Help! Malware is driving me nuts...! Trojan.W32.Looksky

Discussion in 'Malware Help (A Specialist Will Reply)' started by Papito, Sep 9, 2007.

  1. Papito

    Papito Private E-2

    First, need to say that you guys at MG are doing a great job!

    I've been reading and meticulously following the instructions in the READ & RUN ME FIRST page (attached logs). The first time I did it, it seemed to have solved the problem. But a week later the popups came back with the same messages (spyware alert, Windows has detected an internet attack attempt... somebody's trying to infect your PC... etc.).

    I updated to Windows SP2 and got all the updates, downloaded all the software you recommended, and am now using Mozilla instead of Win Explorer... basically did everything that is recommended in READ & RUN ME FIRST and HOW TO PROTECT YOURSELF... but the damn problem is still there!

    So I need your help! Here are the logs I collected, as a starter.
     

    Attached Files:

  2. Papito

    Papito Private E-2

    Here are the rest of the logs I got.

    Thanks for your help!
     

    Attached Files:

  3. Papito

    Papito Private E-2

    Sorry, I forgot to mention that I also ran Panda ActiveScan (it didn't find anything wrong) but somehow I couldn't get a report (?).

    Thanks
     
  4. abri

    abri MajorGeek

    Hi Papito!

    Welcome to Major Geeks!

    Please go back to the READ & RUN ME FIRST under Step 0 where you'll see a link called Uninstall Malware via add/remove Programs. Please take a few minutes to match the list at this link against your add/remove programs in your computer. I see there are a few things in your computer that appear on this list, two of them being Viewpoint applications. It doesn't take long to do this and is a big step towards preventing the reentry of malware into your computer.



    Thanks!
    abri
     
    Last edited by a moderator: Sep 9, 2007
  5. Papito

    Papito Private E-2

    Hi abri,

    Thanks for your quick reply!

    I removed the Viewpoint stuff you mentioned. I didn't see anything else on my computer that was on the list of malware.

    I ran CCleaner and then BitDefender. Again it didn't find anything, so there was no "Detected Problems" tab to click on and save the log. All I could do was save the HTML report (attached).

    Hope you can figure all this stuff out!!

    Papito
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi Papito!

    What is in this folder?
    - C:\CHAPTER


    Please follow the instructions below:


    1) You have an old version of HijackThis in your uninstall list. Please see if you can find it in add/remove programs and uninstall it. It should be listed as:

    - HijackThis 1.98.1


    2) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    3) Please copy the bold text below (including the word REGEDIT4) to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    7) After you have completed All of the above, please attach the Avenger log, and after running new scans for ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and analyse.exe (hijackthis.log) please attach fresh logs for them as well. Also, please remember to answer the two questions at the very beginning about the strange folder under C:\WINDOWS AND, please let us know how it went and how your computer is running now.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
     
  7. Papito

    Papito Private E-2

    Hi abri!

    The CHAPTER folder is empty. I think I created it a couple of weeks ago (by mistake) to save some work files. I needed it in My Documents, but somehow it ended up in C:\ so I never used it and didn't bother to remove it.

    I did not find the old version of Hijack This (1.98.1) with Add/Remove Programs. What I see listed is the last version I downloaded 2 weeks ago (1.99.1).

    I went through the procedure as per your instructions. I had a problem with Avenger. It said that the lines I entered (copied and pasted from your box) "did not appear to be a valid script". I tried a few more times but it wouldn't work. So I used the DOS prompt and managed to delete two of them (wmpdev and nsduo), but for the two others I got an "access denied" message. I went to Safe Mode and finally could delete them. I was not sure if I was doing the right thing (I thought that Avenger was maybe doing more than just deleting those files?). But I was in dire need of my computer today for work, so I took a chance... I hope I didn't screw up anything. But so far so good. The machine now runs perfectly and the problem seems to be solved. Hey... what a relief!!

    I'm attaching the requested logs.

    One happy Papito!
     

    Attached Files:

  8. Papito

    Papito Private E-2

    abri, here's the last attachment.

    Thanks!!

    P
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi Papito!

    Your computer might be working perfectly! BUT! we're not out of the woods yet! Please do the following:


    1) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    2) Please copy the bold text below (including the word REGEDIT4) to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    3) Please try running Avenger again. It should be on your desktop. In case you ran it directly from the ZIP file, please extract it to your desktop and run it from there. I removed two of the files which are gone and corrected an error which may have prevented it from running.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    5) After you have completed All of the above, please attach the Avenger log, and after running new scans for ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and analyse.exe (hijackthis.log) please attach fresh logs for them as well.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
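    The last step of the procedure in posts 6 and 9 is to post fresh logs so the helper can confirm the fixed startup entries are really gone (as abri does by eye in the reply below). The following is an added example, not a MajorGeeks tool and not code from this thread: it parses the O4 (autostart) lines of a HijackThis 1.99 log, diffs a "before" and "after" log, and flags any remaining entry whose program lives in a user-writable XP-era location. Both sample logs are constructed for this example; every entry name and path in them (ExampleLoader, exldr.exe, SvcHelper, ExampleUpdater, and so on) is hypothetical, and the user-writable-path rule is a triage heuristic, not proof of infection.

```python
"""Parse HijackThis O4 (startup) entries and diff a before/after log.

Added example: not a MajorGeeks tool and not code from the thread.
The O4 line formats below are the ones HijackThis 1.99 prints; the two
sample logs are constructed, and every entry name/path in them is hypothetical.
"""
import re
from typing import List, NamedTuple, Tuple


class StartupEntry(NamedTuple):
    location: str   # e.g. "HKLM\..\Run" or "Global Startup"
    name: str       # registry value name or .lnk file name
    command: str    # command line / target path


# Registry-backed autostart:  O4 - HKLM\..\Run: [Name] C:\path\prog.exe
REG_O4 = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder autostart:   O4 - Global Startup: Foo.lnk = C:\path\foo.exe
DIR_O4 = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# XP-era directories any user (and so any malware running as that user) can write to.
# Heuristic only: a hit means "look closer", not "infected".
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\recycler\\")

# Constructed sample logs (the thread's real attachments are not on the page).
BEFORE_LOG = """\
Logfile of HijackThis v1.99.1
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [ExampleLoader] C:\\WINDOWS\\system32\\exldr.exe
O4 - HKCU\\..\\Run: [ExampleUpdater] C:\\Documents and Settings\\User\\Local Settings\\Temp\\upd.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [SvcHelper] C:\\WINDOWS\\system32\\svchelper.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
O23 - Service: Example Service - Unknown owner - C:\\WINDOWS\\system32\\exsvc.exe
"""

AFTER_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [ExampleUpdater] C:\\Documents and Settings\\User\\Local Settings\\Temp\\upd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
"""


def parse_o4(log_text: str) -> List[StartupEntry]:
    """Return every O4 startup entry found in a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_O4.match(line)
        if m:
            entries.append(StartupEntry(f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"]))
            continue
        m = DIR_O4.match(line)
        if m:
            entries.append(StartupEntry(m["key"], m["name"], m["cmd"]))
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[StartupEntry], List[StartupEntry]]:
    """(removed, added): entries gone after the fix, and any that newly appeared."""
    old, new = parse_o4(before), parse_o4(after)
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


def flag_user_writable(entries: List[StartupEntry]) -> List[StartupEntry]:
    """Entries whose command sits in a user-writable directory; worth a second look."""
    return [e for e in entries if any(p in e.command.lower() for p in USER_WRITABLE)]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Entries gone after the fix:")
    for e in removed:
        print(f"  {e.location} [{e.name}] {e.command}")
    print("Entries that appeared (should be empty):", added)
    print("Still present and running from a user-writable location:")
    for e in flag_user_writable(parse_o4(AFTER_LOG)):
        print(f"  {e.location} [{e.name}] {e.command}")
```

    Run it against two saved hijackthis.log files by reading them into BEFORE_LOG and AFTER_LOG; a non-empty "appeared" list after a cleanup, or a survivor in a temp or profile directory, is exactly the kind of entry to hand back to the helper before calling the machine clean.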
     
  10. Papito

    Papito Private E-2

    Hi abri!

    Thanks for not letting me get away with it so easily !!

    Followed your last instructions. This time Avenger worked (although the log says it didn't find the files...?). The problem before was that I was running it from the zip file.

    Latest logs attached.

    P
     

    Attached Files:

  11. Papito

    Papito Private E-2

    abri,

    Here's the last attachment.

    P
     

    Attached Files:

  12. abri

    abri MajorGeek

    Haha! Sometimes you just have to zap them with all your weapons! They're gone now. Everything looks good. You still have a number of BitDefender temporary logs which you don't need and which will go away if you use CCleaner. It's a tool that's good to use regularly, just at the default setting as we did in the READ & RUN ME, to clear out your temporary files, temporary internet files, internet history, logs and cookies. Please follow the instructions in the box for the final cleanup and for replacing the previous restore points with a clean one. Also please read the section on How to protect yourself from malware. It has a lot of good suggestions.


    abri
     
  13. Papito

    Papito Private E-2

    Hi abri!

    I got rid of those files and did the disable/system restore thing.
    Just a couple of quick questions:

    1) I just recently upgraded to SP2 (for Windows XP). "How to Protect Yourself from Malware" recommends I download a firewall (like Comodo) rather than using the MS firewall that comes with SP2? My question is: do I need to first dis-able the MS firewall or will Comodo do it upon installation?

    2) I really appreciated having you MGs around. Your help was invaluable at a time when my laptop is vital for my work (I'm on a 2 month mission in Madagascar for the Red Cross, no tech help available here!) and I would like to make a donation to keep the site running. How can I do this?

    Thanks again!

    Papito
     
  14. abri

    abri MajorGeek

    With any security software, the best way to install it is to never allow yourself to be unprotected. In this case, it would mean downloading the installation program for the firewall you want to use, disconnecting from the internet, disabling the Windows firewall (in Settings under Windows Firewall or in the Security Center under Virus Protection), installing the new firewall and then turning your internet connection back on.

    Your firewall will immediately want you to make all kinds of decisions for it. I'm not sure how Comodo works, I use ZoneAlarm. However, I expect the firewalls are similar. If there's something that requests permission to connect to the internet and you don't recognize it, don't give it permission to connect (and don't check "always remember this setting"). Then if you lose your internet connection, you'll know that was something you needed. You may have to reboot to get the same request so you can say allow the next time around. Once you've established it's a connection you need, then check the box to always remember this setting, if Comodo has something like that.

    There are some things which will obviously have to connect to the internet. One of them is your browser. I allow Firefox and Internet Explorer to connect, but I do not allow Windows Explorer to connect. If you've never configured a firewall, it takes your attention on and off for a little while as the firewall encounters new programs that want an internet connection. Some things are more obvious than others. If you have messengers, they obviously need to connect to the internet. Same with your e-mail program. Requests for permission to connect to the internet often occur right after the installation of a new piece of software. Decide for yourself if it is a piece which requires access to the internet or not.

    Thank you, Papito. I'm not sure what policy there is on this. Please send a private message to Chaslang, whose name you will find on many of the threads in the Malware section. Just click on his name and ask him if that's possible.

    Good luck in Madagascar. That sounds quite interesting!
    abri
     
  15. abri

    abri MajorGeek

    Papito,
    With regard to your second question, thanks for the offer. We're glad we could offer you support in your work helping other people.
    Good luck!
    abri
     
