Help with spyware/trojan: fake windows security warning, name spywarewarning.mht

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pakmanaz, Jun 2, 2008.

  1. pakmanaz

    pakmanaz Private E-2

    Hi, thanks in advance for all your help. I really appreciate this forum and all the brilliant people behind it. I have seen a couple of similar postings, but have not been able to resolve my issue. I would appreciate any help.

    I have a fake windows security alert in my system tray that says:
    System Alert: Trojan-Spy.Win32@mx
    Type: Spyware/Trojan
    Vulnerable: Windows 95/98/ME/NT/XP
    Description: Spyware program that sends confidential information to remote attacker.
    Protection: Click this baloon to download official security software.

    I know it is fake because my real Windows security alert is running, and when I click the fake one it opens up an internet explorer page. However, my real windows security's automatic updates has been disabled, and I am unable to re-enable it. Also note, balloon is misspelled.

    I was able to locate it in C:\Windows\system32\spywarewarning.mht, and also C:\Windows\system32\spywarewarning2.mht, but I cannot delete the former.

    I've tried the whole Read & Run, and I also tried the XP cleaning procedure. However, after running SuperAntiSpyware, I am now unable to open the other .exe files, like Combofix.exe or Mgtools.exe. I double click but nothing happens, so I am unable to complete the steps indicated in the XP cleaning procedure.

    I have attached my HijackThis log and SAS log. Please help when you get the chance.

    Obliged.
     


  2. abri

    abri MajorGeek

    Hi pakmanaz,
    Welcome to Major Geeks!



    You mentioned that after using SAS, you were unable to open any .exe files. Please see if you can put your computer back to an earlier restore point. If you've never done this before, go to Start / All Programs / Accessories / System Tools / System Restore. Check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceding this problem with the .exe files and allow your system to return to that date. See if the problem with the .exe files goes away.

    The above step may and probably will have the effect of bringing back any malware which SAS removed. Please do it anyway. Then go back to the READ & RUN ME FIRST and work through all the instructions, but skip SuperAntiSpyware this time.

    Let me know how this goes. If this does not help, tell me and I will give you something else to try, but try this first.
    abri
     
  3. pakmanaz

    pakmanaz Private E-2

    abri, thanks so much for your speedy reply.
    I did as you requested, and restored my computer to an earlier date, but the .exe files that I downloaded still cannot be executed. Let me know what I should try next.
    Thanks again for your reply.
     
  4. abri

    abri MajorGeek

    Hi pakmanaz,

    See if you can do any of the following instructions. They should be done in normal mode, not safe mode. If Process Explorer doesn't work, continue on with HijackThis. Do as much of the instructions as you can.

    1) Please begin by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    yayyAtUK.dll
    byXRhHyY.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    yayyAtUK.dll
    byXRhHyY.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    yayyAtUK.dll
    byXRhHyY.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLs, just continue on.)

    Now just exit Process Explorer.


    2) Run HijackThis by double clicking on it. Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
    O2 - BHO: (no name) - {2A77D7E2-9BF3-480E-9F5D-68645D67593B} - C:\WINDOWS\system32\awtqoLde.dll (file missing)
    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\yayyAtUK.dll
    O2 - BHO: (no name) - {B3797C92-138E-413A-8B34-6812F9664437} - C:\WINDOWS\system32\byXRhHyY.dll
    O2 - BHO: {8dd92212-5d1f-c3fb-9fa4-4e640812f38f} - {f83f2180-46e4-4af9-bf3c-f1d521229dd8} - C:\WINDOWS\system32\plxuaonm.dll
    O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\3com_dmij.exe
    O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\sosecjyt.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\hyugpdoa.dll",s
    O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\3com_dmij.exe
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Ali\Application Data\Microsoft\dtsc\16422.exe
    O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\3com_dmij.exe
    O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\3com_dmij.exe
    O20 - Winlogon Notify: yayyAtUK - C:\WINDOWS\SYSTEM32\yayyAtUK.dll

    After you click fix, just close HijackThis.

    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    5) Now download The Avenger by Swandog46, and save it to your Desktop. Do not run this in safe mode.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now.

    abri
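    As an added example (not abri's or MajorGeeks' code), a small Python triage script that parses the HijackThis entries quoted in the posts above and flags the patterns this thread turned on: a start page pointing at a local .mht, unnamed BHOs with random-looking DLL names in system32, a rundll32 autorun with a one-letter export, an autorun launched from the user profile, and a Winlogon Notify DLL that is also registered as a BHO. The 8-letter random-name heuristic and the flagging rules are my own triage assumptions, not HijackThis's, and a Java entry is kept in the sample so a benign line is seen to pass.

```python
import re
from collections import namedtuple

# HijackThis entries quoted in the posts above (copied, not constructed); the
# Java entry is kept so the triage can be checked against a benign line too.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\yayyAtUK.dll
O2 - BHO: (no name) - {B3797C92-138E-413A-8B34-6812F9664437} - C:\WINDOWS\system32\byXRhHyY.dll
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\sosecjyt.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Ali\Application Data\Microsoft\dtsc\16422.exe
O20 - Winlogon Notify: yayyAtUK - C:\WINDOWS\SYSTEM32\yayyAtUK.dll
"""

Finding = namedtuple("Finding", "code reason detail")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: \S+ - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)$', re.I)

def basename(path):
    return path.strip().split("\\")[-1]

def in_system32(path):
    return "\\system32\\" in path.lower()

def looks_random(filename):
    """Triage heuristic (my assumption, not a verdict): 8 letters, mixed case or few vowels."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    mixed_case = stem != stem.lower() and stem != stem.upper()
    return mixed_case or sum(c in "aeiouAEIOU" for c in stem) <= 3

def triage(log):
    """Return one Finding per HijackThis entry matching the patterns this thread turned on."""
    findings, bho_dlls = [], set()
    for line in filter(str.strip, log.splitlines()):
        code, _, body = line.strip().partition(" - ")
        if code in ("R0", "R1"):
            # The fake "System Alert" is the IE start page pointing at a local .mht file.
            value = body.partition(" = ")[2]
            if re.search(r"\.(mht|html?)$", value, re.I):
                findings.append(Finding(code, "start page set to a local file", value))
        elif code == "O2" and (m := O2_RE.match(body)):
            dll = basename(m["path"])
            bho_dlls.add(dll.lower())   # remembered to cross-check the O20 entry below
            if m["name"] == "(no name)" and in_system32(m["path"]) and looks_random(dll):
                findings.append(Finding(code, "unnamed BHO, random-looking DLL in system32", dll))
        elif code == "O4" and (m := O4_RE.match(body)):
            cmd = m["cmd"]
            r = RUNDLL_RE.match(cmd)   # rundll32 "<dll>",<export> loader stubs
            if r and in_system32(r["dll"]) and len(r["export"]) == 1:
                findings.append(Finding(code, "rundll32 loader with one-letter export", r["dll"]))
            elif "\\application data\\" in cmd.lower():
                findings.append(Finding(code, "autorun executable inside the user profile", cmd))
        elif code == "O20" and (m := O20_RE.match(body)):
            dll = basename(m["path"])
            if dll.lower() in bho_dlls:
                findings.append(Finding(code, "Winlogon Notify DLL also registered as a BHO", dll))
            elif looks_random(dll):
                findings.append(Finding(code, "Winlogon Notify DLL with random-looking name", dll))
    return findings
```

Run `triage(HJT_LOG)` on a full HijackThis log to get a first cut of what to look at; the heuristics only prioritise entries for a human to judge.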
     
  5. pakmanaz

    pakmanaz Private E-2

    abri, I am forever indebted to you for your great support. After doing all your proposed steps, I no longer see the fake windows security alert, nor do I get a pop-up concerning spywarningalert.mht. Thank you a million times over for your help!

    Thought I would tell you specifics: when I was running process explorer, I wasn't able to find the following:
    O2 - BHO: (no name) - {2A77D7E2-9BF3-480E-9F5D-68645D67593B} - C:\WINDOWS\system32\awtqoLde.dll (file missing)
    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\yayyAtUK.dll
    O2 - BHO: (no name) - {B3797C92-138E-413A-8B34-6812F9664437} - C:\WINDOWS\system32\byXRhHyY.dll
    O2 - BHO: {8dd92212-5d1f-c3fb-9fa4-4e640812f38f} - {f83f2180-46e4-4af9-bf3c-f1d521229dd8} - C:\WINDOWS\system32\plxuaonm.dll
    O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\sosecjyt.dll",b
    O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\hyugpdoa.dll",s
    O20 - Winlogon Notify: yayyAtUK - C:\WINDOWS\SYSTEM32\yayyAtUK.dll

    Wondering if that is anything I should be concerned about.

    Lastly, when you get the opportunity, could you assist me on removing Toshiba Power Saver? I saw it during hijackthis, but was unsure if that would be the best method in removing it. It is really annoying, and I have been unable to remove it thus far. When I try to remove it from add/remove it informs me that "unable to locate installation log file.... Uninstallation will not continue."

    Thanks again for all your time and help.

    Deeply obliged.
     


  6. abri

    abri MajorGeek

    Hi pakmanaz,

    It's important that you keep going without stopping. Otherwise everything we're trying to stop will come back!

    Please begin by running HijackThis again by double clicking on it. Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\yayyAtUK.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C13EA89D-75BE-42E4-A008-A3F75A59E357} - C:\WINDOWS\system32\awtqoLde.dll (file missing)
    O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\mhmmbwsl.dll",b

    When you're finished, just close the program and continue straight on with the next set of instructions. It's very important that you keep going.


    Now that you've got some improvement in your computer, I need for you to go through the instructions in the READ & RUN ME FIRST as soon as possible! You still have some files that can get all the malware going again, and this set of instructions will allow you to get rid of it and give us the information we need to see what's left. Please do not delay. When you finish, attach all the requested logs so we can get you the rest of the instructions.

    Thanks.
    abri
     
    Last edited: Jun 4, 2008
  7. pakmanaz

    pakmanaz Private E-2

    hey abri,
    I ran HiJackThis and was able to fix all the files you had indicated.

    Unfortunately, I am still unable to open the .exe files: Spybot, Combofix, and Malwarebytes Anti-Malware. I have attached the following logs from SuperAntiSpyware and MGTools.

    I am also unable to open up Mozilla Firefox, and Internet Explorer will occasionally redirect to an advertisement page.

    Thanks again for your continued support.
     


  8. abri

    abri MajorGeek

    Hi pakmanaz,

    Thanks for the new logs. It's helpful having more information to work with. Please do the following:



    1) Please go to the following folder in Windows Explorer and delete any of the files in it that you are allowed to delete. Windows will not allow you to delete files from the current date.

    C:\Documents and Settings\Ali\Local Settings\Temp\


    2) Now close all your browser windows and run CCleaner, then come back here for the rest of the instructions.

    3) What is in the following folder? (You can open the folder, but do not open any files if you don't know what they are.) You can also get further information about the folder by right-clicking on it and selecting properties.

    C:\s2dc

    4) Please disable your guest account if this hasn't already been done.

    5) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    7) Did you install the following sidebar? If not, please run C:\MGtools\analyse.exe or HijackThis by double clicking on it, select "Do a system scan only" and, after closing all your browser windows, click on fix.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.trustyhound.com/sidebar-search.php

    After you click fix, just close HijackThis.



    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    9) Now run CCleaner again at the default setting with the Windows tab as the one on top. Remember to close all your browser windows.

    10) Next, we need a bit more information. Please do the following:

    Download Registry Search (see the link titled RegSearch Download Link)
    • Extract the files from Regsearch.zip into a folder.
    • Double-click regsearch.exe to start the program.
    • Enter clbdriver in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

    11) The following items on your desktop should be considered for deletion, since it's unlikely you still need them. If the Firefox installation program is there to try and overcome the problems with Firefox, you could keep that one. It would be a good idea, if it is not already the case, to have your browsers set to prompt you for the download location. Creating a downloads folder under C:\ would allow you to know where to find things, but at the same time you'd have the option to download them to other locations (including the desktop) for those programs which need to be located there.

    C:\Documents and Settings\Ali\Desktop\

    Unused Desktop Shortcuts
    Acoustica-MP3-Audio-Mixer-Installer.exe
    Download_mbam-setup.exe
    Firefox Setup 2.0.0.14.exe
    VeohSetup-3.9.5.1039.exe



    12) And now please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log and the results of the Regsearch.


    Let me know how things are running now.

    abri
     
  9. pakmanaz

    pakmanaz Private E-2

    Hey abri,
    I did all the steps as you requested, and now Firefox is able to open! Thanks for the millionth time for your superb support.

    Concerning C:\s2dc, it is not a folder, but a file. There are many similar files in the C: folder, such as s1h4, s1tc, s2fk, etc. totaling 23. What should I do with these files? Are they harmful?

    I suppose I should now be able to complete the rest of the steps of Read and Run Me, so I'll do that next and add any problems if any occur (hopefully not!).

    I have attached the requested logs.

    Thanks again for your time and amazing advice. I am deeply indebted to you.
     


  10. pakmanaz

    pakmanaz Private E-2

    hey abri,
    I ran spybot, and after it did the scan I pressed Fixed selected problems, which resulted in my computer going to the blue error screen.

    Thanks again for your help.
     
  11. abri

    abri MajorGeek

    Hi pakmanaz,

    Your computer has a rootkit which has to be gotten out. This may account for the files you found under C:\. What is odd about them is that they don't seem to have a file extension, at least not a visible one, and I can only see one of them. When you first started, you were not able to run Combofix. I would like for you to go to Using Combofix and install it according to the instructions, being sure to install it over the old one. Then see if you can run it. If so, attach the resulting log here. If not, tell me. By the way, did Spybot find a lot of stuff that needed fixing? Don't run it again. We'll come back to that.

    abri
     
  12. pakmanaz

    pakmanaz Private E-2

    Hi abri,
    I ran combofix.exe and attached the log.

    Concerning spybot, it found a few things needing fixing, can't remember exactly how many, but about five or six is my estimate.

    Thanks.
     


  13. abri

    abri MajorGeek

    Hi pakmanaz,

    Regarding the files you mentioned (see quote box), please delete them. If you can't delete them, please make a list of their names for me.
    After I hear back from you about this, I'll post another set of instructions to try and remove the remaining malware files.
    abri
     
  14. abri

    abri MajorGeek

    Hi pakmanaz,

    Adding to my instructions in post 13, please do the following:


    1) Now run the Avenger by Swandog46

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    2) Now run CCleaner at the default setting with the Windows tab as the top one.

    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now.

    abri
     
  15. pakmanaz

    pakmanaz Private E-2

    Hey abri,
    I ran avenger, cctools, and MGtools, and also deleted those 23 files in C:\ as you requested, and have attached the logs as well. My computer seems to be running fine; no indication of malware or spyware. However, over the weekend it did freeze a few times, even at startup.

    Let me know if you think I should go through the Read and Run list now. Thanks again for your wonderful support.
     


  16. abri

    abri MajorGeek

    Hi pakmanaz,

    I'm glad to hear things are running better.


    I would like for you to run the same instructions I gave you in Post 8 Step 10 which was the regsearch for the rootkit. Some things were not found by Avenger, so I'd like to see if they are really gone.

    Also, could you check your C:\ again for any files that resemble the other 23 you took out. If there are, I would like to ask you to upload one here so I can look at it. You would have to zip it to do this.

    Finally, I would like for you to go to Running GMER to detect rootkits. There have been a lot of rootkits showing up lately.

    When you finish, please attach the GMER log and the results of the regsearch and, if relevant, one of the odd files. Let me know if you are still having problems with the computer freezing. When it does freeze, is it temporary or do you have to shut it down from the switch?

    abri
     
  17. pakmanaz

    pakmanaz Private E-2

    hi abri,
    I couldn't find any of the aforementioned files in C:\. I deleted them all earlier.

    I did do the steps you indicated, and have attached the corresponding logs. My computer hasn't been crashing much as of late, but when it did I would have to close it by holding down the power button.

    Thanks again for your continued help and great support.
     


  18. abri

    abri MajorGeek

    Hi pakmanaz,

    Your logs look good. You had an earlier question about wanting to remove Toshiba Power Saver. Please go ahead with the final cleanup instructions, which include setting a new restore point and then try to remove that software. Since this is not a malware issue, I will ask you to start a thread about this in the Software Forum. Here are the final cleanup instructions:
    abri
     
