to prevent the damn thing from running from is winlogon.exe. This is a problem because:

How I got rid of look2me

  1. Make sure you have a copy of the RIP disk on hand.
  2. Get, install and update Ad-aware.
  3. In file explorer go to WINNT/system32 or WINDOWS/system32.
  4. Sort by date. The .dlls that Look2Me installed will be recent.
  5. Start Regedit and go to HKLM/Software/Microsoft/Windows NT/CurrentVersion/Winlogon
  6. Find the subkey that Look2Me runs from. This took me a while as it *looked* reasonable and not like the normal x7ffEeAr line-noise-like stuff.
  7. Write down the name of the key.
  8. Boot off the RIP disk.
  9. Mount your Windows partition (probably mount /dev/hda1 /mnt/hd).
  10. Load chntpw in editor mode on the SOFTWARE registry hive with chntpw -e /mnt/hd/WINNT/system32/config/SOFTWARE.
  11. Go to the key you recorded earlier and get rid of it.
  12. Reboot.
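Steps 3 to 7 above are the part that takes judgement: the subkey name looks reasonable, so the thing that gives it away is that the DLL it points at was dropped into system32 recently. The script below is an added example, not part of the original page, that automates that cross-reference. It parses a Regedit text export of the Winlogon key, collects every subkey that carries a DllName value, and reports the ones whose DLL was modified within the last 30 days. Assumptions: the subkeys live under Winlogon\Notify (the page only says "a subkey of Winlogon"), the value name is DllName, and the export, the directory listing, the date and the DLL names (wsysmgr.dll, x7ffeear.dll) are all constructed for the example. It uses only the Python standard library.

```python
"""Cross-reference Winlogon subkeys with recently modified DLLs in system32.

Added example (not from the original page): automates the manual steps of
sorting system32 by date and reading the Winlogon key in Regedit, so that a
plausible-looking subkey name does not slip past. Input is a Regedit text
export of the Winlogon key plus (filename, mtime) pairs as a directory
listing would give them.
"""
import re
from datetime import datetime, timedelta

# Key path prefix under which Winlogon's subkeys live (trailing backslash so
# the Winlogon key itself is not treated as one of its own subkeys).
WINLOGON_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
)

# Constructed Regedit export. 'Notify' as the parent and the subkey and DLL
# names are assumptions made for this example; wsysmgr.dll is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wsysmgr]
"DLLName"="wsysmgr.dll"
"""

# Constructed system32 listing: (filename, last-modified time).
NOW = datetime(2005, 11, 20, 9, 0)  # constructed "today" for the example
SAMPLE_LISTING = [
    ("crypt32.dll", datetime(2004, 8, 4)),              # from the OS install
    ("cscdll.dll", datetime(2004, 8, 4)),
    ("kernel32.dll", datetime(2004, 8, 4)),
    ("wsysmgr.dll", datetime(2005, 11, 18, 22, 13)),    # appeared two days ago
    ("x7ffeear.dll", datetime(2005, 11, 18, 22, 13)),   # line-noise name, same minute
]

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "name"="value" lines; backslashes and quotes inside the value are escaped.
STR_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for REG_SZ values in a .reg export.

    dword:, hex: and hex(2): values are ignored, so a DllName stored as
    REG_EXPAND_SZ (exported as hex(2):) would need decoding that this skips.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = STR_VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = value
    return keys


def winlogon_dll_refs(keys):
    """Return [(subkey, dll_basename)] for Winlogon subkeys with a DllName value."""
    refs = []
    for path, values in keys.items():
        if not path.lower().startswith(WINLOGON_PREFIX.lower()):
            continue
        for name, value in values.items():
            if name.lower() == "dllname":
                refs.append((path[len(WINLOGON_PREFIX):], value.split("\\")[-1].lower()))
    return refs


def recent_dlls(listing, now, max_age_days=30):
    """Return {dll_basename: mtime} for DLLs modified within max_age_days of now."""
    cutoff = now - timedelta(days=max_age_days)
    return {name.lower(): mtime for name, mtime in listing
            if name.lower().endswith(".dll") and mtime >= cutoff}


def suspicious_winlogon_subkeys(reg_text, listing, now, max_age_days=30):
    """Winlogon subkeys whose DLL is a recent arrival: [(subkey, dll, mtime)]."""
    recent = recent_dlls(listing, now, max_age_days)
    refs = winlogon_dll_refs(parse_reg_export(reg_text))
    return sorted((subkey, dll, recent[dll]) for subkey, dll in refs if dll in recent)


if __name__ == "__main__":
    for subkey, dll, mtime in suspicious_winlogon_subkeys(SAMPLE_REG_EXPORT, SAMPLE_LISTING, NOW):
        print(f"Winlogon\\{subkey} -> {dll} (modified {mtime:%Y-%m-%d %H:%M})")
    # Recent DLLs not wired into Winlogon still belong on the list for Ad-aware.
    referenced = {dll for _, dll in winlogon_dll_refs(parse_reg_export(SAMPLE_REG_EXPORT))}
    for dll, mtime in sorted(recent_dlls(SAMPLE_LISTING, NOW).items()):
        if dll not in referenced:
            print(f"recent but not in Winlogon: {dll} (modified {mtime:%Y-%m-%d %H:%M})")
```

On a real machine, export the Winlogon key from Regedit (or copy the hive out from the RIP disk and export it there), build the listing from the system32 directory's modification times, and hand both to suspicious_winlogon_subkeys. The name reported is the one to write down in step 7 and delete with chntpw.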

Once you are back in Windows Look2Me will still load as an explorer.exe extension. The important thing is that it is not running through winlogon.exe. Let's continue...

  1. Start Ad-aware.
  2. Get a cmd.exe window going.
  3. Hit ctrl+alt+delete and get the task manager going.
  4. Kill explorer.exe.
  5. Kill rundll32.exe (if it is running).
  6. Kill anything and everything that will not make the system crash. No, don't kill Ad-aware or cmd.exe.
  7. At this point Look2Me should not be in memory. Start an Ad-aware scan.

With any luck you will now be free of this beast. Good luck.
