desktop spyware warning - help requested

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bolvers, Dec 28, 2004.

  1. bolvers

    bolvers Private E-2

    Hello,

    I had a lapse and got infected, but all seems to be running OK now, but for a desktop hijack (which doesn't stop me using my PC) ~
    the desktop is blue with 'windows security warning - you have spyware' paragraph. I can cancel it for 10 minutes, but it returns and is also there on start-up.

    I run or use sygate firewall, AVG, spybot, adware, ccleaner & spyblaster, and several other suggested small programmes.

    Now I have run HijackThis and read through the log.

    I've read through the details of several similar problems discussed on majorgeeks, and have tried to read through the log to try and familiarise myself with its details. But my understanding is not that good and I would very much appreciate help with my HijackThis log to rid my PC of this desktop take-over if possible.

    Thanks
    Andy
    UK
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. bolvers

    bolvers Private E-2

    Hope this is the right way to do it. Have spent a good number of hours over the last few days trying to read up on it - help appreciated.

    Andy
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need some Windows Updates!
    You do realize you are running a pirated copy of Windows.
    The below two lines indicate you do:
    E:\WINDOWS\system32\resetservice.exe
    O23 - Service: Reset 5 - Unknown - E:\WINDOWS\system32\srvany.exe

    They disable Activation for Windows OSes (2K and above). If you have it, you installed it!
     
    Last edited: Dec 28, 2004
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. bolvers

    bolvers Private E-2

    Thanks Chaslang for all your notes, which are all very much appreciated.
    I was not running MSexcel.
    I will re-read and go from there.

    Thanks
    Andy
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\about.htm
    O4 - HKLM\..\Run: [Video Process] MSlti64.exe
    O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
    O4 - HKLM\..\Run: [Gate Personal Firewall] systpl.exe
    O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
    O4 - HKLM\..\RunServices: [Gate Personal Firewall] systpl.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] whrmqc.exe
    O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
    O4 - HKLM\..\RunOnce: [Srv32 spool service] E:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [Windows Compliant] whrmqc.exe
    O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] E:\WINDOWS\System32\spoolsrv32.exe
    O15 - Trusted IP range: 69.50.161.82 (HKLM)

    After clicking FIX, exit HijackThis.

    Boot into safe mode and use Windows Explorer to delete:
    E:\WINDOWS\about.htm
    E:\WINDOWS\System32\MSlti64.exe
    E:\WINDOWS\System32\msexcel.exe
    E:\WINDOWS\System32\systpl.exe
    E:\WINDOWS\System32\whrmqc.exe
    E:\WINDOWS\System32\spoolsrv32.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
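    A defender-side way of triaging autorun lines like the O4/O15 entries listed above, as an added example that is not part of this thread and not HijackThis's own logic: it parses the quoted lines and reports the properties that made each one suspect. The Sygate line is a constructed benign control, and the lookalike table (Excel really runs as excel.exe, the print spooler as spoolsv.exe) is general Windows knowledge rather than something the thread states.

```python
import re

# Constructed sample: the O4/O15 lines quoted earlier in this thread plus one
# benign Sygate line (constructed, not from the posted log) as a control.
HJT_LINES = r"""
O4 - HKLM\..\Run: [Video Process] MSlti64.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Gate Personal Firewall] systpl.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] E:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O15 - Trusted IP range: 69.50.161.82 (HKLM)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted IP range: (?P<ip>[\d.]+) \((?P<hive>HK\w+)\)$")

# Display-name keyword -> the executable the real product uses.
LOOKALIKES = {"excel": "excel.exe", "spool": "spoolsv.exe"}

def executable(cmd):
    """Program part of an autorun command: a quoted path, else up to the first .exe."""
    m = re.match(r'"([^"]*)"|(\S*?\.exe)', cmd, re.I)
    return next(g for g in m.groups() if g) if m else cmd.split()[0]

def analyse(log):
    """Return [(line, [reasons])] for every O4/O15 line that deserves a look."""
    findings = []
    for line in log.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable(m["cmd"])
            base = exe.rsplit("\\", 1)[-1].lower()
            reasons = []
            if "\\" not in exe:
                reasons.append("bare filename: resolved via the search path, no install directory")
            if m["key"].lower() == "runservices":
                reasons.append("RunServices is a Windows 9x/Me key; installers rarely write it on NT-family Windows")
            for word, real in LOOKALIKES.items():
                if word in m["name"].lower() and base != real:
                    reasons.append(f"name suggests {real} but runs {base}")
            if reasons:
                findings.append((line, reasons))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append((line, [f"{m['ip']} placed in the Trusted sites zone, relaxing IE security for it"]))
    return findings

if __name__ == "__main__":
    for line, reasons in analyse(HJT_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Every entry chaslang listed is flagged for at least one reason, while the benign control passes; the spoolsrv32.exe line is caught only by the name check, which is why a full path alone should not clear an entry.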
     
  9. bolvers

    bolvers Private E-2

    Hi Chaslang

    Yesterday I followed your comments and had a good amount of success (I think) thanks to your suggestions.

    I've listed below the progress I made. I expect the attached HijackThis log will show me still to have many problems, but the desktop is clear and I can't find any of the suggested nasties in the registry log or in the windows folder. One problem I did have, which I didn't have with my [very] old previous W95 PC, was that I couldn't get this one to enter SAFE MODE on startup. I followed a suggested way of entering a kind of SAFE MODE at one point (if that's possible), but can't remember how I did that. Any suggestions? I used the eliminate on reboot function in HijackThis to get rid of the ones that wouldn't go because they were in use - seems to have worked.

    Thanks for your help again - expect I've done plenty wrong and have more to do, but really I don't know what I'm doing.

    Andy


    I think this is a trojan:
    O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe

    This was identified by Trendmicro Homevisit but couldn't be removed.
    I removed it by using HijackThis eliminate on reboot.

    You also have this trojan:
    http://www.trendmicro.com/vinfo/vir...e=WORM_RBOT.ADC

    Trendmicro dealt with this.

    You also have this worm:
    http://www.trendmicro.com/vinfo/vir...=WORM_AGOBOT.UE

    Didn't seem to show up through trendmicro link, but WORM_RBOT.AFK did, but couldn't deal with it. This was the msexcel bug which I deleted on reboot using HijackThis.

    And this too: Trojan-Clicker.Win32.Spyre.b
    This seemed to disappear with the Trendmicro Homevisit.
    Two trojans picked up srpcsrv32.dll; I used eliminate on reboot, whilst Homevisit got rid of txfdb32.dll.

    ################

    This seemed to rid my PC of a great deal of the last list of suggestions.
    Of those, the ones I've just had to do now are:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\about.htm
    O4 - HKLM\..\Run: [Video Process] MSlti64.exe
    O4 - HKLM\..\RunServices: [Video Process] MSlti64.exe
    O4 - HKLM\..\RunServices: [Windows Compliant] whrmqc.exe
    O4 - HKCU\..\Run: [Windows Compliant] whrmqc.exe
    O15 - Trusted IP range: 69.50.161.82 (HKLM)


    Of the files to delete, I had done some myself already, plus the ones tackled by trendmicro - I couldn't find any of these - just one lookalike:
    E:\WINDOWS\system32\whrmqc.exe-up.txt
    Should I do anything with that?

    E:\WINDOWS\about.htm
    E:\WINDOWS\System32\MSlti64.exe
    E:\WINDOWS\System32\msexcel.exe
    E:\WINDOWS\System32\systpl.exe
    E:\WINDOWS\System32\whrmqc.exe (can only find whrumqc.exe-up.txt)
    E:\WINDOWS\System32\spoolsrv32.exe
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you should delete E:\WINDOWS\system32\whrmqc.exe-up.txt
    It may be interesting to bring it up in notepad first and see what's in it.

    Other than that, you look clean. How are things running?
     
  11. bolvers

    bolvers Private E-2

    Everything seems to be running just fine now, thanks.

    I'll delete the file ~ E:\WINDOWS\system32\whrmqc.exe-up.txt

    It contained the following text, but what does it mean?

    Thanks
    Andy


    __SEH__ 0xc00000fd at 0x77f51042
    CS :0x0000001B SS :0x00000023 DS :0x00000023
    ES :0x00000023 FS :0x0000003B GS :0x00000000
    EAX:0x01293084 EDX:0x7FFE0304 ECX:0x0129304C
    ESP:0x01292FFC EBP:0x01293050 EIP:0x77F51042
    ESI:0x00000098 EDI:0x00000000
    -- backtrace --
    0x77f51042:[ntdll.dll]:(000:00000000)
    0x77e7a65f:[kernel32.dll]:(001:0001965f)
    0x77e7ac21:[kernel32.dll]:(001:00019c21)
    0x71ab3c70:[ws2_32.dll]:(001:00002c70)
    0x00415fb8:[whrmqc.exe]:(001:00014fb8)
    0x0041645a:[whrmqc.exe]:(001:0001545a)
    --stack--
    0x01292ffc: 0x00000000 0x00000000 0x00000000 0x00000000
    0x0129300c: 0x00000000 0x00000000 0x00000000 0x00000000
    0x0129301c: 0x00000000 0x00000000 0x00000000 0x00000000
    0x0129302c: 0x00000000 0x00000000 0x00000000 0x00000000
    0x0129303c: 0x00000000 0x00000000 0x00000000 0x00000000
    0x0129304c: 0x77f7671a 0x012930b0 0x77e7a65f 0x01293084
    0x0129305c: 0x77e7a64a 0x00000000 0x00a81e90 0x00000000
    0x0129306c: 0x00000102 0x01293074 0x00000000 0x00000000
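To put a reading on a log of that shape, here is an added example that is not from the thread or from any of the tools it mentions: a small parser for the __SEH__ / backtrace format above. Two things it relies on are general Windows crash-triage knowledge rather than statements in the thread: NTSTATUS 0xC00000FD is STATUS_STACK_OVERFLOW, and one frame repeated back to back dozens of times is the signature of runaway recursion. The embedded dump is an abbreviated copy of the posted one, with the repeated frame regenerated sixty times as in the original post.

```python
import re

# Abbreviated copy of the crash log quoted above; the 0x0041645a frame appears
# 60 times in the original post, so it is reconstructed here by repetition.
DUMP = """\
__SEH__ 0xc00000fd at 0x77f51042
-- backtrace --
0x77f51042:[ntdll.dll]:(000:00000000)
0x77e7a65f:[kernel32.dll]:(001:0001965f)
0x77e7ac21:[kernel32.dll]:(001:00019c21)
0x71ab3c70:[ws2_32.dll]:(001:00002c70)
0x00415fb8:[whrmqc.exe]:(001:00014fb8)
""" + "0x0041645a:[whrmqc.exe]:(001:0001545a)\n" * 60

# A few NTSTATUS exception codes; 0xC00000FD is the one in this log.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0x80000003: "STATUS_BREAKPOINT",
}
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "ws2_32.dll"}
FRAME_RE = re.compile(r"^0x([0-9a-f]{8}):\[([^\]]+)\]:\(\d{3}:[0-9a-f]{8}\)$", re.I)

def parse(dump):
    """Return (exception code, [(address, module), ...]) with frames innermost first."""
    code = int(re.search(r"__SEH__ 0x([0-9a-f]+)", dump, re.I).group(1), 16)
    frames = []
    for line in dump.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1), 16), m.group(2)))
    if not frames:
        raise ValueError("no backtrace frames found")
    return code, frames

def summarise(dump):
    code, frames = parse(dump)
    # Longest run of one frame repeated back to back: a recursion signature.
    best, run = (frames[0], 1), 1
    for prev, cur in zip(frames, frames[1:]):
        run = run + 1 if cur == prev else 1
        if run > best[1]:
            best = (cur, run)
    # First frame outside the OS DLLs is where the program's own code last ran.
    own = next((f for f in frames if f[1].lower() not in SYSTEM_DLLS), None)
    return {
        "exception": NTSTATUS.get(code, f"0x{code:08x}"),
        "faulting_module": frames[0][1],
        "first_own_frame": own,
        "repeated_frame": best[0],
        "repeat_count": best[1],
    }
```

On this dump the summary reads: a stack overflow raised in ntdll while whrmqc.exe's own code, after recursing through the same address sixty times, called into ws2_32 (Winsock); that is consistent with a network-aware program crashing on itself, which is all the file tells you about what whrmqc.exe was.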
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like just a log file from the whrmqc.exe program (what ever that program is).
     
