Posted: 10/14/2007 7:24:50 AM EDT
|
I need help removing Trojan.w32.looksky. I think I got this malware from looking up porn on the internet. I just want it gone, and I have searched the interweb and all the crap I find does not work. My desktop is a biohazard symbol and I have security popups every 30 seconds or so. This is a pain in the ass and I need help to remove this program. Thanks |
|
Disable system restore (click Start, right click "My Computer," select Properties and click the System Restore tab), restart your PC in safe mode and run a virus scan with whatever antivirus software you use. ETA - And next time, surf for pron with a browser other than Internet Explorer, something that won't run ActiveX controls without your say-so, like Firefox. |
I did what you suggested. Strange results. My virus scan found nothing, and it is the new McAfee. When I restarted my computer, only the top left quarter has the biohazard .gif image and I have only had the pop up once... ok, twice now. It did not fix anything. Any more suggestions? Specific programs to download? |
I am doing this as I type |
There's probably still a command somewhere in the Windows registry to re-enable the virus. The file itself has been deleted, but upon start up the command in the registry runs and regenerates the virus. They're like zombies, those fucking computer viri. |
|
Try this, it's free: free.grisoft.com/ I've been using it for a couple of years. |
|
Wipe the drive and start over? Once crap like that has been on a computer I never trust that machine again until it's been wiped. Too much chance of a key logger or credit number finder being left behind on a 'cleaned' machine. 1) Make backups frequently. 2) Don't surf pron using IE. Use FF on an Ubuntu Linux machine instead. BSW |
5.56, 7.62, 9mm, .45??? What do I do to kill the fucker? |
|
ok finished the scan

SmitFraudFix v2.240
Scan done at 11:25:55.65, Sun 10/14/2007
Run from C:\Documents and Settings\Timothy\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\
C:\toolbar.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\msvb.dll FOUND !
C:\WINDOWS\netadv.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !
C:\WINDOWS\sysdx.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Timothy

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Timothy\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Timothy\FAVORI~1
C:\DOCUME~1\Timothy\FAVORI~1\Online Security Test.url FOUND !
C:\DOCUME~1\Timothy\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Timothy\FAVORI~1\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\Timothy\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Timothy\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Timothy\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\VideoAccessCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{abef791f-947e-4cdf-83c3-e72a240afb67}"="frisbee"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NETGEAR FA311 Fast Ethernet Adapter #2
DNS Server Search Order: 128.194.254.2
DNS Server Search Order: 128.194.254.3
DNS Server Search Order: 128.194.254.1
Description: NETGEAR FA311 Fast Ethernet Adapter #2
DNS Server Search Order: 209.189.224.40
DNS Server Search Order: 209.189.224.45
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2C4F6B46-EEB7-4AB1-8D8C-23D7D1E4C958}: DhcpNameServer=209.189.224.40 209.189.224.45
HKLM\SYSTEM\CCS\Services\Tcpip\..\{30030071-83FE-42CD-8057-527DAF76B4C4}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D80B7545-3721-4FBE-9203-555D9D81E8B9}: DhcpNameServer=128.194.254.2 128.194.254.3 128.194.254.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2C4F6B46-EEB7-4AB1-8D8C-23D7D1E4C958}: DhcpNameServer=209.189.224.40 209.189.224.45
HKLM\SYSTEM\CS1\Services\Tcpip\..\{30030071-83FE-42CD-8057-527DAF76B4C4}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D80B7545-3721-4FBE-9203-555D9D81E8B9}: DhcpNameServer=128.194.254.2 128.194.254.3 128.194.254.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2C4F6B46-EEB7-4AB1-8D8C-23D7D1E4C958}: DhcpNameServer=209.189.224.40 209.189.224.45
HKLM\SYSTEM\CS2\Services\Tcpip\..\{30030071-83FE-42CD-8057-527DAF76B4C4}: NameServer=208.180.42.100,208.180.42.68
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D80B7545-3721-4FBE-9203-555D9D81E8B9}: DhcpNameServer=128.194.254.2 128.194.254.3 128.194.254.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=209.189.224.40 209.189.224.45
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=209.189.224.40 209.189.224.45
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=209.189.224.40 209.189.224.45

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

this is what it came up with.
I am going to restart in safe mode again and finish the steps from Geeks to Go. Thanks for the help, wish me luck |
|
Check out the link david_g17 posted: www.symantec.com/security_response/writeup.jsp?docid=2006-011812-1823-99&tabid=3

You'll have to go into the registry:

4. To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Navigate to the subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value: "HostSrv" = "%Windir%\sachostx.exe"
6. Exit the Registry Editor. |
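Added example, not part of any post in this thread and not Symantec's tool: the registry step above comes down to finding the Run value that relaunches the malware at startup. This Python script reads a regedit export of the Run key (the kind of backup those steps recommend) and lists autostart entries whose program sits directly in the Windows folder or a drive root, as HostSrv does. The sample export is constructed, the function names are made up here, and the location rule is an assumed review heuristic, not a verdict.

```python
import ntpath
import re

# Constructed sample export. Only the HostSrv value is taken from the removal
# steps quoted above; the other two entries are invented for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HostSrv"="%Windir%\\sachostx.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /background"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Quoted path, or unquoted path up to the first executable extension, or first token.
EXE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)|(\S+)', re.I)

def unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', text)

def parse_run_values(export_text):
    """Yield (key, value_name, command) for each string value in the export.
    Real exports are UTF-16; decode the file before passing its text in."""
    key = None
    for line in export_text.splitlines():
        line = line.strip()
        if (m := SECTION.match(line)):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def executable_of(command):
    """Return the program path from an autostart command line, minus arguments."""
    m = EXE.match(command.strip())
    return next(g for g in m.groups() if g) if m else ""

def suspicious_autostarts(export_text, windir=r"C:\WINDOWS"):
    """List (value_name, path) for Run entries launched from windir or a drive root."""
    hits = []
    for key, name, command in parse_run_values(export_text):
        if not key.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        exe = re.sub(r"%(windir|systemroot)%", lambda _: windir,
                     executable_of(command), flags=re.I)
        folder = ntpath.dirname(ntpath.normpath(exe)).upper()
        if folder == windir.upper() or re.fullmatch(r"[A-Z]:\\", folder):
            hits.append((name, exe))
    return hits

if __name__ == "__main__":
    for name, path in suspicious_autostarts(SAMPLE_EXPORT):
        print(f"review: {name} -> {path}")
```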
Good lord, that's your BIGGEST problem. www.virus.gr/portal/en/node/28 Go look at McAfee's reliability rating in the list at the bottom of the page. It's number 20 and only 86% effective in catching viruses in a test against almost 175,000 separate and unique viruses. In other words, it's crap. Between that and Norton, it's no small wonder people have so many problems. Uninstall McAfee, then go here: Kaspersky Linkage download the 30 day free trial and install it. (in safe mode, preferably) Clean your computer up and then decide what you want to use for long term virus protection. I highly suggest using the list on the site virus.gr I linked above when you choose... Hope this helps some... ETA: follow what Quintin posted as well, before you change antivirus programs. You need to clean out the registry entries to be 100% sure. If you're too afraid of doing something wrong, your best bet is to burn your important stuff to CD/DVDs and just zero out the drive completely with a low level formatting tool. |
This worked. Back to normal... it seems. I guess I will find out. Thanks for the quick help, guys |
Cool. Those douchebags that write viruses rank right up there with guys like Fred Phelps on the list of people who really need their asses kicked. Low life losers got nothing better to do than to write programs to fuck someone's computer up. |
I was sitting here thinking "who the fuck comes up with shit like this?" Just another reason why I hate people |
