HELP potential spyware problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by quartermilerocket, May 8, 2006.

  1. quartermilerocket

    quartermilerocket Private First Class

    Hello everybody,

    Here's my problem: I was searching for some animated gifs on Yahoo and I came across this site, and with my luck it was a porno site. Norton immediately alerted me of a trojan and said that it got rid of it. Then I tried to get out of the site and it wouldn't let me; I tried to do a Control-Alt-Delete, and that didn't work either.

    So I had to push in the power button for 6-7 seconds and then restart the computer. When my desktop icons came up the screen went gray, then a deep, deep blue, and it then said:

    "Systemerror #1752 Your computer has several fatal errors due to spyware activity. Your IP address is and via this address an unauthorized access was gained by another computer. It is strictly recommended to install an antivirus software to close all breaches. They know you are on Internet Explorer and you have an Intel Pentium 4 CPU with 2.8 GHz and 479 MB of RAM. Risk status for further investigation is very high risk. To protect from spyware attacks click here; to erase tracks of internet security click here".

    Also on my desktop there is an exclamation point icon that keeps on popping up; it says:

    "Your computer is infected. Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up to date antispyware for you. Click here to protect your computer from spyware".

    I clicked on that icon and a website called telsa.com came up with several downloads. Is this a trick or what? PLEASE SOMEBODY, ANYBODY, HELP. This is our only computer and my wife uses this computer for school. Please, can someone read this and tell me what to do? I can turn the computer on and off and this deep blue screen is still there with all the alerts. One more thing: I just scanned with Norton, 75,000 files, and it said good, and same thing with Defender2, over 400,000 objects and everything is good. I really don't know what to do. Steve helped me out on my last issue with uninstalling Norton, but this thing is just scary :eek:.




    Thanks

    James
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Hello James

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. quartermilerocket

    quartermilerocket Private First Class

    Hello Shadow_Puter_Dude,

    Thanks for your reply :). Well, now to get started: some stuff in the READ ME I could not get to work or figure out.

    I could not figure out how to empty the Norton protected recycle bin, and Panda stopped halfway through the scan at about 300,000 files and said "choose profile name", so I closed that box and saved the report. Didn't understand that one :confused:

    Bitdefender found I think 6 viruses and trojans; some were deleted. Panda found a malicious software and spyware but did not delete them.

    CCleaner was good, deleted a bunch of stuff, as did Ad-Aware, which deleted quite a bit also. Defender2, malicious software tool, CWShredder, Kill2Me and Spybot were clean, with the exception of Spybot, which found I think 5 things and deleted them. All scans were done in safe mode with hidden files showing. One thing I didn't understand: in the middle of the Panda scan I went downstairs for a moment and came back upstairs, and found out the computer had kicked out of safe mode and was wanting my password. So I got back in and it said "Windows has recovered from a serious error", so I clicked off of the report, and the deep blue screen that said 1752 error went away and the flashing popup in the lower right hand corner went away too.

    I went back to my Panda scan to see if the spyware and stuff were still there, and of course they were. I almost forgot: Bitdefender, after the scan, said it saw something unwanted; it didn't delete it or anything. It was
    "intel32/.exe c:/windows/system32/intell32.exe", whatever that means. I believe I followed the READ ME pretty well and ran everything in the order it was supposed to be run. Here are my scans in the order that I did them. Well, I guess I'll read this post tomorrow when I get off work around 5-6 p.m. Now to go to bed for an hour :eek:

    Thanks again

    James
     
    Last edited: May 19, 2006
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have an AlfaCleaner infection, or at least what is left of one.

    Download the following
    smitRem.exe written by noahdfear and save the file to your Desktop.

    Removal Instructions
    -- You will want to print these instructions out, as ALL Browser windows will need to be closed. --

    NOTE:
    Not all of the HijackThis entries, files and services may be present on your system.

    1. First look in Add/Remove Programs and uninstall if found
    2. Now please reboot to Safe Mode
    3. Go to Start > Run and type Services.msc
    • Look for the following service
    AlfaCleanerService or AlfaCleaner.com
    • Right click it and choose Stop if not greyed out
    • Now choose Properties and change Startup Type to Disabled
    4. Now open HijackThis
    • Choose Open Misc Tools
    • Choose Delete an NT Service
    • Copy AlfaCleanerService or AlfaCleaner.com (whichever service name it was under) into the box and delete it.
    5. Open HijackThis and scan and place a check next to the following
    Now close ALL Browsers and choose Fix Checked

    6. Open your Smitrem folder located on your desktop

    7. Double click the Smitrem.exe file. Your screen will look like the following:

    8. Click Start and allow it to extract the files into the Smitrem folder on your desktop.
    9. Now please look for and delete the following files and folders
    10. Now close ALL Windows and open the Smitrem folder on your desktop.
    11. Please select Runthis.bat from the folder contents

    12. Follow the prompts on the screen.
    13. Your desktop will disappear, this is normal. When Smitrem is finished, Disk Cleanup will automatically start.

    14. When Disk Cleanup completes, please reboot your PC back to Normal Mode.
    15. Now run Panda ActiveScan
    • Click Scan your PC
    • Fill out the requested info
    • Click Scan Now
    Post Smitfiles.txt, the Panda ActiveScan log, and a fresh HijackThis log.
     
  5. quartermilerocket

    quartermilerocket Private First Class

    Hello Shadow_Puter_Dude,

    I just got home and was all ready to go. I downloaded the smitRem.exe file. In Add/Remove Programs I found Desktop Uninstall, but I didn't find AlfaCleaner.com.

    I went ahead and restarted and went into safe mode and I enabled viewing of hidden files. I clicked on Start > Run and typed Services.msc, but I didn't find AlfaCleanerService or AlfaCleaner.com.

    I don't know what to do now, because in HijackThis it wants me to copy and delete this file, but I cannot find it. Would it be under another name? :confused: I'm stuck because I don't know if I should continue if I can't find this file. :eek:

    Thanks

    James
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    As stated in the instructions, some of the files, services and entries may not be present on your system.

    Just skip over anything not found and continue with the fix.
     
  7. quartermilerocket

    quartermilerocket Private First Class

    Hey Shadow_Puter_Dude,

    I saw that "some files may not be present on your system"; I missed that :). Well, I'm on step 9 but I cannot figure out where I'm supposed to look for and delete these files and folders, because in step 10 it tells me to open the smitrem folder, so I guess they are not there :confused:. It indicates there are 7 of them to look for, but where do I look? :confused:

    James
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The full path and filename are indicated in Step 9. Just open Windows Explorer, look for the files that are indicated in Step 9 and delete them if present.
     
  9. quartermilerocket

    quartermilerocket Private First Class

    Ok, but do I click on Start > Run and find them, or go to My Computer and click on Local Disk C? Sorry, this is tripping me up.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    My Computer and click on Local Disk C.
     
  11. quartermilerocket

    quartermilerocket Private First Class

    Ok, I will try this, be back in a few.
     
  12. quartermilerocket

    quartermilerocket Private First Class

    Hello Shadow_Puter_Dude,

    In step 5 I found the first one and deleted it, "04-HKLM\..Run: [intell321.exe]....."; in step 9 I found only 1, C:\Windows\warnhp.html. I searched pretty well and couldn't find any others. I just hope I didn't overlook anything :(

    When the Disk Cleanup was running it ran drive C, then went to drive D, and then stopped running. I assumed it would say "disk cleanup completed" or something like that. I hope everything was alright :eek:.

    When I went to run Panda after the scan, it found 4 spyware and 2 malicious activity :rolleyes:. Oh well, here are my logs.

    Thanks

    James
     
    Last edited: May 19, 2006
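    The manual checks in the removal instructions above (look for the AlfaCleaner service in Services.msc and stop and disable it, check the Run entry HijackThis flagged, look for the listed files under C:\Windows) can be scripted as a read-only audit so nothing is missed by eye. The PowerShell below is an added example written for this thread; it is not part of smitRem, HijackThis or any post here. It checks only the indicators that appear in this thread (service names AlfaCleanerService and AlfaCleaner.com, the Run value intell321.exe, the files intell32.exe and warnhp.html) and only stops and disables a found service when run with -Remediate. That the bracketed text of the HijackThis O4 entry is the Run value name is my assumption.

```powershell
# Added example (not from the thread, smitRem or HijackThis): audit a Windows
# host for the indicators named in this thread. Read-only by default; with
# -Remediate it performs the manual steps 3-4 (stop + disable the service).
param(
    [switch]$Remediate
)

# Indicators taken from the thread. This is not a general AlfaCleaner
# detector; anything else on a real system needs its own analysis.
$ServiceNames = @('AlfaCleanerService', 'AlfaCleaner.com')
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValues    = @('intell321.exe')   # from the O4 entry; assumed to be the value name
$FilePaths    = @(
    (Join-Path $env:SystemRoot 'system32\intell32.exe'),  # reported by Bitdefender
    (Join-Path $env:SystemRoot 'warnhp.html')             # found in step 9
)

$findings = @()

# Step 3 equivalent: is either service installed?
foreach ($name in $ServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service present: $name (Status=$($svc.Status))"
        if ($Remediate) {
            if ($svc.Status -ne 'Stopped') {
                Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            }
            Set-Service -Name $name -StartupType Disabled
            $findings += "Service stopped and set to Disabled: $name"
        }
    }
}

# Step 5 equivalent: does the HKLM Run key carry the named value?
if (Test-Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($v in $RunValues) {
        if ($null -ne $run.PSObject.Properties[$v]) {
            $findings += "Run entry present: $v = $($run.$v)"
        }
    }
}

# Step 9 equivalent: do the listed files exist? -Force also sees hidden files.
foreach ($p in $FilePaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += "File present: $p ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this thread were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

    Run it from an elevated PowerShell prompt; service and HKLM queries need administrator rights. The script deliberately deletes nothing: in the thread the file and service removals were done through HijackThis and smitRem after a helper had reviewed the logs, and an audit that only reports keeps that review step in place.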
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following lines:
    Panda ActiveScan reports a registry entry as infected, but doesn't list the entry. I can't fix it if I don't know what it is.

    4 spyware: these are cookies and you can simply delete them if you want. The 2 malicious activity are false positives; Panda alerted on two of the tools you downloaded. This is not unexpected and happens quite often with scanners.

    To take a deeper look at your registry run the following:
    Running WinPfind by OldTimer

    Using GetRunKey

    Post winpfind.txt and runkey.txt when finished.
     
  14. quartermilerocket

    quartermilerocket Private First Class

    Hey Shadow_Puter_Dude,

    I did the scans like you said and ran HijackThis. I also fixed the 2 lines you told me to. I was going to send a report but saw you didn't request one.

    One question though: on WinPFind I went to save it but noticed at the bottom of the Notepad that it said it was saved already in the WinPFind folder. Hope this was right, as chaslang in his WinPFind post stated to "save it to a file", but it was already saved :confused:. Oh well, hope I didn't do anything wrong :(. Oh, I forgot: I did the scans, with the exception of HijackThis, in safe mode with the viewing of hidden files. My logs are down below.

    Thanks

    James
     
    Last edited: May 19, 2006
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean.

    How is your computer running?
     
  16. quartermilerocket

    quartermilerocket Private First Class

    The computer seems to be running alright, nothing strange happening. I guess I'll delete those cookies that Panda found. That was a relief that nothing was wrong with the 4 spyware.

    So about that registry entry that Panda found, nothing to worry about I assume, or hope I should say :confused:

    James
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I have no idea what registry entry needs to be fixed. You could run a registry cleaner, it just may be an orphaned entry.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have a registry patch for Activesearch. It may or may not fix what Panda is complaining about. I can post it if you would like to try it.
     
  19. quartermilerocket

    quartermilerocket Private First Class

    Would you be able to recommend one that you think would do the job, and could this be something that has the potential to be harmful?

    James
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Chas go ahead and post it. Wouldn't hurt to run the patch.
     
  21. quartermilerocket

    quartermilerocket Private First Class

    Hello chaslang,

    Sorry I didn't see your post before I posted, YES by all means I will try this, and how will I know this is fixed?

    Thanks

    James
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, there is no guarantee that it will work, and the only way to know if it fixed what Panda is finding is to run Panda again. As Shadow indicated, Panda is not giving us any useful information, so it is rather impossible to know exactly what it is detecting or if it is even a valid detection. The registry patch is very quick to use. It will take a lot longer to re-run Panda to see if the patch fixed whatever Panda is finding.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop (yes, overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry. Below you will find the patch.
     
  24. quartermilerocket

    quartermilerocket Private First Class

    Ok, I will try the RegCleaner.
     
  25. quartermilerocket

    quartermilerocket Private First Class

    Ok, I again missed your post chaslang :). Which one should I run first, the RegCleaner or this patch?

    I don't know how to copy the bold text; when I right click it says select all and selects the whole page. When I run the RegCleaner or the patch, should I send the log so one of you guys can see it?

    James
     
  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Left-click and hold, then drag to highlight the text you want to copy. Right-click on the highlighted text and select copy.

    Run the registry patch, then run Panda and post the Panda log.
     
  27. quartermilerocket

    quartermilerocket Private First Class

    Ok I'll do this, be back in a few.
     
  28. quartermilerocket

    quartermilerocket Private First Class

    Hey Shadow_Puter_Dude,

    I'm back from the Panda scan; it said I still have some things wrong. Before I did the scan I deleted my cookies and temporary internet files.

    I downloaded the RegCleaner but did not run it. After I came out of the scan and went back to my homepage I did notice it wanted me to sign in again, although I was already signed in before the scan :confused:. Anyway, here is the log; I hope everything passes the test!

    James
     
    Last edited: May 19, 2006
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The 3 potentially unwanted applications are false positives. Those are the tools you downloaded earlier.

    The registry entry, ignore it. Panda isn't giving any useful information on what it is finding. It may be, as chas stated, a false alert. That is not unusual.
     
  30. quartermilerocket

    quartermilerocket Private First Class

    Ok, so everything (should) be ok, right?

    From this point on, what should I do as far as looking for problems? I mean, Panda isn't giving any info, so what kind of things can happen if this isn't false? I guess what I'm trying to say is, in your opinion, is there anything to be greatly worried about?

    James
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's a false positive. All your other logs are clean.
     
  32. quartermilerocket

    quartermilerocket Private First Class

    Alright Shadow_Puter_Dude,

    Good enough for me. I would like to thank you for your expertise these last 2 days; your help was extremely valuable and I wouldn't have known what to do.

    Also thank you chaslang for your valuable inputs, both of you guys are real professionals :cool: . Again I say thanks (very much). :)


    James
     
