Infected with Spyware, followed above steps...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TheBlackClap, Oct 10, 2006.

  1. TheBlackClap

    TheBlackClap Private First Class

    My PC is acting very very slow, freezing up and such. I followed the above steps and will be posting my logs in both this post and next reply; thank you MG tech support.

    TheBlackClap
     
    Last edited: Oct 19, 2006
  2. TheBlackClap

    TheBlackClap Private First Class

    last two attachments
     
    Last edited: Oct 19, 2006
  3. TheBlackClap

    TheBlackClap Private First Class

    Still need some help......
     
  4. TheBlackClap

    TheBlackClap Private First Class

    I have come to majorgeeks many times for all of my problems; you guys have never made me wait this long.
     
  5. TheBlackClap

    TheBlackClap Private First Class

    Bump..............
     
  6. TheBlackClap

    TheBlackClap Private First Class

    Bump x2

    Please..........
     
  7. TheBlackClap

    TheBlackClap Private First Class

    Bump Bump Bump
     
  8. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi. Basically, by bumping your thread continually, you have dropped each time to the bottom of the queue in this very busy part of the forum, as the malware guys DO NOT work from the 1st page backwards; they always work from, for example, the last current outstanding thread, which may be on pages 3, 4, 5, etc.

    So by bumping you have missed Chaslang reading your thread over the space of two days, as, like all of us, we only have a certain amount of free time to answer questions, due to busy home or work lives. Helping others we do freely because we like to help, but at present, as many security forums are not stopping assisting or reading malware logs, we have become busier, and as you'll appreciate, removing malware and reading the necessary logs is time consuming, so you'll just have to bear with us.

    We know malware is stressful and causes grief, but if you don't continually bump or start new threads to get on the 1st page, your logs will be looked at more quickly.

    Cheers.
     
  9. TheBlackClap

    TheBlackClap Private First Class

    I am sorry. Had I known that bumping my thread out only put me further away and confused you guys a bit more, then I am sorry. I had no idea and have not noticed this the past few times I have been here. Thanks for clearing it up!

    TBC
     
  10. matt.chugg

    matt.chugg MajorGeek

    Whilst you do have some small spyware infections, I am not convinced all of your problems are malware related. You have SEVERAL customizing apps installed, including:

    WindowFX
    LogonStudio
    BootSkin
    CursorXP
    DesktopX

    Those are just the ones I know of; there may be others. Most of these require lots of integration into the core operating system and are probably the issue.

    Have you tried removing these and seeing if there is an improvement?

    You should uninstall the following:

     
  11. TheBlackClap

    TheBlackClap Private First Class

    Matt,
    I deleted the above applications; now my PC is really acting weird. Pop-ups saying I have a virus and I need to delete it. Pops up tons of porn images and a flashing X and ? mark in the bottom right task bar.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What program is popping up to warn you about a virus?

    Is it Symantec?

    Tell us exactly what you see in the popups (word for word).

    Attach new logs from the below:
    - ShowNew
    - GetRunKey
    - HJT
     
  13. TheBlackClap

    TheBlackClap Private First Class

    Thanks for the reply Chaslang.

    First off, in the bottom right hand corner (I believe this is the task bar?) I have two items that should not be there. First, a blinking ! inside a yellow triangle. There is a balloon message that pops up above it too:

    "System Alert: Malware threats

    Your computer is infected with a back door Trojan that allows the remote attacker to perform various malicious actions. Click this Balloon to download malware removal software"

    The second item in the task bar is a blinking X and ?. If I click on that one, it sends me to Virusbuster.com.

    I am using Symantec as well. That program is not giving me the warnings; the trojans are. When I deep scan my PC with Symantec it comes up with 3 trojans, but leaves them as is. I can't do anything with them.

    I can't recall all of the pop-ups, but I will try to remember and also wait for some to pop up.

    Adult FriendFinder


    The more pop-ups I get, the more I will post here.
    thanks Chaslang!!!!
     
  14. TheBlackClap

    TheBlackClap Private First Class

    Okay here are the logs. Thanks man
     

    Attached Files:

  15. TheBlackClap

    TheBlackClap Private First Class

    Another balloon just popped up in the bottom right task bar (flashing ! in triangle).

    "Security Alert: Networm-i.Virus@fp

    Type: Virus/Network Worm
    Damage Level: High
    Description: Virus that infects Executable files
    Recommendation: Delete Quarantine Immediately
    Protection: Click this balloon to download Certified Antivirus Software
     
  16. TheBlackClap

    TheBlackClap Private First Class

    And the last two you requested Chaslang.
     

    Attached Files:

  17. TheBlackClap

    TheBlackClap Private First Class

    A new pop-up:

    Critical System Warning!

    Your system is probably infected with the latest version of Spyware.Cyberlog-X.
    Type: spyware
    Infection Length: 266,129 bytes
    Risk: High
    Systems Affected: Windows 95, 98, NT, 2003 Server, Windows XP
    Behavior: Spyware.Cyberlog-X is a spyware program that monitors user activity, logs keystrokes, and tracks Web sites visited.
    Symptoms: Low Internet Connection Speed, Low system performance, security center alerts, strange pop up windows.
    Protection: Click OK to download antispyware software.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you edit your older messages and delete the logs? This was not necessary, nor is it desired. When you do this you remove the history of what is being done. Please do not do this anymore. In fact, you are not even supposed to be allowed to do this, but there are bugs in the vB code used by the forum that allow this to happen sometimes.

    I'm going to post two messages! This is the first! Complete this procedure completely, including attaching the requested log, before doing the second procedure.

    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
    Select option #1 - Search by typing 1 and press Enter.
    This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the Safe Mode directions in the READ & RUN ME.

    Open the SmitfraudFix folder on your Desktop, then double-click the smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and Disk Cleanup to finish.
    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually, BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

    Now reboot into normal mode and attach this new rapport.txt log here.

    Now attach new logs from:
    - GetRunKey
    - ShowNew
    - HJT
     
  20. TheBlackClap

    TheBlackClap Private First Class

    Chaslang,

    Hello! The reason I had to delete my previous logs is because my download section was plumb full. It would not let me post a document; very odd. Won't happen again though, sorry!


    Okay, so I ran the first step. Here is the log, included (the message said for me not to go any further until your go-ahead).

    Thanks!
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what message number 19 already was, so go ahead and complete the instructions in message #19.
     
  22. TheBlackClap

    TheBlackClap Private First Class

    Chas-

    Hey man, it appears that when I ran that program in clean mode it deleted the three viruses that I couldn't get off. The flashing icon in the bottom right is gone now. Here are the logs that you desired. Thanks man!
     

    Attached Files:

  23. TheBlackClap

    TheBlackClap Private First Class

    last log
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never installed and renamed HijackThis as requested in step 7 of the READ ME!!!!

    Delete the below files:
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
    C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url


    Other than the above, your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
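The two Start Menu shortcuts chaslang lists above, and the wininet.dll replacement offered in the SmitfraudFix clean step, as an added Python example that is not from this thread and is not SmitfraudFix's own code: it parses Windows Internet Shortcut (.url) files to show where a Start Menu entry actually points, flags any whose host is not on an allow list (so a "Security Troubleshooting" link that leads off to a rogue AV vendor stands out), and compares a DLL to a trusted reference copy by hash rather than by name or size. The URL targets, the trusted-host set and the DLL bytes are constructed placeholders; the thread does not say where the real shortcuts pointed.

```python
"""Added example: two triage checks for a SmitFraud-style cleanup.
Not from the forum thread and not SmitfraudFix code; all sample data is
constructed and the URL targets are placeholders."""
import configparser
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# Assumption: hosts a Start Menu shortcut may legitimately point at.
TRUSTED_HOSTS = {"www.microsoft.com", "www.majorgeeks.com"}

# Constructed stand-ins for the two shortcuts the helper said to delete, plus
# one benign entry. The URL targets are invented, not the real ones.
SAMPLE_SHORTCUTS = {
    r"C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url":
        "[InternetShortcut]\nURL=http://rogue-av.example/guide\n",
    r"C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url":
        "[InternetShortcut]\nURL=http://rogue-av.example/troubleshoot?aff=1\n",
    r"C:\Documents and Settings\All Users\Start Menu\MajorGeeks.url":
        "[InternetShortcut]\nURL=http://www.majorgeeks.com/\n",
}


def shortcut_target(text):
    """Return the URL= value of a Windows .url (Internet Shortcut) file, or None.
    A .url file is INI text whose [InternetShortcut] section carries the target."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def suspicious_shortcuts(shortcuts, trusted=TRUSTED_HOSTS):
    """Return {path: target} for shortcuts whose host is not trusted, or whose
    contents cannot be parsed at all (a shortcut with no readable target is
    itself worth a look)."""
    flagged = {}
    for path, text in shortcuts.items():
        target = shortcut_target(text)
        host = urlparse(target).hostname if target else None
        if host is None or host.lower() not in trusted:
            flagged[path] = target
    return flagged


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dll_matches_reference(live_path, reference_path):
    """The check behind 'Replace infected file?': compare the live DLL with a
    trusted reference copy (on XP, the one in system32\\dllcache) by hash.
    A patched wininet.dll keeps its name and usually its size, so only the
    content comparison is meaningful."""
    return sha256_of(live_path) == sha256_of(reference_path)


def demo_dll_check():
    """Write a clean reference plus an intact and a tampered 'live' copy to a
    temp dir; return (clean_result, tampered_result) from the comparison."""
    with tempfile.TemporaryDirectory() as d:
        reference = os.path.join(d, "dllcache_wininet.dll")
        live_ok = os.path.join(d, "wininet_ok.dll")
        live_bad = os.path.join(d, "wininet_bad.dll")
        clean = b"MZ" + b"\x00" * 510            # constructed stand-in, not a real PE
        tampered = clean[:-8] + b"INJECTED"      # same length, different bytes
        for p, data in ((reference, clean), (live_ok, clean), (live_bad, tampered)):
            with open(p, "wb") as f:
                f.write(data)
        return (dll_matches_reference(live_ok, reference),
                dll_matches_reference(live_bad, reference))


if __name__ == "__main__":
    for path, target in suspicious_shortcuts(SAMPLE_SHORTCUTS).items():
        print("delete:", path, "->", target)
    print("wininet.dll intact / tampered:", demo_dll_check())
```

On a live XP box the same functions would be pointed at the real All Users\Start Menu folder and at system32\wininet.dll versus system32\dllcache\wininet.dll; the allow list is something the analyst decides, since a legitimate vendor link in the Start Menu root is possible but rare.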
  25. TheBlackClap

    TheBlackClap Private First Class

    Thank you Chaslang, your help is appreciated. This is the second time you guys have helped me out and cleaned me up. I honestly appreciate it and tell everyone I know about you guys. Thanks again!!!!

    TheBlackClap
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
