Noob, here. Can't find help on this anywhere else.

Discussion in 'Malware Help (A Specialist Will Reply)' started by irishd, Mar 15, 2005.

  1. irishd

    irishd Private E-2

    Hey all.
    I've gone through your "do these first" suggestions and am still stuck on how to remove this, or even what it is. Searching through Google, Yahoo etc. only turned up a few others who seem to have this problem, but no answers.

    When I boot up the computer, my desktop is completely white; right-clicking it doesn't bring up the usual menu but rather a web page menu. When I go into Desktop through the settings it indicates that the background should be normal; however, if I go in through "Customize Desktop" and then over to the "Web" tab, it has a checkmark beside "Security" in the web page box. Unselecting it restores things to normal, but rebooting reverts it back again.

    Along with this I have a yellow exclamation mark at the lower right of my taskbar that pops up every five minutes stating:
    "WARNING! YOUR COMPUTER IS AT RISK. Spyware detected on your PC. Windows did not find spyware protection on this computer. Click to choose a recommended Spyware protection software."
    Of course when you do, you are brought to a web page full of Spyware software available for sale from this webpage: http://www.topantispyware.com/removers.php?223
    Also, every 10 or so minutes a full-screen blue web page pops up, made to resemble the 'blue screen of death', with similar offers.

    So far I've run Norton AV, Spybot S&D, Ad-Aware SE, Ad-Aware 6, Microsoft Anti-Spyware, and Genuinecheck, all updated today.

    Any ideas? Thanks ahead of time.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you ran all steps of the Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, do the below.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post.)
     
  3. irishd

    irishd Private E-2

    Thanks, here's the log:
     

    Attached Files: hij.log (8.3 KB)
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have not completed ALL the steps in the READ ME FIRST as required.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\system32\spm1316.dll (file missing)
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINDOWS\system32\wer3548.dll
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe


    Do you know what this below UO01.EXE process is for?
    O4 - Startup: Unattended Operation.lnk = C:\HEX0601\PGM\UO01.EXE

    What version of DAP are you running? If it is not the most recent, it should be uninstalled. Older versions contained malware.
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm

    Did you put the below entries into your Trusted Zone? Are these absolutely necessary to get something you use to work (I doubt it)? My opinion is that NOTHING belongs in the Trusted Zone.
    O15 - Trusted Zone: http://www.justiceontario.jus.gov.on.ca
    O15 - Trusted Zone: http://www.justiceontarioefile.jus.gov.on.ca
    O15 - Trusted Zone: http://www.justiceontarior.jus.gov.on.ca
    O15 - Trusted IP range: http://142.108.66.18
    O15 - Trusted IP range: http://142.108.66.98
    Do you recognize the below items? If not, fix them too.
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {AD8D3C68-0C60-4B53-8A9E-BC654BBB36FE} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\wer3548.dll
    C:\WINDOWS\System32\srvc32.exe
    C:\WINDOWS\System32\spoolsrv32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
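    As an added example (mine, not from this thread and not part of HijackThis), the triage rules applied in the reply above written as a script: it parses the Oxx lines of an HJT log, flags the same categories (orphaned O2/O3 entries, any O4 under RunOnce, every O15 Trusted Zone entry, every O16 ActiveX download, plus my own heuristic for BHOs loading a bare DLL from system32), and lists the on-disk files that the safe-mode deletion step would target. The sample log is constructed from the entries quoted in this thread plus one made-up benign Run entry.

```python
import re

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^ ]+?\.(?:dll|exe)", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([^/]+)")

def triage(log_text):
    """Return (line, reason) pairs for the entries a reviewer would select for Fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header or blank line, not an Oxx entry
        section, body = m.groups()
        if section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            findings.append((line, "orphaned BHO/toolbar: registration points at a file that no longer exists"))
        elif section == "O2" and re.search(r"\\system32\\[^\\ ]+\.dll$", body, re.I):
            # Heuristic (my assumption): real BHOs install under Program Files, not as a bare DLL in system32.
            findings.append((line, "BHO loading a bare DLL from system32"))
        elif section == "O4" and "RunOnce" in body:
            findings.append((line, "RunOnce autostart: installers use it once; a persistent entry is suspect"))
        elif section == "O15":
            findings.append((line, "Trusted Zone entry: relaxes IE security for this site or range"))
        elif section == "O16":
            host = HOST_RE.search(body)
            findings.append((line, f"ActiveX download from {host.group(1) if host else '?'}: confirm it is wanted"))
    return findings

def files_to_delete(findings):
    """Paths named in flagged entries: what to remove by hand in safe mode after Fix."""
    paths = []
    for line, _reason in findings:
        if "(file missing)" in line or "(no file)" in line:
            continue  # nothing left on disk for these
        for p in PATH_RE.findall(line):
            if p not in paths:
                paths.append(p)
    return paths

# Constructed sample modelled on the entries quoted in this thread, plus one benign Run entry (ExampleUpdater, made up) that the rules must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\system32\spm1316.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765723548} - C:\WINDOWS\system32\wer3548.dll
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O15 - Trusted Zone: http://www.justiceontario.jus.gov.on.ca
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab
"""
```

Running `triage(SAMPLE_LOG)` flags six of the seven entries and leaves the benign Run entry alone; `files_to_delete` on those findings yields the three files the reply above has removed in safe mode.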
     
  6. irishd

    irishd Private E-2

    Well, it seems you've solved my problems. No more icon, pop-ups, or white background. My desktop icons appear to have some kind of blue shadows, and the text boxes below them are a dark blue which is different, but I can live with that no problem.

    Thanks for all your help, I'll be sure to stop by often and direct others from another board as someone did for me.

    Here's the newest log BTW (can't seem to remove the justiceontario trusted website, it's no longer an available service.)
     


  7. irishd

    irishd Private E-2

    NM the shadow thing, got that all fixed up too.

    Thanks again chaslang.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

