Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Shows commercial adverts
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


LookBack is a Trojan that can connect to the Internet without permission, auto start with the infected computer’s operating system, spy on a victim, record sensitive information, and so on. No doubt, it is a vicious threat that no organization would want to encounter. As you see, the malicious application seems to be targeted at particular US institutions, which means it is not distributed among regular home users. If you want to know more about who might be targeted, how could victims receive such a threat, and what it might do if it enters a system, we encourage you to read our full article. Also, at the end of the text, you can find instructions showing how one could erase LookBack manually. However, considering it is a vicious threat, it is best to get rid of it as fast as possible, and it might easier and safer to do so by employing a reputable antimalware tool.

One of the first attacks during which hackers distributed LookBack were noticed between July 19 and July 25, 2019. The targets were three US companies in the utility sector. According to researchers, hackers behind the malicious application were using the so-called spear-phishing method. Spear phishing is usually used to attack organizations and businesses. Another thing that separates it from phishing is that in spear-phishing attackers often impersonate targeted victim’s coworkers, business partners, or anyone a victim would know and trust. Thus, identifying spear-phishing emails or messages could be very difficult.

Moreover, in this case, LookBack’s developers sent their victims malicious email attachments with Microsoft Word documents. From the first look, it seemed as if these emails came from the US National Council of Examiners for Engineering and Surveying (NCEES). Cybercriminals were able to create a website that impersonated the mentioned organization’s official site. This is the fake website’s link: nceess[.]com, and here is the legitimate link: As you can see the difference is only in the web pages’ domain names and, as a result, less attentive users could not notice it. The malicious emails also contained the NCEES logo picture and a signature block of a fictitious employee.

Microsoft Word files sent with the described spear-phishing emails could have been named Result Notice.doc or similarly. What’s more, to convince targeted victims to open the malicious attachments the hackers came up with messages saying they have failed in passing their certification exams. Apparently, the messages stated that all information needed to proceed with the licensing process is available below. It would seem that opening the malicious documents could activate macros commands that would install LookBack on a targeted system.

The malicious application is a remote access Trojan, which means hackers can control it thought a remote network connection. There are quite a few things that the malware developers might be able to do to an infected system. To be more precise, LookBack can allow them to view running processes and system data, to delete files, execute commands (e.g., execute files, delete services, read files, and so on.), take screenshots, use a computer’s mouse, restarting the infected computer, and even removing the malware, which could be done to hide tracks.

All in all, it seems LookBack is a highly capable threat that can cause a lot of damage to an organization of any type. No doubt, it should be removed as soon as it is discovered to prevent it from stealing sensitive information or causing other trouble. The instructions located below show how one could erase LookBack manually, but we cannot guarantee they will work for everyone. Therefore, it might be best to employ a reliable antimalware tool to eliminate this threat. Also, the way it is spread, it could easily infect systems of companies that do not educate their users on cybersecurity as identifying spear-phishing attacks is not an easy task. Thus, we highly recommend teaching employees about such attacks as well as investing in trustworthy security tools and taking other necessary precautions.

Erase LookBack

  1. Click Ctrl+Alt+Delete.
  2. Choose Task Manager and select Processes.
  3. Find a process belonging to the threat.
  4. Mark it and click End Task.
  5. Exit Task Manager.
  6. Click Win+E.
  7. Find these paths:
  8. Locate the malicious Microsoft Word document received via email.
  9. Right-click it and select Delete.
  10. Then go to: %PUBLIC%
  11. Remove all suspicious files from there by right-clicking them and pressing Delete.
  12. Exit File Explorer.
  13. Empty Recycle Bin.
  14. Restart the computer.
Download Spyware Removal Tool to Remove* LookBack
  • Quick & tested solution for LookBack removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.