Spyware on my PC- Please help!

rch · Oct 29, 2006

Since yesterday, I have been getting this message on the right hand side bottom corner of my screen. 'Your computer is infected! Windows has detected spyware infection! It is recommended to use special antispyware tools to prevent data loss. Windows willnow download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!'

I have downloaded Hijackthis and I have attached the log. If you need me to run some other application instead, please let me know.

Is there a free tool that will automatically kick out any spyware? If so, can you please recommend names. This is the second time in 2006 my PC is infected.
Thanks!

chaslang · Oct 30, 2006

You have more problems than the one you are mentioning! I will give you a fix for the one you mention but then in another message, I'm going to give you instructions to follow so that you can clean all the other malware off your PC.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

chaslang · Oct 30, 2006

Now to fix your other problems you must follow the steps below.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy - ONLY IF you were not able to run Windows Defender

Bitdefender - from step 6

Panda Scan - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

rch · Oct 30, 2006

Here is the rapport.txt after completing Step 1.

Thank you for your time!

rch · Nov 1, 2006

Please ignore earlier posted rapport.txt. This is the real one

Here is the rapport.txt from Step 1
Thanks,

rch · Nov 1, 2006

Rapport.txt from Step 2

Here is my rapport.txt from step 2

chaslang · Nov 3, 2006

Re: Rapport.txt from Step 2

Okay that fix some of your problems! Are you working on what I gave to you in message # 3?

I will be away for 9 days! Hopefully one of the other helpers here can continue to help you! Or you will have to wait until I get back!

rch · Nov 4, 2006

Hi,
Sorry it took so long. Here are three files from Step 3.
Thanks

rch · Nov 4, 2006

The rest of the files from Step 3...
Thanks

bjgarrick · Nov 5, 2006

Download Pocket KillBox

Save it to your desktop or a place easy to find.

Do not run it yet

Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

wrtyjadu.exe

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/ search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com

O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Again, make sure ALL browser windows are closed when you click FIX.

Next, run CCleaner to clean up cookies and temp files.

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

C:\winstall.exe

C:\WINDOWS\system32\swsc.exe
C:\WINDOWS\system32\ntsystem.exe
C:\WINDOWS\system32\Process.exe

C:\Documents and Settings\R Chaba\eybfxebi.exe
C:\Documents and Settings\R Chaba\iudkavpp.exe
C:\Documents and Settings\R Chaba\mgnauzqa.exe
C:\Documents and Settings\R Chaba\nbhfdofm.exe
C:\Documents and Settings\R Chaba\pzsuclyk.exe
C:\Documents and Settings\R Chaba\qitbppkf.exe
C:\Documents and Settings\R Chaba\smunjloe.exe
C:\Documents and Settings\R Chaba\syfujtmn.exe
C:\Documents and Settings\R Chaba\wbzvihur.exe
C:\Documents and Settings\R Chaba\xztbxgrj.exe
C:\Documents and Settings\R Chaba\ydyhqpbx.exe
C:\Documents and Settings\R Chaba\zvcqqtoe.exe
C:\Documents and Settings\R Chaba\bqbubvkh.exe
Click to expand...

If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, REBOOT and proceed with the rest of this fix...

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

Disable and Re-enable System Restore

Turn OFF System Restore to flush any bad Restore Points.

Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

rch · Nov 5, 2006

Here's the new hijackthis log.

The message about my computer being infected is gone now! whew! Thank you both!

There is a new red shield like icon which on mousing over says 'Windows security alert' and says that my PC does not have virus protection. That is a windows security alert, right? not malware.

Is there a free anti-virus software available? Which do you recommend?
Thanks!

bjgarrick · Nov 6, 2006

rch said:

Here's the new hijackthis log.
Click to expand...

Your log looks good!

rch said:

There is a new red shield like icon which on mousing over says 'Windows security alert' and says that my PC does not have virus protection. That is a windows security alert, right? not malware.
Click to expand...

Yes, this is an alert that you can disable from the Security Center by checking the box "I have an antivirus that I'll monitor....".

rch said:

Is there a free anti-virus software available? Which do you recommend?
Click to expand...

Yes, I personally recommend AVG AntiVirus. Also you need a firewall installed, I recommend ZoneAlarm which you can find in the thread below.

How to Protect yourself from malware!

Log in or Sign up

Spyware on my PC- Please help!

rch Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rch Private E-2

Attached Files:

rapport.txt

rch Private E-2

Attached Files:

rapport.txt

rch Private E-2

Attached Files:

rapport2.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

rch Private E-2

Attached Files:

Activescan.txt

bdscan.txt

runkeys.txt

rch Private E-2

Attached Files:

newfiles.txt

hijackthis.log

bjgarrick MajorGeeks Admin - Malware Expert

rch Private E-2

Attached Files:

hijackthis.log

bjgarrick MajorGeeks Admin - Malware Expert