Spyware.cyberlog-x "Critical System Warning!" Popup and system tray 'balloon' warning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mattler, Jun 3, 2008.

  1. mattler

    mattler Private E-2

    Hey folks,

I seem to have downloaded a whole medley of malware. The problem started with a system window which kept popping up, along with a slow computer and a disabled wireless connection. The system window said the following:

    Critical System Warning!
    Your system is probably infected with the lastest version of Spyware.Cyberlog-X.
    Type: Spyware
    Infected Length: 266,129 bytes
    Risk: High
    Affected Systems: Windows 95, 98, 2000, NT, 2000 Server, Windows XP
    Behavior: Cyberlog-X is a spyware program that monitors user activity, logs keystrokes, and track Web sites visited.
    Symptims: Low Internet connection speed
    Low System Performance
    Secyrity center alerts
    Strange pop up windows
    Protection: Click OK to download antispyware software

    Additionally, there were two or three other unique balloon-style warnings that would pop up out of the system tray. Can't recall what they said.

    I followed the malware removal instructions on this site, and each step seemed to find a whole bunch of problems. While the symptoms are no longer present, I want to be sure that I caught everything. Would someone mind taking a look at my log files to make sure?

    Thanks in advance, I'm very grateful for the help!

    Cheers,
    Matt
     

    Attached Files:

  2. mattler

    mattler Private E-2


    The ComboFix log.
     

    Attached Files:

  3. abri

    abri MajorGeek


    Hi mattler,
    Welcome to Major Geeks!


    You have a few malware entries left and some things that need to be fixed to avoid future vulnerabilities. Please do the following:

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {0F4C92D5-2964-4054-90CD-03D5071F38CE} - C:\WINDOWS\system32\pmnKabbY.dll (file missing)
    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - C:\WINDOWS\system32\iifgEvwV.dll (file missing)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O20 - Winlogon Notify: iifgEvwV - iifgEvwV.dll (file missing)


    Does the following program have to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    After you click fix, just close hijackthis.



    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    FILE::
    C:\WINDOWS\system32\pmnKabbY.dll
    C:\WINDOWS\system32\iifgEvwV.dll
    C:\WINDOWS\system32\acctresk.exe
    
    FOLDER::
    C:\Documents and Settings\Owner\Local Settings\Temp\BTN%Copy%1
    C:\WINDOWS\system32\vntiho06
    
    REGISTRY::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F4C92D5-2964-4054-90CD-03D5071F38CE}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifgEvwV]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri

     
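The HijackThis lines abri flags in step 2 share one pattern: the registration is still in the registry (a BHO CLSID under Explorer\Browser Helper Objects, or a Winlogon\Notify subkey) but the DLL it points to is gone ("(file missing)" or "(no file)"). That is the usual residue left when an antivirus deletes the file but not the registration, and it is exactly what the REGISTRY:: section of the CFScript in step 3 removes. The following is an added example, not code from this thread, from HijackThis or from ComboFix: it parses HijackThis O2 and O20 lines, flags the orphaned ones, and writes them out in the CFScript form the post itself uses. Assumptions: the sample log is constructed from the lines quoted above plus one invented, benign-looking BHO (name and CLSID made up) whose file is present; a Winlogon Notify DLL given by bare name is assumed to live in C:\WINDOWS\system32; and no CFScript syntax beyond the sections shown in the post (KILLALL::, FILE::, FOLDER::, REGISTRY:: with [-key]) is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: HijackThis "system scan only" lines of the kind quoted in the
# post, plus one invented BHO ("Example Helper", made-up CLSID) whose DLL is present, to
# show that a registration with a live file is NOT flagged automatically.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0F4C92D5-2964-4054-90CD-03D5071F38CE} - C:\WINDOWS\system32\pmnKabbY.dll (file missing)
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - C:\WINDOWS\system32\iifgEvwV.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: iifgEvwV - iifgEvwV.dll (file missing)
"""

# Registry locations behind an O2 and an O20 line (the same keys the post's CFScript deletes).
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SYSTEM32 = r"C:\WINDOWS\system32"  # assumed directory for a Notify DLL listed by bare name

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


@dataclass
class Entry:
    kind: str                  # "O2" (BHO) or "O20" (Winlogon Notify)
    name: str                  # BHO display name or Notify subkey name
    reg_key: str               # registry key that HijackThis "Fix" would delete
    file_path: Optional[str]   # DLL path, or None when the line says "(no file)"
    orphaned: bool             # True when the registration points at a DLL that is gone


def _split_target(target: str, default_dir: Optional[str]) -> Tuple[Optional[str], bool]:
    """Turn the text after the last ' - ' into (dll path or None, orphaned flag)."""
    target = target.strip()
    if target == "(no file)":
        return None, True
    orphaned = target.endswith("(file missing)")
    path = target[: -len("(file missing)")].strip() if orphaned else target
    if default_dir and "\\" not in path:          # bare DLL name: assume the default load dir
        path = default_dir + "\\" + path
    return path, orphaned


def parse_hjt(text: str) -> List[Entry]:
    """Parse O2 and O20 lines; other line types (e.g. O4 Run entries) are left to a human."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            path, orphaned = _split_target(m["target"], None)
            entries.append(Entry("O2", m["name"], BHO_KEY + "\\" + m["clsid"], path, orphaned))
        elif m := O20_RE.match(line):
            path, orphaned = _split_target(m["target"], SYSTEM32)
            entries.append(Entry("O20", m["name"], NOTIFY_KEY + "\\" + m["name"], path, orphaned))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.orphaned]


def build_cfscript(entries: List[Entry], extra_files=(), extra_folders=()) -> str:
    """Emit CFScript.txt text using only the sections the post's own script uses."""
    files: List[str] = []
    for p in [e.file_path for e in orphaned(entries) if e.file_path] + list(extra_files):
        if p not in files:                        # O2 and O20 may name the same DLL
            files.append(p)
    lines = ["KILLALL::", ""]
    if files:
        lines += ["FILE::"] + files + [""]
    if extra_folders:
        lines += ["FOLDER::"] + list(extra_folders) + [""]
    lines += ["REGISTRY::"] + [f"[-{e.reg_key}]" for e in orphaned(entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_hjt(SAMPLE_HJT_LOG)))
```

Two points of judgement the script deliberately does not automate. A BHO whose DLL is present (the invented "Example Helper" here) is not listed just because its name is "(no name)"; decide on the file itself, not on the log line. And the extra items in abri's script (the ShellExecuteHooks value, the Policies\System values, the Temp and system32 folders) come from other parts of the logs, not from O2/O20 lines, so they have to be supplied as extra_files/extra_folders or by hand. After fixing, rerun the HijackThis scan and confirm the flagged lines are gone before treating the machine as clean.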
  4. mattler

    mattler Private E-2


    Hi abri,

    Here are the log files, as requested. Thanks for taking the time to help me out, it's a big load off my mind!

    Cheers
     

    Attached Files:

  5. abri

    abri MajorGeek


    Hi mattler,
    Your logs look good. How is your computer running now?
    abri
     
  6. mattler

    mattler Private E-2


    Everything seems to be working fine now. I'll keep an eye on it for now. Thanks again for the help!

    Cheers,
    Matt
     
  7. abri

    abri MajorGeek


    You're welcome mattler!
    Before you run off, I want to post the final cleanup instructions for you which will remove all the tools and logs we had you put on your computer and you'll be asked to clear your previous restore points and set a clean one so you'll have a clean one to come back to. They are these:
    abri
     
  8. mattler

    mattler Private E-2


    Hi again abri,

    Made it through the cleanup sequence just fine, and for a while things seemed to be normal, although the computer did feel just ever so slightly sluggish. Additionally, once in a while when absolutely nothing is running, I get a cursor with the hour glass beside it, cycling on and off for quite a while.

    Since then, I've made several attempts to load service pack 3, with no luck. It fails every time. I do have Windows Installer 3.1 installed. After cruising through some other forums I tried the following:

    Start/Run: regsvr32 qmgr.dll (OK)
    Start/Run: regsvr32 qmgrprxy.dll (OK)

    Rebooted and commenced the download process again. The install failed again, this time with a sequence of popup system messages. After I exited iexplore, the computer was sluggish, and the hour glass was up again, so I went into task manager to see where all the resources were going. Update.exe was at the top of the list, bouncing between 45 and 60% of cpu usage.

    I guess this is the long way of asking, but do you think this is related to my previous problems?

    Thanks in advance!

    Matt
     
  9. abri

    abri MajorGeek


    Hi mattler,

    Do you still get the sluggishness if you turn off your automatic updates?

    Please go to USING MG TOOLS and create a new set of MGlogs.zip as per the instructions and attach it here.


    abri
     
  10. mattler

    mattler Private E-2


    Hi abri,

    Haven't noticed a difference in performance when toggling automatic updates. The performance issue seems to be sporadic - occasional, but unexplainable hits in performance. Wouldn't be surprised if the automatic updates problem was entirely unrelated; I may try to contact their tech support.

    Here is my mglogs. Thanks for helping me work through this!

    Cheers!
     

    Attached Files:

  11. abri

    abri MajorGeek


    Hi mattler,

    There is one thing I forgot to have you do, but I don't think it will relate to your problems. Controlling startup items using msconfig causes problems with programs being uninstalled correctly. As a result, you have leftover antivirus entries that need to be removed. That can be done as follows:

    Download and install Erunt. Use it to create a backup of your registry.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    Then please run the following:

    Windows Installer CleanUp Utility

    abri
     
  12. mattler

    mattler Private E-2


    Thanks abri. I modified the registry as instructed. I have yet to run the Windows Cleanup Utility, as I didn't see any programs listed in there which had been previously uninstalled.

    I have a feeling my windows update problem is unrelated. Thanks for taking a stab at it, hope I can return the favour some day!

    Cheers!
     
  13. abri

    abri MajorGeek


    Thanks, matt!
    I asked Chaslang to see if I overlooked anything or if he has anything to add. That could take a couple of days, but you may still hear back one more time.
    abri
     
