AntiSpy Spider I do believe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bocephus, Jun 6, 2008.

  1. Bocephus

    Bocephus Private E-2

    I do believe I have antispyspider. My desktop is all red and says "Warning: Your computer is under rewarded attack your computer is infected by anonymous rewarded program operating system has several fatal errors due to spy ware activity is strongly recommended to install an antispyware software to eliminate all security vulnerabilities" (and there is a hot link, and when clicked it brings me to the antispyspider.us/69 web site). Could someone point me in the right direction? Thanks. I was looking at the (Enimrac1206) thread and it sounds real close to what I'm dealing with.
     
  2. abri

    abri MajorGeek

    Hi Bocephus,
    Welcome to Major Geeks!


    You have malware. And if you have one thing, chances are very good that you have more than one thing. For us to be able to help you, we need to look at logs produced by a set of scans that we ask you to run in the READ & RUN ME FIRST. Please go through these instructions. You will likely get some relief from the symptoms as you work through these scans and afterwards, you can attach the requested logs using the Manage Attachments button down below the reply box.

    Thanks.
    abri
     
  3. Bocephus

    Bocephus Private E-2

    I'm going through the READ & RUN ME first.... I'm at the part "Empty ALL Quarantine type folders for antivirus and antispyware applications." I do have Spybot S&D and I can't seem to find how to empty the quarantine folder. Should I just uninstall the whole program? Thanks.
     
  4. abri

    abri MajorGeek

    Hi Bocephus,

    No, don't uninstall it. Just go on with the instructions. What is important is that Spybot's TeaTimer is disabled, that your computer is in normal startup mode with msconfig, and that you run all the scans possible so we have your logs to work with.

    abri
     
  5. Bocephus

    Bocephus Private E-2

    It seems to be running back to normal. Here are 2 out of 4 logs.
     

    Attached Files:

  6. Bocephus

    Bocephus Private E-2

    Thanks again, and hopefully I'm done with the Spider.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi Bocephus,

    Your computer is badly infected. Please try not to use it and don't reboot unnecessarily until one of us can post a set of instructions to you. This takes some time, so thanks for being patient.

    abri
     
  8. abri

    abri MajorGeek

    Hi Bocephus,

    I have some instructions partially made, but in infections like this, it helps to have as much information regarding the files as possible.

    Your MGlogs are not correct, so I don't yet have all the information I need. I think this may be due to a procedural problem. When you install the tools, you need to install them to C:\. There will be a file called MGTools.exe which you run. When you run this, it will put a folder called MGTools under C:\ and it will produce a set of 5 logs which will all be together in a zipped file called MGlogs.zip, also under C:\.
    If you installed the tools correctly according to the instructions, then something went wrong when they ran. Please review the instructions in USING MG TOOLS. Did you get any errors? If they are installed in C: and there is a folder there called MGTools, please open this folder and find the file called GetLogs.bat and double-click on it. Allow this to run. If you get any error messages, please tell me which error you are getting.

    Also, you may have a rootkit. I would like for you to run a rootkit scan. Please go to
    Running GMER to detect rootkits and follow the instructions.

    Attach the new logs from each of these steps (MGlogs.zip - under C:\ and GMER) and let me know how this goes.
    abri
     
    Last edited: Jun 11, 2008
  9. Bocephus

    Bocephus Private E-2

    Abri: Sorry, I think I was ahead of myself running the MGTools. I now have 5 logs and it ran without an error, and no warning on GMER.
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi Bocephus,

    I would like for you to go through the following instructions in order. If there is something you can't do, please continue on, but let me know what happened in that case.

    1) Please download Registry Search (see the link titled RegSearch Download Link)

    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter clbdll in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.


    2) Install the current version of Sun Java from: Sun Java Runtime Environment

    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click; use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {E36B50BB-B411-41C2-A1C4-DC35E7095E55} - C:\WINDOWS\system32\qoMeeBsq.dll (file missing)
    O2 - BHO: (no name) - {E778BCB1-23B0-4112-BD78-E341CBD8D87A} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    Does the following program have to load at startup? If not, please fix it as well.

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    After you click fix, just close hijackthis.

    5) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    swenumm
    clbdll
    
    FILELOOK::
    C:\WINDOWS\BMf75528aa.txt
    
    FILE::
    C:\WINDOWS\BMf75528aa.txt
    C:\WINDOWS\system32\clbdll(2).dll
    C:\WINDOWS\system32\WinCtrl32(2).dll
    C:\WINDOWS\system32\WLCtrl32(2).dll
    C:\WINDOWS\system32\LA20F.tmp
    C:\WINDOWS\system32\LA309.tmp
    C:\WINDOWS\system32\LA3F3.tmp
    C:\WINDOWS\system32\LA4BF.tmp
    C:\WINDOWS\system32\qoMeeBsq.dll
    C:\WINDOWS\system32\drivers\swenumm.sys
    
    FOLDER::
    C:\Program Files\QdrModule(2)
    C:\Program Files\QdrPack(2)
    C:\Program Files\webHancer(3)
    C:\WINDOWS\mgwwgmke
    C:\WINDOWS\QnVzaEhvZw
    C:\WINDOWS\system32\3546
    C:\WINDOWS\system32\dFrnx06
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E778BCB1-23B0-4112-BD78-E341CBD8D87A}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E36B50BB-B411-41C2-A1C4-DC35E7095E55}]
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTStartup"=-
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    6) Now run CCleaner at the default setting with the Windows tab as the top one.


    7) You have a lot of open ports, so before I have you do the final step of this set of instructions, I would like for you to go to How to Protect Yourself from Malware and download and install one of the free firewalls if you do not have one, or if you are using the Windows Firewall, which is not adequate. If you are not familiar with firewalls, I recommend ZoneAlarm, as it's easy to use.



    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log and the log from the RegSearch.


    Let me know how things are running now.

    abri
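    The CFScript in step 5 is a small line-oriented format: a `NAME::` header opens a section, and the lines under it are the entries that section acts on. Before dragging such a script onto ComboFix it is worth reading it back as a checklist of what it will do. The following is an added example for this thread, not abri's code and not part of ComboFix; it parses the script exactly as posted above and groups the requested actions. The section meanings it uses (KILLALL:: ends running processes, DRIVER:: removes driver/service entries, FILELOOK:: logs file details, FILE:: and FOLDER:: delete, and under REGISTRY:: a `[-key]` line deletes the key while `"name"=-` deletes one value) are this example's reading of the script; the function names and the two sanity checks at the end are the example's own.

```python
"""Parse a ComboFix CFScript (like the one abri posted) into a reviewable checklist."""
import re

# Constructed sample: the CFScript from the post above, copied verbatim.
SAMPLE_CFSCRIPT = r"""KILLALL::
DRIVER::
swenumm
clbdll
FILELOOK::
C:\WINDOWS\BMf75528aa.txt
FILE::
C:\WINDOWS\BMf75528aa.txt
C:\WINDOWS\system32\clbdll(2).dll
C:\WINDOWS\system32\WinCtrl32(2).dll
C:\WINDOWS\system32\WLCtrl32(2).dll
C:\WINDOWS\system32\LA20F.tmp
C:\WINDOWS\system32\LA309.tmp
C:\WINDOWS\system32\LA3F3.tmp
C:\WINDOWS\system32\LA4BF.tmp
C:\WINDOWS\system32\qoMeeBsq.dll
C:\WINDOWS\system32\drivers\swenumm.sys
FOLDER::
C:\Program Files\QdrModule(2)
C:\Program Files\QdrPack(2)
C:\Program Files\webHancer(3)
C:\WINDOWS\mgwwgmke
C:\WINDOWS\QnVzaEhvZw
C:\WINDOWS\system32\3546
C:\WINDOWS\system32\dFrnx06
REGISTRY::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E778BCB1-23B0-4112-BD78-E341CBD8D87A}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E36B50BB-B411-41C2-A1C4-DC35E7095E55}]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"=-
[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
"""

SECTION_RE = re.compile(r"^([A-Z]+)::$")          # e.g. FILE::
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")         # [key] or [-key]
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "name"=data, "-" means delete

def parse_cfscript(text):
    """Split the script into {section: [entry, ...]}, keeping file order."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])   # KILLALL:: has no entries
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def parse_registry(entries):
    """REGISTRY:: entries -> (key, action, value_name) tuples (assumed semantics)."""
    actions, key = [], None
    for line in entries:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":              # [-key] removes the whole key
                actions.append((key, "delete_key", None))
            continue
        m = REG_VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unrecognised registry line: {line!r}")
        name, data = m.groups()                # "name"=- removes one value
        actions.append((key, "delete_value" if data == "-" else "set_value", name))
    return actions

def summarize(text):
    """Group the parsed script by the kind of action it requests."""
    s = parse_cfscript(text)
    return {"kill_all": "KILLALL" in s, "drivers": s.get("DRIVER", []),
            "inspect_only": s.get("FILELOOK", []), "files": s.get("FILE", []),
            "folders": s.get("FOLDER", []),
            "registry": parse_registry(s.get("REGISTRY", []))}

def logged_before_deletion(summary):
    """FILE:: entries also listed under FILELOOK::, so their details reach the log first."""
    return [f for f in summary["files"] if f in summary["inspect_only"]]

def drivers_without_sys_file(summary):
    """DRIVER:: names with no matching .sys under FILE:: (worth a second look)."""
    listed = {f.rsplit("\\", 1)[-1].lower() for f in summary["files"]}
    return [d for d in summary["drivers"] if f"{d.lower()}.sys" not in listed]
```

Running `summarize(SAMPLE_CFSCRIPT)` shows the script deletes 10 files, 7 folders, 4 registry keys and 11 registry values, logs `BMf75528aa.txt` before removing it, and names one driver (`clbdll`) whose service entry is removed without a `.sys` file in the FILE:: list, which is the kind of detail a helper checks against the logs before posting the script.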
     
  11. Bocephus

    Bocephus Private E-2

    Abri, it seems to be running fine. The Windows Messenger was already disabled, and after running ComboFix it did reboot. And again... thanks for your guidance and help.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi Bocephus,

    Please go to add/remove programs and uninstall GameSpy Arcade

    See if this helps. Then I would like for you to do the following:

    You have a lot of programs under C:\Programs which may or may not belong there. You need to create an extra folder under C: called Downloads. When you download something and it doesn't require a specific location, then you can first download it to this new folder called Downloads.

    At the moment you have a lot of installation files, zip files and .exe files under C:\Programs and I would like for you to look at the list in the box below and decide if you can get rid of any of the ones which are installation files. If you know the program to be the real program rather than the installation program, you can leave it, but normally when a program installs, it creates a folder of its own and its .exe file is located in that folder. It's pretty safe to assume if the word setup is in the name of the program, that this is the installation program and it can be deleted if you don't need it anymore. If you want to keep it anyway, move it into your new Downloads folder. If you're not sure about it, just leave it.

    To make things easier, I've highlighted all those with the word setup in the file name. Please delete them or create the new folder called Downloads and move them there.
    I don't expect this to get rid of the warning you're getting, but it will help your computer anyway and will make it easier to narrow down the problem.

    When you finish, please go to the C:\MGTools folder and find the file GetLogs.bat. Double-click on this and allow it to run. Then when you come back here to post, click on the Manage Attachments button and look for the MGlogs.zip file directly under C:\

    Attach this to your next post.

    Thanks.
    abri
     
