Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Another Trojan.W32.looksky Victim

Started by Jay Poz , Aug 23 2007 10:06 AM

  • Please log in to reply

#1
Jay Poz
Posted 23 August 2007 - 10:06 AM

Jay Poz

    New Member

  • Member
  • Pip
  • 1 posts
I'm another recent victim of the Trojan.W32.looksky attack (the annoying popup kept showing saying I had Trojan.W32.looksky and also it tried to take me to alot supposedly virus/attack protection sites where they wanted me to download more stuff).

Before I knew about this site, I updated My Norton Antivirus and ran a full system scan. It found and corrected a few things:
- Quarantined Trojan.Adclicker
- Automatically deleted two files (wmpenv.dll & wmpconf.dll) that it said were part of the Downloader.MisleadApp

So it appeared that the problem was fixed but then two other symptoms showed which made me suspicious that everything wasn't fixed. First, whenever I opened up Internet Explorer it was redirecting me to a protection page; Second, the desktop background was the evil/devilish page that the virus originally had. I tried to change it and it wouldn't let me.

So I went to this site and found the instructions that said "How to remove trojan.w32.looksky" at http://www.geekstogo...ns-t165752.html. I followed everything it said to do (run the "Search" and then run the "Fix" in Safe Mode). But I still appear to have problems.

When I startup the machine and log in, I get the following two problems:
1. Internet Explorer Error (when trying to load my active desktop) saying "Cannot find 'file:///C:/WINDOWS/privacy_danger/index.htm'. Make sure the path or Internet Address is correct
2. The background on the desktop is WHITE. When I try to right-click to bring up properties to change it, nothing happens.
3. If I try to change my HOME PAGE in IE, I get the error in #1 above.

So I'm going to post the logs generated each time I ran SmitFraudFix:

RAN IT WITH CLEAN OPTION
****************************************************************
SmitFraudFix v2.215

Scan done at 9:54:19.85, Thu 08/23/2007
Run from E:\Removers\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Dell Photo AIO Printer 964\dlcjmon.exe
C:\Program Files\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\main_uninstaller.exe FOUND !
C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Carlos Abad


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Carlos Abad\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CARLOS~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
DNS Server Search Order: 167.206.245.76
DNS Server Search Order: 167.206.245.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B12D5AE-969C-4432-9787-B7C886CEFA4E}: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B12D5AE-969C-4432-9787-B7C886CEFA4E}: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5B12D5AE-969C-4432-9787-B7C886CEFA4E}: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.76 167.206.245.12


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


RAN IT IN SAFE MODE WITH FIX OPTION
****************************************************************

SmitFraudFix v2.215

Scan done at 10:02:19.65, Thu 08/23/2007
Run from C:\tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\main_uninstaller.exe Deleted
C:\WINDOWS\privacy_danger\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
DNS Server Search Order: 167.206.245.76
DNS Server Search Order: 167.206.245.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B12D5AE-969C-4432-9787-B7C886CEFA4E}: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B12D5AE-969C-4432-9787-B7C886CEFA4E}: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5B12D5AE-969C-4432-9787-B7C886CEFA4E}: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.76 167.206.245.12
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.76 167.206.245.12


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

Advertisements

#2
Noviciate
Posted 23 August 2007 - 04:23 PM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
1) Download a copy of HJTInstall.exe from here and save it to your Desktop
  • Double click HJTInstall.exe to begin installation.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to chose somewhere else and then click Install
  • Once HJT has installed, a shortcut will be created on your Desktop and HJT will run automatically.
  • You will need to accept the EULA, if it appears, to be able to use the tool.
  • When HJT opens, click on the Do a system scan and save a log file button.
  • When HJT has finished scanning, a window entitled "hijackthis.log" will open - when you close this window the log will be saved into the hijackthis folder.
  • Copy and paste this into your next reply.
2) Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
Go to Start > Run, copy and paste the following into the text box and click OK:

3) regedit /e "%userprofile%\desktop\regfind.txt" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

This will create a text file called regfind.txt on your Desktop - copy and paste this into your next reply.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP