Jump to content

I have the r.looksmart.com redirect trojan and would appreciate help


Recommended Posts

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

Link to post
Share on other sites

What browsers are involved?

~~~~~~~~~~~~~~~~

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[bLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : CPN (rundll32.exe "C:\Documents and Settings\john1\Local Settings\Application Data\Downloaded Installations\CPN\tctbkj.dll",CreateInstance) -> FOUND

[bLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : CPN (rundll32.exe "C:\Documents and Settings\john1\Local Settings\Application Data\Downloaded Installations\CPN\tctbkj.dll",CreateInstance) -> FOUND

Now click Delete on the right hand column under Options

MrC

Link to post
Share on other sites

I had only browsed with Firefox so I don't know if it was doing it with any other browser however I just tried to duplicate the issue before scanning and IE wasn't doing it, however I tried to get it to do it with Firefox and it wasn't do it right now.

But I did the scan again as you said, and it did come up with those two keys you showed. I clicked delete and it got rid of them. I will see if it does it again over the next day or so and if so I will report back. I know you said to uncheck any others, and I did, however there was one other line that it came up with, is it safe to assume that that other line is not an issue ?

thanks again for the help, I will be donating

Link to post
Share on other sites

is it safe to assume that that other line is not an issue ?

Yes

~~~~~~~~~~~

We're not done yet, I was just trying to establish what browsers are involved.

Please download GooredFix from one of the locations below and save it to your Desktop

http://jpshortstuff....m/GooredFix.exe

http://downloads.sec...m/GooredFix.exe

Ensure all Firefox windows are closed.

To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista & W7).

When prompted to run the scan, click Yes.

Reboot and post the log, MrC

Link to post
Share on other sites

One thing to note is that my eset is showing an alert that says something about a recent dns poisoning cache attack.

Didn't see that in the RogueKiller report.

Lets run some scans....

Please read the directions carefully so you don't end up deleting something that is good!!

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Link to post
Share on other sites

It says "Detected DNS cache poisoning attack remote IP address 192.168.2.1

This is your network.

~~~~~~~~~~~~~~~~

While we're checking lets run one more scan.......

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.