Spiderman Malware/Virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sam-d, May 23, 2005.

  1. sam-d

    sam-d Private E-2

    Hi, I'm new to a lot of this, so please let me know if I am going majorly wrong anywhere...

    Today I installed an "image resizing windows xp power tool" from what I believed to be a genuine Microsoft website. However, after installing the program it didn't appear to perform any task at all. So I decided to restart my computer in a bid to make it work. However, when it booted back up I had no start button and was faced with a number of messages saying things like: "Hello i am spiderman, you can consider me your best freind now!, if you need me then spiderman will come to the rescue!". Having clicked through them all I was confronted by a "lovely" new backdrop of a bloke showing me his arse with a spider's web tattoo on it! Hmmm... :confused:

    I found I couldn't click on the desktop, right or left, and when I tried to start IE I was asked if I wanted to open or save "ilovespiderman.bmp". Thankfully I had Firefox installed too.

    Realising I had managed to install some kind of virus, trojan horse or malware, I set about searching the internet to find out what it was and how to remove it. I couldn't find much documentation of the said symptoms and eventually found my way here.

    I have been through the sticky basic guide and none of the scans found anything other than Ad-Aware SE, which found one file which I removed and took a log of.
    I have done a HijackThis scan and have the log ready and waiting for anyone who is kind enough to take a look.

    Please help me out because I have absolutely no clue what to do next :rolleyes:

    Thanks in advance, Sam
     
  2. sam-d

    sam-d Private E-2

    Sorry, I forgot to mention that I couldn't get the Symantec online scan to work. Possibly something to do with Firefox/ActiveX controls, I think...
    I thought this might be important.

    Sam
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Firefox doesn't implement ActiveX controls. Run the Scan with IE.
     
  4. sam-d

    sam-d Private E-2

    Yeah, I tried that too, but it just wouldn't load the ActiveX controls, not sure why...
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    IE6 blocks loading of ActiveX controls by default. When trying to load an ActiveX control, look at the top of the window. If there is a bar there click on it and select install ActiveX.
     
  6. sam-d

    sam-d Private E-2

    Ok, I managed to get the Symantec scan to work, but only in normal boot mode (i.e. not Safe Mode). It just wouldn't load the ActiveX in Safe Mode.

    It found nothing either...

    Sam
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Good, continue on with the sticky. Come back after you have completed the rest of the steps and either bjgarrick or chaslang will be glad to help you out with any issues you have.
     
  8. sam-d

    sam-d Private E-2

    OK, I have finished the rest of the guide.
    Like I said, none of the scans found anything apart from Ad-Aware SE, which found one file which I removed and took a log of.

    Also, I forgot to mention in the symptoms below that when I boot up my CD drive opens and it also tries to load a website "pichunter.com" (porn, I assume) in Firefox (my default browser).

    Can someone have a look at my HijackThis log now?

    Cheers, Sam
     
  9. sam-d

    sam-d Private E-2

    I thought I would add this as it might help identify what this virus is...

    When looking through my computer today I found that I have 4 files (SPIDERMAN_ STRIKES.exe, SPIDERMAN_STRIKES.bat, VIRUS.exe, and VIRUS.bat) in my C:/ directory. It's not exactly discreet, is it :)

    In addition, I have tracked down the background image to C:/documents and settings/all users/

    I don't want to delete any of this stuff until someone has had a look at my HijackThis log, because I don't really know what I'm doing and don't want to cause more damage. Please help!

    Thanks,
    Sam
     
  10. sam-d

    sam-d Private E-2

    Hi again,
    I know I'm not supposed to post a HijackThis log until I'm given the go-ahead, but I have followed all the instructions from both the cleaning/scanning sticky and the HJT sticky, so it should be up to scratch.
    I wouldn't do this, but I really need to get this computer fixed (final exams coming up), and I appear to be living in a different time zone to most of the moderators etc., so it's hard to be online when they are to get a decent conversation going.
    If someone could have a look at it in the next day or two it would be very helpful. This log was done in Safe Mode, btw.

    Apologies (for bending the rules) and thanks in advance,
    Sam
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    sam-d, patience; when either bjgarrick or chaslang come back online, either one of them will gladly help you with your problem.

    Please rerun your HijackThis from Normal Mode, and be ready to post once either bjgarrick or chaslang ask for it.
     
  12. PhilliePhan

    PhilliePhan Guest

    Hi Sam,

    Wow! I haven't seen this one in a long time . . . .

    I'll get you started, but, as Shadow Puter Dude mentions, we'll need a HJT Log from Normal Windows boot to get a proper look at all the baddies!

    Please print out or save these instructions locally so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled.


    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:\Documents and Settings\All Users\ilovespiderman.bmp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O4 - HKLM\..\Run: [windows16] C:\WINDOWS\Cursors\windows16.exe
    O4 - HKLM\..\Run: [NvCplDaemon32] C:\WINDOWS\system32\config\anvshell32.exe
    O4 - HKLM\..\Run: [windows32] C:\WINDOWS\system32\windows32.exe
    O4 - HKLM\..\Run: [NAVAPIW32] C:\WINDOWS\system32\NAVAPIW32.exe
    O4 - HKLM\..\Run: [SunJavaUpdate] C:\WINDOWS\system32\SunJavaUpdate.exe
    O4 - HKLM\..\Run: [SoundDriversRun] C:\WINDOWS\system32\snddrvr.exe
    O4 - HKCU\..\Run: [NAV Agent] C:\WINDOWS\system32\drivers\wmilib32.exe
    O4 - HKCU\..\Run: [default] C:\WINDOWS\system32\wowdeb32.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A12021DF-70B6-44D2-BC79-7033AB2D4B7C}: NameServer = 212.23.8.1,212.23.8.6

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Documents and Settings\All Users\ilovespiderman.bmp
    C:\WINDOWS\Cursors\windows16.exe
    C:\WINDOWS\system32\config\anvshell32.exe
    C:\WINDOWS\system32\windows32.exe
    C:\WINDOWS\system32\NAVAPIW32.exe
    C:\WINDOWS\system32\SunJavaUpdate.exe
    C:\WINDOWS\system32\snddrvr.exe
    C:\WINDOWS\system32\drivers\wmilib32.exe
    C:\WINDOWS\system32\wowdeb32.exe

    + Remove those you noted earlier:

    SPIDERMAN_ STRIKES.exe
    SPIDERMAN_STRIKES.bat
    VIRUS.exe
    VIRUS.bat

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I am not around too often these days, but will check back as time permits.

    Best luck :)
    PP
     
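The post above is, in effect, a triage of three HijackThis entry types: R0 (IE start page), O4 (Run keys, the persistence for the dropped loaders) and O17 (DNS NameServer). The script below is an added example, not part of the original thread and not HijackThis code: it parses the entry lines quoted in PhilliePhan's post and applies the reasoning a helper applies by eye. The "odd directory" list, the product-name-mimicry prefixes, the allowlist of genuine Windows autostart binaries and the benign ctfmon.exe sample line are assumptions made for illustration, and the O17 resolvers are reported for verification rather than flagged, since a genuine setting comes back after being fixed, as the thread later notes.

```python
"""Triage of R0 / O4 / O17 entries from a HijackThis log.

Added example, not part of the original thread nor of HijackThis: it parses the
entry lines PhilliePhan quoted and applies the kind of reasoning a helper uses
when reading such a log.  The directory list, name-mimicry prefixes, allowlist
and the benign ctfmon.exe line are assumptions made for illustration only.
"""
import re
from urllib.parse import urlparse

# Sample input: the entries quoted in PhilliePhan's post, copied as-is.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:\Documents and Settings\All Users\ilovespiderman.bmp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [windows16] C:\WINDOWS\Cursors\windows16.exe
O4 - HKLM\..\Run: [NvCplDaemon32] C:\WINDOWS\system32\config\anvshell32.exe
O4 - HKLM\..\Run: [windows32] C:\WINDOWS\system32\windows32.exe
O4 - HKLM\..\Run: [NAVAPIW32] C:\WINDOWS\system32\NAVAPIW32.exe
O4 - HKLM\..\Run: [SunJavaUpdate] C:\WINDOWS\system32\SunJavaUpdate.exe
O4 - HKLM\..\Run: [SoundDriversRun] C:\WINDOWS\system32\snddrvr.exe
O4 - HKCU\..\Run: [NAV Agent] C:\WINDOWS\system32\drivers\wmilib32.exe
O4 - HKCU\..\Run: [default] C:\WINDOWS\system32\wowdeb32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A12021DF-70B6-44D2-BC79-7033AB2D4B7C}: NameServer = 212.23.8.1,212.23.8.6
"""

# Constructed benign entry (assumption): a genuine Windows XP autostart program.
BENIGN_SAMPLE = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

R0_RE = re.compile(r"^R0 - (HK\w+)\\.*?,Start Page = (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")

# Heuristics (assumptions for illustration, not a vendor rule set).
# Run entries normally point into Program Files or a user profile; these
# Windows subfolders exist for other purposes and hold no startup programs.
ODD_DIRS = (
    "\\windows\\cursors\\",
    "\\windows\\system32\\config\\",
    "\\windows\\system32\\drivers\\",
)
# Labels that borrow a well-known product's name are suspect when the
# binary runs from the Windows directory instead of the product's own folder.
MIMIC_PREFIXES = ("nav", "nvcpl", "sunjava")
# Executables that legitimately autostart from the Windows directory on XP.
KNOWN_WINDOWS_AUTOSTART = {"ctfmon.exe"}
WINDIR = "c:\\windows\\"


def classify_run_target(label, path):
    """Return a reason string if an O4 Run target looks like a dropped loader, else None."""
    p = path.lower()
    for d in ODD_DIRS:
        if d in p:
            return f"autostart binary under {d}, a folder that holds no startup programs"
    if not p.startswith(WINDIR):
        return None  # outside the Windows directory: not judged by these heuristics
    name = p.rsplit("\\", 1)[-1]
    if name in KNOWN_WINDOWS_AUTOSTART:
        return None
    if label.lower().replace(" ", "").startswith(MIMIC_PREFIXES):
        return "label imitates a known product but the binary runs from the Windows directory"
    return "unknown executable launched from the Windows directory"


def triage(log_text, trusted_hosts=frozenset()):
    """Parse HJT lines and return (findings, nameservers).

    findings   : list of (entry line, reason) for entries worth fixing.
    nameservers: O17 resolver IPs to verify against the ISP; they are not
                 flagged, because a genuine setting reappears after a fix.
    """
    findings, nameservers = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := R0_RE.match(line):
            url = urlparse(m.group(2).strip())
            if url.scheme == "file":
                findings.append((line, "IE start page points at a local file"))
            elif url.hostname not in trusted_hosts:
                findings.append((line, f"IE start page host {url.hostname!r} was not set by the user"))
        elif m := O4_RE.match(line):
            reason = classify_run_target(m.group(2), m.group(3))
            if reason:
                findings.append((line, reason))
        elif m := O17_RE.match(line):
            nameservers.extend(ip.strip() for ip in m.group(1).split(","))
    return findings, nameservers


if __name__ == "__main__":
    found, ns = triage(HJT_LOG)
    for entry, why in found:
        print(f"FIX   {entry}\n      {why}")
    for ip in ns:
        print(f"CHECK NameServer {ip}: confirm it is your ISP's resolver before fixing O17")
```

Run it as-is to see every R0 and O4 line from the post flagged with a reason and the two O17 resolvers listed for checking; pass `trusted_hosts={"your-home-page.example"}` (assumed name) to stop a start page you set yourself from being reported.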
  13. sam-d

    sam-d Private E-2

    Phillie Phan,

    Thanks for the help, I followed your instructions (everything went smoothly) and it appears to have removed the problem. No background change, no pop-ups, and my start button is back anyway :)

    I have run a HJT log in normal mode like you asked; it is attached below.

    Just a quick note: I'm pretty sure this entry is to do with my DNS setting for my ISP.
    "O17 - HKLM\System\CCS\Services\Tcpip\..\{A12021DF-70B6-44D2-BC79-7033AB2D4B7C}: NameServer = 212.23.8.1,212.23.8.6"

    I fixed it as you said but it appears in the new log again probably as I have had to re-input them in order to connect to the internet again.

    Cheers for your help, guys, and sorry I was impatient. ;)
    Sam
     
  14. PhilliePhan

    PhilliePhan Guest

    Your HJT Log is clean. If you are experiencing no further problems, you're probably good to go! Don't forget to take a peek at Chaslang's Suggestions
    Yup! This is the case 95% of the time I see those - If they are legit, they come back, as you noted. Ideally, they shouldn't show up in HJT scans because you should be disconnected from the Net when you scan. . . .;)
    You're Welcome!

    Happy Computing :)
    PP
     
