I Think My Computer is Infected with Spyware or a Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by mfletcher35, Jan 5, 2005.

  1. mfletcher35

    mfletcher35 Private E-2

    I have several windows that keep popping up over and over again. I close them and they just pop up in a few minutes.

    One says "Play Poker" on the blue bar at the top of the window, but it says "Strip-Poker The Hottest Game on the Net" in the window itself and has a picture of a barely clothed woman. I'm sure it would take me to an adult site if I clicked on it.

    The second one is a small gray box with a red "X." It says "Warning. Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy... Do you want to download certificated software and protect your computer?" I do not believe this is legitimate since I do not have a firewall installed. I think it is just someone trying to trick me into sharing information.

    The third one is a white box with blue and red trim and says "Windows System Online Test. Your system working very slow and unstable." Once again, I do not think this one is legitimate and I do not trust it.

    I have Ad-Aware 6.0 and Norton Antivirus 2005. I have downloaded the latest updates and run both of these. I also have the free 15 day trial of STOPzilla. None of these seem to help.

    Is anyone aware of any of these? Any idea where they are hiding on my computer? How do I find them and get rid of them? Also, does anyone agree that the second and third popup I described sound like it's NOT legitimate? I can take a picture of my monitor with my digital camera and send a picture to anyone the next time they pop up if you think it would help.

    Thanks in advance for any ideas or suggestions.

    Mark
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    They all sound like crapware to me!! It is likely that you have more issues than the ones immediately apparent. It would be a good idea to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
    Last edited by a moderator: Jan 5, 2005
  3. mfletcher35

    mfletcher35 Private E-2

    Thanks for the info and the link PhilliePhan. I'll have to try that another night when I have more time.

    By the way a fourth one popped up and says "Free Remote Security Scanner FRSS v2.6" on the top bar and "Scanning Internet History..." down below. It then lists a bunch of key words with all porn words listed in red. It has a gray bar at the bottom with "Reccommendations" on it.
     
  4. PhilliePhan

    PhilliePhan Guest

    Sounds like you probably have a trojan or two! If the Cleanup Tutorial doesn't remove them, then they'll show up in your HJT log and we'll do it manually.

    PP :)
     
  5. mfletcher35

    mfletcher35 Private E-2

    Thanks for your help once again.

    You'll have to excuse me. While I am semi-computer literate I am by no means an expert as some people on here. I did look over the tutorial, and I think I may be getting in over my head if I try that. I'll have to wait a day or two and see if I can get someone to assist me.

    Also, I have no idea what people are talking about when they mention a Hijack This list or a HJT list? What is it and how do I get one or produce one?

    Mark
     
  6. mfletcher35

    mfletcher35 Private E-2

The Play-Poker window just popped up again. It apparently is being stored on my computer as a jpeg image and if I click on it it will take me to a website. I right-clicked on it, then clicked on properties. I was able to get the following information:

    strip-poker.jpg

    Protocol: HyperText Transfer Protocol
    Type: JPEG Image
    Address (URL): http://www.girlsforgames.com/adultgambling/strip-poker.jpg
    Size: 128051 bytes
    Dimensions: 788 x 533 pixels

    Can anyone make anything out of this information? If not, I'll try the other suggestions over the weekend.

    Mark
     
  7. mfletcher35

    mfletcher35 Private E-2

  8. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    Got to cook dinner right now, but will check in tonight and leave you instructions for HijackThis. Also may ask Chaslang to talk you through it since he is here more than I.

    PP :)
     
  9. mfletcher35

    mfletcher35 Private E-2

    PhilliePhan:

    I've been reading what others are saying about Hijack This and I have a better understanding now. I found where I can go and download it. I'll have to give it a try and see if I can produce a list.

    Mark
     
  10. mfletcher35

    mfletcher35 Private E-2

    Need Help Unzipping Hijack This

I downloaded Hijack This to my C:\Program Files folder. Now when I double click on the icon it asks me which program I want to use to open Hijack This. What program should I use?

    Oh, I never mentioned this before, so I'll mention it now. I'm running Windows Me.

    Mark
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    You need to unzip HijackThis and EXTRACT it from the ZIP File to C:\Program Files\HijackThis.


    See if these instructions work -

To create a new folder:
    Click START > My Computer > Local Disk (C:) > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, RightClick your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HijackThis) and click Next.

    Now run HJT from there and SAVE your log as a .txt File and ATTACH it using the "Manage Attachments" tool when you post.

    I will be in the forum off and on for the next few days due to other obligations, but will try to talk you through this as best I can over that time. Please be patient :)

    PP
     
  12. mfletcher35

    mfletcher35 Private E-2

    Are you sure those instructions were for Windows Me and not another OS? I was able to create a new folder, but I didn't do it the same way you explained. When I right click on the HijackThis ZIP file I get Open With, Destroy, Scan with Norton AntiVirus, Send To, Cut, Copy, Create Shortcut, Delete, Rename, and Properties. These are the only choices. Unzip is not a choice.

    I appreciate your help and I have plenty of patience.

    Mark
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    Sorry about that - Lotsa threads, little time ;)

    Do you have WinZip or something else on your machine to unzip the file and extract HJT? What do you normally use?

    Here's a link for Winzip (30 day trial), if you don't have it. Use that to extract HJT to its folder and then scan as per the instructions in my 1st post.

    WinZip

    PP :)
     
  14. mfletcher35

    mfletcher35 Private E-2

    Thanks. Just downloaded the free trial version of WinZip. That appears to be working.

    Mark
     
  15. mfletcher35

    mfletcher35 Private E-2

    My Hijack This Log 1/6/2004 9:00 PM

    See log attached to this message. 1/6/2004 approx 9:00 PM eastern
     


  16. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    I suggest you Uninstall Stopzilla via Add or Remove Programs.

    Some of this NetZero & NZ Search stuff can be problematic, but not enough in my opinion to delete the folders. I’ll just have you fix the entries with HJT for now. We’ll do the same for the Attune. It is considered spyware – Do you use Aveo – Attune much?

    Frankly, if you want to address popups and search, you should get the Google Toolbar (which has a very good popup blocker!)


    Here are my suggestions for a fix:

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the directions in the Read Me First Cleanup Tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

    R3 - URLSearchHook: (no name) - {BEBAF9A1-C251-C9BF-3537-1067C7D98A3C} - xxtoolbar.dll (file missing)

    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUST.DLL (file missing)

    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\attune_ce.exe

    O4 - HKLM\..\Run: [ipcfg.exe] C:\WINDOWS\SYSTEM\IPCFG.EXE

    O4 - HKLM\..\Run: [scands32.exe] C:\WINDOWS\SYSTEM\SCANDS32.EXE

    O4 - HKLM\..\Run: [powerdll] backorif.exe

    O4 - HKLM\..\Run: [sbin] NukeSpan.exe

    O4 - HKLM\..\Run: [abu] abu.exe

    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE

    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

    O4 - HKCU\..\Run: [Shaitan1678] ATLIEHELPER.exe

    O4 - HKCU\..\Run: [bhoserv] atl_helper.exe

    O4 - HKCU\..\Run: [iehelper] defect08.exe

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\WareOut --> The whole Folder
    C:\WINDOWS\SYSTEM\SCANDS32.EXE
    C:\WINDOWS\SYSTEM\IPCFG.EXE
    C:\WINDOWS\SYSTEM\SZIEBHO.dll

    You ought to use Windows Explorer to run a search of your computer to find and DELETE these as well:

    ATLIEHELPER.exe
    atl_helper.exe
    defect08.exe
    backorif.exe
    NukeSpan.exe
    abu.exe

    They will likely be in the System Folder like the previous ones.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
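The fix list above is the expert reading the log by entry type (R0/R1 start and search pages, R3 search hooks, O2 browser helper objects, O3 toolbars, O4 autostarts, O16 ActiveX downloads) and applying a few recurring heuristics: an IE search page pointing at an unfamiliar site, entries marked "(file missing)", autostarts that name a bare executable with no install path, and third-party programs living in the Windows system directory. The following Python script is an added example, not part of this thread and not HijackThis's own code; it applies those heuristics to the log lines quoted from Mark's post. The line formats it parses are taken from the HijackThis 1.99 output shown above; the trusted-host list and the system-directory list are assumptions labelled in the code.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: HijackThis 1.99 lines quoted from the thread above (not a full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
R3 - URLSearchHook: (no name) - {BEBAF9A1-C251-C9BF-3537-1067C7D98A3C} - xxtoolbar.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IECUST.DLL (file missing)
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\attune_ce.exe
O4 - HKLM\..\Run: [ipcfg.exe] C:\WINDOWS\SYSTEM\IPCFG.EXE
O4 - HKLM\..\Run: [powerdll] backorif.exe
O4 - HKLM\..\Run: [sbin] NukeSpan.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [iehelper] defect08.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
"""

# Assumption: hosts that IE's own start/search pages may legitimately point at.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
# Assumption: Windows system directories where third-party autostarts do not normally live.
SYSTEM_DIRS = (r"c:\windows\system", r"c:\windows\system32")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
# R0/R1 body: "<registry key>,<value name> = <data>"
IE_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# O4 body: "<hive>\..\<Run|RunServices|RunOnce>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis entry type, e.g. "O4"
    reason: str  # why the entry deserves a human look
    line: str    # the original log line


def host_is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def image_of(cmd: str) -> str:
    """Return the executable image from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0] if cmd else ""


def flag_ie_setting(body: str):
    m = IE_RE.match(body)
    if not m:
        return None
    data = m.group("data").strip()
    if not data.lower().startswith(("http://", "https://")):
        return None  # about:blank, empty, or a local path: nothing to hijack to
    host = urlparse(data).hostname or ""
    if host_is_trusted(host):
        return None
    return f"IE {m.group('value').strip()} points at third-party host {host}"


def flag_autostart(body: str):
    m = RUN_RE.match(body)
    if not m:
        return None
    image = image_of(m.group("cmd"))
    if "\\" not in image:
        # No install location at all: the loader resolves it via the search path.
        return f"autostart '{m.group('name')}' runs bare image {image} with no path"
    folder = image.rsplit("\\", 1)[0].lower()
    if folder in SYSTEM_DIRS:
        return f"autostart '{m.group('name')}' runs {image} from the Windows system directory"
    return None


def flag_dpf(body: str):
    m = re.search(r"https?://\S+", body)
    if not m:
        return None
    return f"ActiveX control downloaded from {urlparse(m.group(0)).hostname}"


def triage(log_text: str) -> list:
    """Scan HijackThis log text and return the entries a reviewer should look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if "(file missing)" in body:
            reasons.append("references a file that no longer exists (dangling entry)")
        if kind in ("R0", "R1"):
            reasons.append(flag_ie_setting(body))
        elif kind == "O4":
            reasons.append(flag_autostart(body))
        elif kind == "O16":
            reasons.append(flag_dpf(body))
        findings.extend(Finding(kind, r, line) for r in reasons if r)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

The script only narrows the list; whether an entry is fixed is still a human decision, as the thread shows with STOPzilla, which the heuristics flag (a BHO plus an ActiveX downloader) but the user chose to keep. Entries such as the NZSearch hook and Attune, which carry a full Program Files path, pass the heuristics and are caught only by recognising the product name.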
     
  17. mfletcher35

    mfletcher35 Private E-2

    Thanks once again, PhilliePhan.

    I'm going to be pretty busy Friday and Friday night, but I will try that sometime over the weekend and let you know how I make out.

    I don't even know what Attune is - I'm sure I don't use it.

    As for Stopzilla - why do you suggest I delete that? I happen to like the way it blocks popups, prevents my home page from getting hijacked, and it is also supposed to remove spyware without even having to run a scan. I would like to keep Stopzilla if possible.

    Mark
     
  18. PhilliePhan

    PhilliePhan Guest

    If you really like the Stopzilla, then keep it. I merely make suggestions ;)

    After your machine is cleaned up, we'll hook you up with some additional FREE tools to help keep you safe.

    Let me know how you fare with the cleanup and, as always, if there are any questions, just ask!

    PP :)
     
  19. mfletcher35

    mfletcher35 Private E-2

    OK PhillePhan, I followed your instructions and completed all the steps. The only questions/problems I ran into are as follows:

    1. I could not delete Attune. I tried deleting it using add/delete programs. It asked me for the installation CD which was on a Dell Backup: Dell-Installed Programs Cd I had. It stopped in the middle of deleting and gave me an error message that it couldn't complete the deletion process.

    2. I did delete the NetZero search.

    3. I did not delete Stopzilla. I kept it, but I did exit from it.

    4. Now that I am done, the icon for Windows Media Player changed to a white box with a blue stripe at the top on both desktop and the tray.

    I did a HijackThis scan at around 1:30 PM EST which I am attaching below. So far, I haven't seen any of the previous problems pop up. I'll give it a little time and keep you posted.

    The only other question I have is whether or not I should turn back on System Restore and disable viewing of hidden files.

    Thanks for everything.
    Mark
     


  20. mfletcher35

    mfletcher35 Private E-2

    After further investigation, Windows Media Player won't open when I double-click on the icon. I don't think this should be a problem. I'll just download the latest version off the internet. This is the least of my worries right now.

    Mark
     
  21. mfletcher35

    mfletcher35 Private E-2

    An hour and 10 minutes has elapsed and so far none of those annoying things have popped up. I think we've done it.

    Thanks once again.
    Mark
     
  22. PhilliePhan

    PhilliePhan Guest

    Hi Mark,

    Your HijackThis log looks OK.

    Attune is mild spyware - It is in the AVEO folder. I'm not sure if this is something you use?

    Did you have any problems deleting:
    ATLIEHELPER.exe
    atl_helper.exe
    defect08.exe
    backorif.exe
    NukeSpan.exe
    abu.exe


    Once we are sure that all Malware is gone, then you can turn System Restore back on. If you turn it on with Malware on machine, then if you were to ever restore, You'd restore the malware as well!!

    Did you install a new windows media player? Is everything OK on that front?

    I'm pressed for time right now, but will check back tonight, if possible.

    PP :)
     
  23. mfletcher35

    mfletcher35 Private E-2

I did find and delete abu.exe. I could not find the others so hopefully they did not exist. I checked in that folder and did a search for them by name. I will look for Attune in the AVEO folder later.

    I downloaded Windows Media Player 9.0 for Windows ME and during the installation it told me to turn on System Restore, so I turned it on at that point.

    Everything seems to be running great!

    Thanks once again.
    Mark

    P.S. Should I disable viewing of hidden files?
     
  24. PhilliePhan

    PhilliePhan Guest

    You're welcome! Happy to help :)

    You can go ahead and switch Viewing of Hidden Files back if you wish.

You should also take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    I definitely recommend that you continue to use the following tools from the Cleanup Tutorial:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster

These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall & keeping IE up-to-date will do wonders in helping to keep Malware off your computer!

    Best :)
    PP
     
