
Trojan.W32.LookSky

Discussion in 'Virus & Other Malware Removal' started by programm, Jul 18, 2007.

Thread Status:
Not open for further replies.
  1. programm

    programm Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    3
    I have Kaspersky Antivirus but it couldn't detect the trojan with the title up there. I will start with the symptoms:

    • a red screen with a crap reddish logo with circles with 'privacy danger' covering the desktop; it can be moved to the corner of the desktop so as to reveal your desktop. Then, by deleting the folder created by the trojan, c:\Windows\privacy_danger\, the crap disappears, but after some time it reappears with the screen and has to be deleted again and again.
    • System Alert: a Windows message about the impact viruses may have on your PC
    • a red triangle Windows message in the taskbar
    • a warning message with a red (X) sign: Windows has detected an Internet attack attempt... Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection. [OK]
    • A message: Trojan.W32.Looksky detected on your machine. The virus is distributed via the Internet through e-mails and ActiveX objects. The worm has its own SMTP engine, which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.
    This process should be removed from your system.

    Type: Virus
    Systems Affected: Windows 2000, NT, ME, XP, Vista
    Security Risk (0-5): 5
    Click 'Yes' to remove it from your PC immediately

    • the home page of IE changed to http://ucleaner.com/main.php?wmid=6010&mid=MjI6Ojg5main.php?wmid=6010&mid=MjI6Ojg5 or to drivecleaner

    • icons for privacy protection and antispyware appear on the desktop

    Note: The so-called 'ultimate cleaner', as well as 'drive cleaner' and WinAntiVirus Pro, appearing as pop-ups from the warning messages, are nothing but crap. Not only do they do nothing, they keep on asking for registration. There is no ordinary program that forces you to use it and to buy it or register, as the pop-ups, the unchangeable home page and the icons appearing on the desktop do. Not to say that such forcing to use programs should rather make you not use them, so that the creators rethink their approach to attracting customers. Do not use these programs; they may harm your PC, not help. They are junk: you can burn them, throw them away, bury them, erase them from the world. Programs like SAS even detect malware with exactly this source - the mentioned programs.

    This is not just an info thread, I need help. I found this forum while looking for the trojan, and thanks to this forum I found the first program to detect the trojans - SUPERAntiSpyware (SAS). Before that I tried all three mentioned above, also ParetoLogic Anti-Spyware, which could detect some but never found anything entitled 'Trojan', while SAS did. There were some malware files (20) entitled 'Trojan', and after removing them with SAS and rebooting, I thought everything was OK - in the first minute there was no sign of it. However, my homepage was still something else; if I try to change it, it changes back to the homepage URL mentioned above, and SAS asks me whether I should allow or block the change of my attempt to set my homepage to the automatically set crap of this crap ultimate cleaner. Then the same symptoms appeared, the same messages; SAS finally cleaned something, but obviously not the main parasite. Should I expect the name of this Trojan W32 to be found? SAS cannot find it; it found some others, I cleaned them, but this one still remains. I have probably had problems with other types in the past, and the best sign of a removal of the trojan is seeing the homepage stay as I set it each time I start IE. Please help with erasing this trojan; its creator must burn in flames along with his creation.
     
  2. programm

    programm Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    3
    Here is the log, too long to be in one post:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:28:21, on 18.7.2007 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Datecs\FlexType 2K\FType2K.exe
    C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mister X\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - C:\WINDOWS\qnxplugin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O4 - Global Startup: FlexType 2K.lnk = C:\Datecs\FlexType 2K\FType2K.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: msddx - {514D5CEE-3903-40D1-9DBA-C37C06A5D785} - C:\WINDOWS\msddx.dll
    O21 - SSODL: msqnx - {82A31E68-827C-4FC0-B483-AFFB45CF1BC0} - C:\WINDOWS\msqnx.dll
    O23 - Service: Autodata Limited License Service - Unknown owner - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     
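The HijackThis log above is read by eye, which is how the thread proceeds. As an added example that is not part of the thread and is not code from HijackThis, here is a small Python triage script that parses lines in that format and attaches a reason to entries worth checking. Its rules (a start page on an unexpected host, a BHO/Winlogon Notify/SSODL loader DLL sitting directly in the Windows root rather than under system32 or Program Files, a startup-folder item with no executable name, a service whose binary path did not resolve) are this example's own assumptions, generic triage heuristics rather than verdicts on any particular file; `EXPECTED_START_HOSTS` is a placeholder for whatever the owner actually set. The sample lines are copied from the posted log and embedded as constructed input so the script runs offline.

```python
"""Parse HijackThis result lines and flag entries that merit a closer look.

Added example, not code from the thread or from HijackThis. The heuristics
below are this example's own assumptions (generic triage rules); the output
is a list of items to verify by hand, not a verdict on any file.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - C:\WINDOWS\qnxplugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - Startup: .protected
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msddx - {514D5CEE-3903-40D1-9DBA-C37C06A5D785} - C:\WINDOWS\msddx.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in .dll/.exe; stops at a quote so the stray
# quote in the posted O23 line does not swallow the rest of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe)', re.IGNORECASE)

# Assumption (placeholder): the start page the owner actually wants.
EXPECTED_START_HOSTS = {"www.google.com", "google.com"}
WINDOWS_ROOT = r"c:\windows"


@dataclass
class Entry:
    section: str            # R0, O2, O21, ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # {GUID} if the line carries one
    path: Optional[str]     # first .dll/.exe path on the line, if any
    flags: List[str] = field(default_factory=list)


def parse(text: str) -> List[Entry]:
    """Turn HijackThis result lines into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             clsid.group(0) if clsid else None,
                             path.group(0) if path else None))
    return entries


def triage(entries: List[Entry], expected_hosts=EXPECTED_START_HOSTS) -> List[Entry]:
    """Attach a reason to each entry a heuristic matches; return only the flagged ones."""
    for e in entries:
        if e.section in ("R0", "R1") and "Start Page" in e.body:
            url = e.body.split("=", 1)[1].strip()
            host = (urlsplit(url).hostname or "").lower()
            if host not in expected_hosts:
                e.flags.append(f"start page points at unexpected host: {host}")
        if e.section in ("O2", "O20", "O21") and e.path:
            # Loaders (BHO, Winlogon Notify, SSODL) normally live under
            # system32 or Program Files, not directly in the Windows root.
            if ntpath.dirname(e.path).lower() == WINDOWS_ROOT:
                e.flags.append("loader DLL directly in the Windows root; check publisher and hash")
        if e.section == "O4" and e.body.endswith(".protected"):
            e.flags.append("startup-folder item with no executable name")
        if e.section == "O23" and "(file missing)" in e.body:
            e.flags.append("service binary path could not be resolved; check the quoting")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"{e.section:<4}{e.path or e.body[:60]}")
        for reason in e.flags:
            print("     ->", reason)
```

Run against the sample, it leaves the Adobe BHO and the system32 SSODL entry alone and flags the start page, the two loader DLLs in the Windows root, the `.protected` startup item and the O23 Kaspersky line. That last one shows why the output is a checklist rather than a verdict: the line is flagged only because its quoting is off and HijackThis could not resolve the path, so each flagged item still needs to be verified (publisher, hash, file date) before anything is removed.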
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!


    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
Short URL to this thread: https://techguy.org/597372