Warning! Spyware detected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by oldmotorbikes, Aug 23, 2008.

  1. oldmotorbikes

    oldmotorbikes Private E-2

    Hopefully someone can help me? When my PC boots up it opens "My Documents" in Explorer. My desktop icons have disappeared and are replaced with a blue screen with a yellow message box saying "Warning Spyware detected on your computer!". My task bar is also gone so I do not have a START button to open the control panel etc. Ctrl+Alt+Del just shows a single window with CPU usage. I use Alt+F4 to close this as there is no close button. I've read the "read me first" instructions but cannot really do very much. I am using Windows XP (SP2). Luckily I have most of my data backed up on an external hard drive. Any help is appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I know you said you read the READ & RUN ME, but see if you can do any of it using some of the additional information/tips below. Without logs, there is not much we can do for you.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. Also, even if you have no Start button or Desktop, Task Manager can often be used to run programs from the File, New Task (Run...) feature of Task Manager.
     
  3. oldmotorbikes

    oldmotorbikes Private E-2

    Thanks for the reply. I have managed to run all the cleaning processes as far as combofix. I do not have the run command. Using explorer I can see winnt32.exe on my D: drive but I cannot pass the parameter to it. I am stuck on what to do now. The task manager does not have any menus on it so I cannot use this to run commands?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just ignore the Recovery Console part and simply double click the ComboFix.exe file to run it.

    Just double click anywhere along the outer border area of the Task Manager window and the menus will show.
     
  5. oldmotorbikes

    oldmotorbikes Private E-2

    I have completed all scans and am attaching logs. The warning message is gone but I am still left with a blank desktop and no task bar. Right clicking on the desktop does nothing.

    Thanks, my task manager is working.
     


  6. oldmotorbikes

    oldmotorbikes Private E-2

    4th log attached
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you try to run explorer.exe from Task Manager, does your Desktop appear?


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Spybot - Search & Destroy 1.3.1 TX <-- this version is 4 yrs out of date


    Please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - AppInit_DLLs:

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. oldmotorbikes

    oldmotorbikes Private E-2

    If you try to run explorer.exe from Task Manager, does your Desktop appear?
    No, Explorer just opens another window of "My Documents" folder and its contents.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger
    removed ok.

    Norton removed ok.

    Run C:\MGtools\analyse.exe
    Ran this and closed everything as suggested. When it came to fixing the 2 entries I had forgotten what they were. So I ran explorer.exe from Task Manager in order to get IE to log onto your site to get the info. As soon as I hit the return key my desktop was restored as was the bottom task bar. Various programs then started updating from the internet. When this completed I got the names of 2 files to fix and finished MGtools.

    Now we need to use ComboFix
    I moved combofix.exe to my restored desktop and created the txt file as instructed, closed everything down, dragged and dropped the txt file onto combofix.exe and it started working. While it was doing this my desktop and task bar disappeared. It finished all the steps and created a text file. It then automatically rebooted. My desktop did not re-appear!!!

    The Regedit worked successfully.

    I am attaching 2 logs.

    Your help is greatly appreciated.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is starting to look like any remaining problems are not malware.

    From Task Manager, click File, New Task (Run...) and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    Tell me if it asks for your CD.

    Reboot afterwards and let me know if there is any change.
     
  10. oldmotorbikes

    oldmotorbikes Private E-2

    yes it asked for the cd but it does not recognise it as being the version that is installed?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have Windows XP SP2 installed. Is that what your CD is? Are you sure it is a Windows XP boot CD? Even if it is an old version, will it let you restore the files from the CD?
     
  12. oldmotorbikes

    oldmotorbikes Private E-2

    Was able to run sfc. It took 35 minutes but did not give any messages, it just closed down when the blue line got to the end. I re-booted and no difference ie Explorer opens "My Documents", no desktop icons, no task bar.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try this:

    • Open Task Manager and run explorer.exe - tell me what happens. Do not close any windows that open!!!!!
    • Then run explorer.exe one more time. Now what happens.
    • Then run iexplore.exe and tell me what happens.

    In message # 8 you first said the Desktop did not appear when you ran Explorer but then a paragraph or so later, you said it did appear when you ran Explorer. Or are you confusing the explorer.exe with iexplore.exe which are different. Explorer.exe is Windows Explorer which is responsible for your Desktop. iexplore.exe is the Internet Explorer browser.
     
  14. oldmotorbikes

    oldmotorbikes Private E-2

    It is like double clicking on the "My Documents" icon, i.e. explorer opens My Documents

    a 2nd window of My Documents is opened

    Internet Explorer opens Google - my default home page

    No, I am not confused. In running MGTools I had to close all windows. I did that. I had to fix 2 entries in HJT but did not note down what they were - I had forgotten! As I had no desktop or task bar I had to run explorer to navigate to my "Desktop" folder to get a shortcut for IExplorer to re-read your reply #7. It was then that the real desktop appeared. Should I repeat the "cleaning" exercise again to see if it re-occurs?
     
    Last edited: Aug 30, 2008
  15. oldmotorbikes

    oldmotorbikes Private E-2

    As soon as I had posted the previous message I closed ALL the windows and was about to shut down the computer when I remembered to check something on the internet. So I ran explorer.exe from task manager and like magic my desktop was repopulated with all the icons and the task bar at the bottom was restored and like before all the start menu programs started downloading their updates!

    I will now reboot and let you know what happens.
     
  16. oldmotorbikes

    oldmotorbikes Private E-2

    I shouldn't be too quick to assume things are fixed!!!!!

    It is the same as before. No desktop or task bar.................



    I have just tried something.

    I closed the explorer window. The only window open is this one (IE). Ran explorer.exe from task manager and it has re-populated the desktop. Hurr-rah!

    It looks like on bootup explorer is not opening the desktop properly. If I close it and re-open it, it works?

    Also, in my windows start display there are 2 unknown entries
    Antivirus XP 2008 and
    Register Antivirus XP 2008

    To clarify things - I was in America for 3 weeks holiday and when I got back home my daughter had wrecked the PC!! I appreciate your help. Thanks,
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is sounding more like a Windows options/registry configuration issue than it does malware. You may need to work this in the Software Forum.


    When you get your Desktop to appear, do the below.
    1. Click Start, point to Programs, point to Accessories, right-click Windows Explorer, and then click Properties.
    2. Click the Shortcut tab.
    3. Tell me exactly what you see in the Target box
    You may want to look at this: http://support.microsoft.com/kb/307856
     
    Last edited: Aug 30, 2008
  18. oldmotorbikes

    oldmotorbikes Private E-2

    Target location: %SystemRoot%
    Target: %SystemRoot%\explorer.exe
    Start in: %HOMEDRIVE%%HOMEPATH%
    Shortcut key: None
    Run: Normal window
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happens if you login to other user accounts?

    Also try the Administrator account in safe boot mode?

    What happens if you create a new user account with Administrator privileges?
     
  20. oldmotorbikes

    oldmotorbikes Private E-2

    same problem

    same problem

    same problem for both admin and limited accounts
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's sounding more and more like it is a problem with some kind of common setting. Perhaps a registry entry. Let's try a search.



    Download Registry Search (see the link titled RegSearch Download Link)
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter explorer.exe in the top area of the form and then click "OK".
    • Be patient while this runs the search. It can take some time to finish.
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
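
    Added example, not part of the thread and not code from RegSearch, HijackThis or any other tool named above: a small Python script that parses a `reg export`-style text dump and flags the settings that decide what runs as the desktop shell at logon, i.e. the Winlogon Shell and Userinit values (HKLM plus any per-user HKCU override), AppInit_DLLs (the HJT O20 line from reply #7) and the NoDesktop Explorer policy that hides every desktop icon. The expected defaults are the Windows XP ones. The two registry samples inside it are constructed for illustration; the non-default entries in SAMPLE_REG are assumptions to exercise the checks, not findings from this machine.

```python
"""Added example, not from the thread or from any tool named in it.

Parses a `reg export`-style text dump and reports the registry settings that
control what runs as the desktop shell at logon (Windows XP defaults assumed).
SAMPLE_REG and CLEAN_REG are constructed samples; their entries are assumptions.
"""
import re
import sys

HKLM_WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
HKCU_WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
HKLM_WINDOWS = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
HKCU_EXPLORER_POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample of an unhealthy box: per-user Shell override that starts
# explorer.exe with a folder argument, a DLL in AppInit_DLLs, NoDesktop set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\example_hook.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\Documents and Settings\\user\\My Documents"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"""

# Constructed sample of the XP defaults: audit() should report nothing for it.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""


def decode_value(data):
    """Turn the right-hand side of a .reg line into a str (REG_SZ) or int (dword)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) binary and other types are left raw


def parse_reg(text):
    """Map lower-cased key path -> {lower-cased value name: decoded data}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_value(m.group(2))
    return keys


def audit(keys):
    """Return human-readable findings; an empty list means XP defaults."""
    findings = []
    # Shell must be exactly Explorer.exe: an argument or a second program changes
    # what comes up at logon. A missing HKCU value is normal (no per-user override).
    for key in (HKLM_WINLOGON, HKCU_WINLOGON):
        shell = keys.get(key, {}).get("shell")
        if shell is None and key == HKCU_WINLOGON:
            continue
        if shell is None or str(shell).strip().lower() != "explorer.exe":
            findings.append(f"{key}\\Shell = {shell!r} (expected 'Explorer.exe')")
    # Userinit: one entry, system32\userinit.exe; the trailing comma is normal.
    userinit = str(keys.get(HKLM_WINLOGON, {}).get("userinit", ""))
    parts = [p.strip() for p in userinit.split(",") if p.strip()]
    if len(parts) != 1 or not parts[0].lower().endswith(r"\system32\userinit.exe"):
        findings.append(f"{HKLM_WINLOGON}\\Userinit = {userinit!r}")
    # AppInit_DLLs is loaded into every process that links user32; should be empty.
    appinit = str(keys.get(HKLM_WINDOWS, {}).get("appinit_dlls", ""))
    if appinit.strip():
        findings.append(f"{HKLM_WINDOWS}\\AppInit_DLLs = {appinit!r}")
    # NoDesktop=1 hides every desktop icon, one way to "blank" a desktop.
    if keys.get(HKCU_EXPLORER_POLICY, {}).get("nodesktop") == 1:
        findings.append(f"{HKCU_EXPLORER_POLICY}\\NoDesktop = 1")
    return findings


def load_reg_file(path):
    """reg export writes UTF-16 with a BOM on XP; fall back to 8-bit text."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    report = audit(parse_reg(text))
    print("\n".join(report) if report else "shell-related keys at XP defaults")
```

    To use it on the problem PC, export the four keys from Task Manager's New Task box (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, then the others appended to the same file or passed one at a time) and run the script on the file. An empty report means the shell settings are at their defaults and the cause of My Documents opening at logon lies elsewhere; any finding names the exact key and value to inspect before changing it.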
     
  22. oldmotorbikes

    oldmotorbikes Private E-2

    Thanks for your help. I have attached the file as requested but I will not be able to read your response as I will be away from home until early next week. I will check back then. Thanks again.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well at this point all I can say is that I see no malware or other reasons for this problem with My Documents opening. I still expect it is a setting somewhere but it is not listed under any registry keys that contain the word explorer.exe. It could be elsewhere.

    I suggest that you describe in detail your remaining problem in a new post in the Software Forum and reference this thread for them to look at if they wish. Your other options may be to
    1. try using System Restore to return to a point before this problem began
    2. try a Windows Repair using your CD
    3. a reinstall.
     
  24. oldmotorbikes

    oldmotorbikes Private E-2

    I have never used this before as I have never performed any system backups.

    I have tried this once before but got confused and cancelled it. Can you point me to "how to run" instructions as I want to try this.

    I do not like this idea. I can live with the fix!

    thanks again for your help.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    System Restore points are made automatically by Windows XP as long as you have not disabled System Restore.


    Try the Software Forum.
     
  26. oldmotorbikes

    oldmotorbikes Private E-2

    Found out how to "repair" windows, run it, and it has worked - my desktop is restored.

    Thanks again for your help.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
