Trojan.W32.Looksky

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kiwiabroad, Sep 21, 2007.

  1. kiwiabroad

    kiwiabroad Private First Class

    Hi

    I'm back again!

    Number 1 son has again managed to download something inadvertently. He was on MSN and MySpace when security alerts popped up saying they had detected this virus, attempts made to change IE, etc., that it usually comes through emails or Active-X, and that someone could be trying to access our emails, passwords, etc. Both he and my daughter assure me they have not opened any emails etc. from anybody they don't know - they have been deleted - nor have they downloaded anything new. Don't know if this is of any relevance anyway.

    Windows Internet boxes keep popping up, internet slow at best (won't use it as worried about consequences), keep getting security alerts and the following:

    SpywareGuard repeatedly says a BHO has been added:
    60D3EC53-56A8-46A8-9D011-IAB64410665C
    C:\Windows/nsduo.dll
    (Despite repeated attempts at removing the BHO and restoring the IE homepage, it keeps repeating the same information)
    Trying to change the IE homepage from Google to:
    http://softwarereferral.com/jump.php?wmid=6010mid=Mj160jg5lid=2

    Can't run AntiVirus as the above seems to slow it right down and it just doesn't seem to be working as normal.

    I have Windows XP Home, IE 7, have AntiVirus, SpywareGuard, SpyBot, SpywareBlaster, and Sygate Firewall.

    Please, please help.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please follow the instructions in the Read and Run First sticky and attach the requested logs.
     
  3. kiwiabroad

    kiwiabroad Private First Class

    P.S.
    Forgot to say also have Adware 2007.
    Thanks
     
  4. kiwiabroad

    kiwiabroad Private First Class

    Thanks for your prompt answer. Please excuse my ignorance and point me to the 'Read and Run First' sticky?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  6. kiwiabroad

    kiwiabroad Private First Class

    Thanks for link, remembered where to find it just after I posted my reply! Will work thru and post results.
     
  7. kiwiabroad

    kiwiabroad Private First Class

    Hi again

    Currently in the process of defragmenting C drive with IObit. I have clicked my G drive (external hard drive backup) to defrag as well - is this ok or should it only have been C drive?
     
  8. kiwiabroad

    kiwiabroad Private First Class

    I am having all sorts of problems doing the Counterspy. It is running ok, but took 1 hour to download and 7 hours to scan (found 16 items with 98 traces) and then proceeded to ignore the whole lot! Do I have to run the scan again? And why is it taking so long? Can I try the AVG one instead now I have already run Counterspy? I can't see any way of retrieving those items and deleting them - am I missing something obvious here? I have had to use a neighbour's computer to post this thread as the internet is taking so long. Please help
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    AVG Anti-spyware will be fine ..... I don't know why you had no option to have Counterspy quarantine what it found.

    Do all that you can and post the logs.
     
  10. kiwiabroad

    kiwiabroad Private First Class

    Hi
    Firstly, was my mistake with Counterspy - I was running it in normal mode - I wasn't too impressed with myself when I realised!! Have run it again in safe mode along with CCleaner and Spybot. Can't run my broadband connection in Safe Mode with Networking Support, and almost impossible for me to get on the internet in normal mode as everything is so slow and lots of windows keep popping up (again I am posting this from a neighbour's computer) so I don't think I will be able to access BitDefender and Panda Active Scan let alone run them as they will take forever. Is the GetRunKey.Zip and NewRunKey.Zip plus a log of Counterspy enough for you to go on at present? I will also attempt a HijackThis log.

    Is it possible to download these logs/zips on to a memory stick and then attach them from another computer?

    This seems a lot worse than my previous problems and I am spending an awful lot of time trying to sort it. Would I be better off reinstalling my operating system and applications or just buying a new computer??!!
     
  11. kiwiabroad

    kiwiabroad Private First Class

    P.S. can I download the various programs onto a memory stick and then run them from that on my computer without connecting to the internet?
     
  12. kiwiabroad

    kiwiabroad Private First Class

    Runkeys and newfiles attached
    Will endeavour to send Counterspy reports and do HijackThis

    Couldn't download Java so haven't been able to run BitDefender or Panda Scan - too many windows opening and pop-ups are slowing my internet connection to a snail's pace - unless I can get this to stop any online scan would take about a week!
     

  13. kiwiabroad

    kiwiabroad Private First Class

    Counterspy.txt attached
    Note - this is the one I did in normal mode by mistake but found the most problems. I will send the one done in safe mode separately as Counterspy.txt - it only found one problem.
     

  14. kiwiabroad

    kiwiabroad Private First Class

    as per previous post second counterspy scan attached
     

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We will work you through this so you don't have to reformat.:)

    Yes, you can download to a different computer and save to a thumb drive and then extract to your desktop to run.


    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    IMPORTANT: Do NOT run any other options until you are asked to do so!
    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

    Now reboot into normal mode and attach this new rapport.txt log here.
    Now attach new logs from:

    * GetRunKey
    * ShowNew
    * HJT

    How are things working now?
     
  16. kiwiabroad

    kiwiabroad Private First Class

    Thanks for your prompt response. Can I just clarify one thing please - do you still want me to run HijackThis before these procedures or now at the end of them. I have downloaded the program but not run it yet.
    Thanks
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run them after you do the smitfraud fix!:)
     
  18. kiwiabroad

    kiwiabroad Private First Class

    The link to SmitfraudFix doesn't work - I have tried on my work computer as well, just comes up with page cannot be displayed. I have tried searching for a download separately on your website but can't find one. Please advise.
     
  19. kiwiabroad

    kiwiabroad Private First Class

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am sorry about that ....yes, that is the download. Do follow the instructions regarding saving the report before running the second set of instructions.
     
  21. kiwiabroad

    kiwiabroad Private First Class

    First smitfraud log attached as requested.

    Question before continuing with next sequence please - you've said to attach new GetRunKey and ShowNew logs. Will the new logs overwrite the previous ones I did for you so I just have to attach the runkey.txt and newfiles.txt as per the instructions in Read & Run Me First?
     

  22. kiwiabroad

    kiwiabroad Private First Class

    Hi again

    Second Smitfraud log in safe mode attached. Waiting on your reply to my earlier question before re-doing GetRunKey and ShowNew.

    Already internet is running much faster, the desktop icons for Error Cleaner, Privacy Protector and Spyware & Malware Protection have been removed. Just one thing - when I connect to the internet, it always comes up as working offline even though I am actually online. I have to open up a second tab to get to the website I want (you guys!) ??
     

  23. kiwiabroad

    kiwiabroad Private First Class

    Ok - forget the offline thing in previous post, appears to be working ok now. Following things noticed:

    When I am logged in:

    1. Desktop wallpaper has disappeared - no big deal, just wondered why?
    2. IObit Smart Defrag Ending Program window when logging off
    3. Windows-No Disk window when logging off which says:
    Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bfc 75b6bfc

    When hubby is logged in:
    Same problems as 2 and 3 above

    When daughter is logged in:
    1. Same problems as 2 and 3 above, plus:
    2. Open File-Security Warning, Publisher could not be verified
    Name: TOMBRA 1.EXE
    Type: Application
    From: C:\DOWNLO 1
    3. msrr.exe-entry point not found. The procedure entry point ?CreateGraphic@Value@DirectUI@@SGPAV12@PB_WEIGGPAUHINSTANCE_@@_N2@Z could not be located in the dynamic link library MSNcore.dll

    When son is logged in:
    1. Same problems as 2 and 3 for me
    2. Same problem as 3 for daughter, plus
    3. Steam Error - Unable to connect to Steam Network because no Steam login information stored on this computer. Check status on http://steampowered.com/status (I think this is an old 'leftover' from some game he used to play many moons ago but not anymore - just gives an OK box, no 'X' to click)

    In addition, I have had Sygate Firewall with message:
    Client Server Runtime Process (crsse.exe) is trying to broadcast to 224.0.0.22 - allow? I clicked no but didn't click remember my answer as yet.

    I hope this all makes sense!
     
  24. kiwiabroad

    kiwiabroad Private First Class

    I went on the assumption that the runkeys.txt and newfiles.txt would be overwritten (like the Smitfraud) so have attached the re-runs plus HijackThis log. Hope this is all ok.

    Computer running much better and faster, no annoying windows popping up whether online or not. No other apparent problems other than ones listed in previous post.

    Will not do anything more on computer until receive further instructions from you.

    Thanks
     

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Sunbelt Counterspy
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)

    Also, uninstall and re-install Windows Live Messenger

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Click remember my answer.

    Then do a search for the (crsse.exe) and see if it isn't a leftover from Norton... if found, just delete it.

    Tell me how things are running now.
     
  26. kiwiabroad

    kiwiabroad Private First Class

    Ok - latest instructions done. Following noticed

    When I am logged in:

    1. Desktop wallpaper has disappeared - no big deal, just wondered why?

    Still the same

    2. IObit Smart Defrag Ending Program window when logging off
    3. Windows-No Disk window when logging off which says:
    Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bfc 75b6bfc

    All gone now

    When hubby is logged in:

    everything ok

    When daughter is logged in:
    1. Same problems as 2 and 3 above, plus:

    Gone now

    2. Open File-Security Warning, Publisher could not be verified
    Name: TOMBRA 1.EXE
    Type: Application
    From: C:\DOWNLO 1
    3. msrr.exe-entry point not found. The procedure entry point ?CreateGraphic@Value@DirectUI@@SGPAV12@PB_WEIGGPAUHINSTANCE_@@_N2@Z could not be located in the dynamic link library MSNcore.dll

    Both these still there

    When son is logged in:
    1. Same problems as 2 and 3 for me

    Gone now


    2. Same problem as 3 for daughter, plus
    3. Steam Error - Unable to connect to Steam Network because no Steam login information stored on this computer. Check status on http://steampowered.com/status (I think this is an old 'leftover' from some game he used to play many moons ago but not anymore - just gives an OK box, no 'X' to click)

    Still there

    In addition, I have had Sygate Firewall with message:
    Client Server Runtime Process (crsse.exe) is trying to broadcast to 224.0.0.22 - allow? I clicked no but didn't click remember my answer as yet.

    This hasn't happened again, and I couldn't find crsse.exe on a search

    Other points:

    1. My son still has the 3 icons on his desktop for Error Cleaner/Privacy Protector/Spyware & Malware but they have gone from my desktop??

    2. When re-installing Windows Live Messenger, Sygate Firewall came up with a prompt to a 'Driver Package Installer' trying to connect. I clicked no, but not remember my answer as wasn't sure what this was. Is this correct?
     
  27. kiwiabroad

    kiwiabroad Private First Class

    Just reviewed my message and haven't done the quotes properly. I have written under the problems what has changed or not. Hope it makes sense.

    Thank you!
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to run smitfraud on your son's log in account ...I'm assuming that it was not run on the administrator account....

    Run CCleaner on each account ...first run the cleaner to remove temp files. Then run the issues scan (making sure you do the backup!).

    Now tell me exactly what is still occurring and if error messages...the exact message.
     
  29. kiwiabroad

    kiwiabroad Private First Class

    No I didn't run it in the administrator a/c as I didn't realise I had to ...

    I have attached the first rapport.txt after running it logged on to my son's a/c - didn't know whether you needed this or not.

    I will now run the smitfraud clean in safe mode and then attach that.
     

  30. kiwiabroad

    kiwiabroad Private First Class

    rapport.txt from safe mode logged into son's a/c attached.

    His desktop wallpaper has disappeared too so obviously a thing with running smitfraud.

    My husband and daughter's log in a/cs do not show these 3 icons on the desktop. I am assuming this is because they have not logged on to the internet whilst infected with this virus. Is this correct? Do I need to run smitfraud on their a/cs anyway or should I do it again as administrator? In addition, the other logs attached were all from my login a/c. Does that mean I should do them all again as administrator?

    I am sorry - I'm not a computer expert and need step by step instructions as you have given but I didn't see anywhere telling me to log in as administrator. Did I miss something?

    Thanks
     

  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you reinstall windows live messenger...let it install the driver package...

    Run CCleaner on each account ...(or from the administrator account).

    It would be a good idea to let me see the following logs from your son's account:
    ShowNew
    GetRun
    HJT

    Right click your desktop / properties / web ---> tell me what is there
    (yours and your sons).

    Now tell me exactly what is still occurring and if error messages...the exact message.
     
  32. kiwiabroad

    kiwiabroad Private First Class

    Can I access the GetRun, ShowNew and HJT from my son's a/c or I need to download them to him as well? (I downloaded them whilst logged on as me)
     
  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should find them in the same place as you ran it from in your log in...
    C:\Majorgeek Downloads\GetRunKey.bat
    same for Shownew
    C:\Program Files\HijackThis
     
  34. kiwiabroad

    kiwiabroad Private First Class

    ShowNew, GetRun and HJT files attached from son's login a/c
     

  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Uninstall ---> Steam

    Install:
    Java Runtime 6

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Run CCleaner ..then reboot and tell me how his account is running.
     
  36. kiwiabroad

    kiwiabroad Private First Class

    CCleaner run in administrator a/c - backup done to desktop.

    The driver package prompt happened when I had already just re-installed Windows Live Messenger - should I uninstall and reinstall again to get the same prompt from the firewall and click yes this time?

    When right clicking on Desktop/Properties there was no option for Web - only tabs for Themes/Desktop/Screen Saver/Appearance/Settings - have I misunderstood your instructions?

    Daughter is still getting the Tombra and msrr.exe windows as previously listed. She also got a End Program -sgtray.exe window when logging out.

    My son is getting the msrr.exe window and Steam one as previously listed.

    I have tried to attach the exact message boxes but they are too big.
     
  37. kiwiabroad

    kiwiabroad Private First Class

    Our messages have crossed - just to double check you want me to do the Steam uninstall, Java, run HJT etc logged on to my son's a/c?
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you run the issues section of CCleaner... on all accounts? The backup should have been listed to go into My Documents ....

    "sgtray.exe --Free utility that integrates with Backup MyPC (formerly Backup Exec Desktop), Simple Backup and MS Backup. Provides system tray access and background monitoring."
    Is this still installed?

    Sorry ...desktop tab / customize / then web tab ...what is there?

    Yes to your last post.
     
  39. kiwiabroad

    kiwiabroad Private First Class

    No I didn't run the CCleaner issues on each a/c - I did the issues on the administrator a/c only (per your instructions "Run CCleaner on each account ... OR from the administrator account"). Should I just do a CCleaner run + issues on each a/c with a backup saved in my documents each time?

    I have no idea what the sgtray.exe is or if it's still installed - how do I check?

    Desktop tab instructions show nothing in web pages box for both of us.
     
  40. kiwiabroad

    kiwiabroad Private First Class

    Further update for you:

    On son's login a/c -
    1. Steam issue fixed
    2. Still getting the following window on desktop after login:
    msrr.exe-entry point not found. The procedure entry point ?CreateGraphic@Value@DirectUI@@SGPAV12@PB_WEIGGPAUHINSTANCE_@@_N2@Z could not be located in the dynamic link library MSNcore.dll

    On daughter's login a/c -
    1. getting the same msrr.exe as above
    2. Still getting the Tombra window as well:

    Open File-Security Warning, Publisher could not be verified
    Name: TOMBRA 1.EXE
    Type: Application
    From: C:\DOWNLO 1

    Other 2 login a/cs are fine. Internet working fine on all users and at normal speed again.

    CCleaner has been run on every user, cleaning and issues, with a backup done to My Documents for each user. The Administrator backup I have left on the desktop for now.

    Java Runtime downloaded; HJT run and the two lines fixed; fixME.reg done - all on son's login a/c.

    Will wait on further instructions.

    Thanks
     
  41. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HJT in both accounts and have it fix this line:
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msrr.exe" /background

    Then manually use windows explorer to see if it is still there ...delete it if it is.

    Was MSN messenger removed at one point?

    The other item refers, I believe to Tomb Raiders ....was that program also removed?
     
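    The two HijackThis line types this thread turns on (the O2 BHO entry from the first post and the O4 Run entry TimW has fixed above) can be triaged automatically. The script below is an added example written for this thread, not a MajorGeeks or HijackThis tool; it parses constructed sample lines in HJT log format (the O4 line is the one quoted above, the first O2 line is built from the CLSID and DLL path the original poster reported, the other two lines are labelled benign placeholders) and flags the traits that made these entries suspicious.

```python
"""Triage helper for HijackThis-style O2 (BHO) and O4 (Run key) lines.

Added example for this thread, not a MajorGeeks or HijackThis tool. It flags
a BHO with no display name or a malformed CLSID, a BHO DLL sitting directly
in C:\\Windows, and a Run value whose name does not match the executable it
launches (here [msnmsgr] launching msrr.exe).
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log. The O4 msnmsgr line is quoted from the thread; the
# first O2 line is built from the BHO CLSID and DLL path the original poster
# reported, with the CLSID reproduced exactly as typed in the post. The other
# two lines are benign-looking placeholders (the all-zero CLSID is not real).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {60D3EC53-56A8-46A8-9D011-IAB64410665C} - C:\Windows\nsduo.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msrr.exe" /background
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# A well-formed CLSID is 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


@dataclass
class Finding:
    line: str
    reason: str


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    path = path.replace("/", "\\")
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def check_bho(m: re.Match, line: str) -> List[Finding]:
    out = []
    if m["name"].strip().lower() == "(no name)":
        out.append(Finding(line, "BHO registered without a display name"))
    if not CLSID_RE.match(m["clsid"]):
        out.append(Finding(line, "BHO CLSID is not a well-formed GUID"))
    if dirname(m["path"]).lower().rstrip("\\") == r"c:\windows":
        out.append(Finding(line, "BHO DLL placed directly in C:\\Windows"))
    return out


def check_run(m: re.Match, line: str) -> List[Finding]:
    out = []
    exe = basename(executable_from_command(m["cmd"]))
    stem = exe.lower().removesuffix(".exe")
    value = m["value"].lower().removesuffix(".exe")
    # Heuristic for analyst review: a value name borrowed from a known product
    # that launches a differently named binary (msnmsgr -> msrr.exe).
    if stem != value:
        out.append(Finding(line, f"Run value [{m['value']}] launches {exe}, name mismatch"))
    return out


def analyze(log_text: str) -> List[Finding]:
    """Return all findings for the O2 and O4 lines in an HJT-style log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            findings.extend(check_bho(m, line))
        elif m := O4_RE.match(line):
            findings.extend(check_run(m, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

    The name-mismatch check is a review prompt rather than a verdict, since some legitimate vendors register Run values under product names that differ from the binary.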
  42. kiwiabroad

    kiwiabroad Private First Class

    Yes, both MSN messenger has been removed in the past and reinstalled and Tomb Raiders was removed ages ago.

    Will do the HJT on both a/cs and let you know how things are working.

    What about the driver package with Windows Live Messenger? Should I uninstall and reinstall WLM again as the Sygate message hasn't reappeared again? Kids aren't using computer at moment until you say it is ready to go so they are not on MSN and I don't use MSN so I don't know if it is working properly.
     
  43. kiwiabroad

    kiwiabroad Private First Class

    Ok - HJT has fixed the msrr.exe problem in both a/cs!!

    I noticed in Emma's a/c after the HJT scan that there was an O4-HKCU line for Tomb Raider. Should I run it again and fix this line as well and see if this fixes the problem?
     
  44. kiwiabroad

    kiwiabroad Private First Class

    I've done the Windows explorer on both a/cs and can't find the msrr.exe .....however, noticed some 'interesting' things:

    In Andy's My Documents there are icons for IMesh 5 Shortcut and IMesh V5, Steam Install and one that says funrecent.fmp ???? In his My Music there is also an IMesh folder. I know IMesh shouldn't be on the computer. Should I get rid of these and how please?

    On Emma's desktop there is an icon for msjavax86 - any ideas what this is?

    Thanks
     
  45. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes!

    imesh is to download and listen to music ...it's up to you as to removing it.

    msjavax86 ---> virtual machine Java for some architectural CAD programs ... if it is just on the desktop .. you could remove it... if it is needed for one of her programs, it can be re-downloaded if necessary.

    Now how are things?:)
     
  46. kiwiabroad

    kiwiabroad Private First Class

    Bingo! Everything appears to be running smoothly - thank you so much.

    My login is a bit slow loading up - there are quite a few things in the system tray but I know how to deal with that thru msconfig and the start-up tab.

    I realise that a computer can't be 100% protected against this stuff but I have everything you guys have suggested on your guides and past threads; given strict instructions to my kids about what not to download, don't do it if you're not sure etc. (or you won't live to your next birthday!); I update all the programs regularly, clean, immunize etc. etc. and still this has happened. Can I do anything better? Is it better to say take the subscription to the AntiVir program - will this give me better automatic real-time protection? Is there a better firewall I could use?

    And one more quick question - I regularly back up (using Microsoft SyncToy) to an external hard drive (my last backup was before this infection). When I run all these programs I have, do they check the external drive as well or do I have to check that separately?

    I have read all the support guides on majorgeeks but would really appreciate your advice on the above matters - if for nothing else, so I don't have to bother you again!

    Look forward to your reply.
     
  47. kiwiabroad

    kiwiabroad Private First Class

    P.S. can I delete the SmitFraud folders, fixME.reg, HJT, GetRunKey and ShowNew?
     
  48. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your backup drive will not be scanned unless you tell the program to do so ...and if you backed up when you were infected, I would suggest that you reformat that drive and then do a backup now that you are clean.
    Don't use msconfig to control your start up ..it is really for diagnostics. If you want, use a startup program such as:
    Startup Manager

    It is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  49. kiwiabroad

    kiwiabroad Private First Class

    Ok thanks - will do all the removals etc.

    I downloaded the Startup Manager but exited after download to deal with later - where do I find it again? Can't see it on the desktop or in Programs??

    I did NOT do an external back-up whilst infected - the last back up was a week before this infection - so that would mean I don't have to reformat that drive but just scan it anyway as a safety measure?
     
  50. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes to the backup disc ...just scan it with your AV program.

    Startup Manager should have downloaded to your desktop .... unless you chose a different place ... do a search for it ... it is a stand alone program ... you just click the exe and it will open.
     