spyware/virus help

Discussion in 'Malware Help (A Specialist Will Reply)' started by alexanderg1, Dec 26, 2005.

  1. alexanderg1

    alexanderg1 Private E-2

    Hello there,

    Thank you in advance for your time and effort.

    Yesterday I had a massive spyware/virus attack; my computer shut down automatically and wouldn't boot initially. Finally I got it to boot in safe mode and ran the following programs: Kaspersky, AntiVir, CCleaner, Spybot, Microsoft spyware removal, Ad-Aware Personal, Spyware Doctor and finally Registry Mechanic. At least 1000 infections were removed. However, I still believe my computer is infected; a friend of mine recommended this website. I made sure to follow all the steps posted in the "read me first" threads. I haven't disabled System Restore because I am not entirely sure that all the malware has been removed. I have run a BitDefender scan and saved the log (as a .txt file); if you need it I will post it as soon as possible. It found plenty of infections. I used msconfig to disable any programs on boot that look very suspicious. Please find the HJT file attached. I hope I have done everything according to the read mes. Thank you again for your time.

    My system is displayed below; it won't let me attach even though it is within the correct size restraints:

    Inline log attached!

    Thank you
     

    Attached Files:

    Last edited by a moderator: Dec 26, 2005
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    - Make sure you check version numbers and get all updates.
    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
  3. alexanderg1

    alexanderg1 Private E-2

    Hello again,

    I ran the scans suggested in safe mode; my results are displayed below:

    CCleaner removed 4 MB of internet files.

    Ad-Aware found 7 tracking cookies and 6 MRU lists. Neither were found again after a rescan.

    Spybot removed all entries. Nothing was found in the rescan.

    Microsoft AntiSpyware found no threats.

    Spyware Doctor found a further 15 threats and 0 in the rescan.

    There are two threats I see over and over again, two or three hours later, the two most prominent being SurfSideKick and a certain Trojan dropper.

    Also, after performing the scans my Quick Launch toolbar disappeared; I don't know if that is related.

    Every day in the morning I run Spyware Doctor and it generally finds anywhere between 30 and 50 spyware entries; again the most common are SurfSideKick, CoolWWWSearch (I think that's what it is called), a "trojan dropper" and a "trojan desktop hijacker", which changes my desktop image to a text image explaining that my computer is infected with spyware. I removed it once and my desktop has never changed again; Spybot still seems to pick it up now and then.

    I must apologise for my late reply, but it was difficult to find time to perform the online BitDefender scan. It again found several entries. I have attached the log. All my scans completed; there were no threats that needed removal on reboot.

    I have to say that my computer is already running much faster after the scans, so I do believe a large bulk of the spyware was removed; I still firmly believe there is some more. I also had a virus today that tried to send itself out in 4000 emails through Outlook; however, it never happened again.

    I hope I have covered everything. I have attached the BitDefender log and a newer HijackThis log (just in case) which I performed 10 minutes ago after Spyware Doctor removed some spyware.

    Thank you for your time; I am very grateful.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable Spybot's TeaTimer per our tutorial.

    You have not run the Panda ActiveScan per our tutorial.

    Convert the BitDefender log as per our tutorial.

    Post the Panda ActiveScan log and the converted BitDefender log when finished.
     
  5. alexanderg1

    alexanderg1 Private E-2

    What is TeaTimer and how do I remove it? I had no idea I had it...
    I will run the Panda scan tomorrow morning, and will upload its log as well as the new fixed BitDefender log. Should I perform another HijackThis?

    Also, one last thing. After I have removed TeaTimer, I presume I should scan using Spybot in safe mode, correct?

    Again, many thanks!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmm! Your first message said:
    Obviously not and not in the order specified.

    Also HJT is still installed improperly.
     
  7. alexanderg1

    alexanderg1 Private E-2

    I think I may have stopped TeaTimer by removing it from the system startup; is that sufficient?
     
  8. alexanderg1

    alexanderg1 Private E-2

    To be perfectly honest I did; there was a lot I didn't understand. My friend who used this website advised me to do what I could and that I would be told what I had missed. I am trying my best to cooperate :D
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just go slow and follow all steps in the order given. Even if you think you ran them before. Otherwise results will not be the same. Order is important. Directions for disabling Teatimer are in the READ ME. Do not use msconfig. That is a no no and is covered in the HJT installing steps.
     
  10. alexanderg1

    alexanderg1 Private E-2

    OK, so I suppose I will start again. Tomorrow morning I will disable TeaTimer and allow all the programs to run on startup. I will then run all the scans in the order specified, and I will make notes of what is noticed. I will then reboot to normal to be able to scan using both BitDefender and Panda. I will attach those logs along with a HijackThis log. That is all. I don't have to worry about disabling System Restore. Also, about msconfig: I had to use it in safe mode to disable some startup items because otherwise Windows would not boot. I will try again; perhaps the source of that problem has been removed, but I had no choice but to use it.

    Thank you for your help
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just make sure you run CCleaner, also empty your Recycle Bin manually, and since you use that stinking Norton N-Protect feature you must also empty files from it. Then you need to empty the quarantine folders for your scanners (like Norton) because you have a bunch of stuff in there that other scanners will keep detecting.
     
  12. alexanderg1

    alexanderg1 Private E-2

    Hello again,

    I uninstalled my Norton Anti-Virus, emptied my Recycle Bin and deleted the folder which contained any quarantined files.

    I then rebooted to safe mode and ran CCleaner. 1.35 MB of temporary internet files were removed.

    I could not find Windows Malware Remover in safe mode, so I did the next scan, Ad-Aware. It again found several MRU lists and tracking cookies.

    Spybot found no immediate threats.

    Microsoft AntiSpyware found Trojan.paytime and Trojan krepper. I deleted both. I then proceeded to the quarantine. Microsoft AntiSpyware had quarantined two SurfSideKick items; I deleted both.

    When I restarted back to normal the following message came up: Windows cannot find 'C:\windows\inet2003\services.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

    After hitting OK, the following message came up: Could not load or run 'C:\windows\inet2003\services.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry. I have the newest version of Registry Mechanic which should solve that problem; I haven't used it yet, and I was wondering if it is alright to do so.

    Microsoft AntiSpyware pops up in the bottom left corner and asks me whether I want to block a change which would reduce my internet security below minimum. I blocked the change.

    I keep getting a loopylove ad which pops up.

    The BitDefender scan found some more Norton SystemWorks quarantined files on my C drive which I was unaware of; I have also removed those. I then restarted the BitDefender scan.

    The logs for the BitDefender and Panda scans are attached. I have also made another HJT log.

    Thank you.
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please make sure that the following have been done:

    How to view hidden, system files & folders!

    Searching for Hidden Files on WinXP

    Follow the directions for SurfSideKick Removal

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running Ewido Security Suite.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

    Next, start HijackThis.
    Click "Open Misc Tools Section".
    Check both options beside "Generate StartupList log" and generate the log. Say OK. Post the results.

    Next Go here:

    C:\Windows

    Locate system.ini
    Open it with notepad > Save As system_ini.txt and post results here.

    Post all files and logs including a fresh HijackThis log.
     
    Last edited: Dec 29, 2005
  14. PhilliePhan

    PhilliePhan Guest

    Hey Shadow,

    Don't forget to delete --> C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    Unless you are saving it on purpose to deal with later . . . .

    You guys might also look for these:

    -- %WINDIR% \temp\$_2341234.tmp
    -- c:\program files\common files\microsoft shared\web folders\ibm00001.dll
    -- c:\program files\common files\microsoft shared\web folders\ibm00002.dll
    -- %WINDIR% \temp\$_2341233.tmp


    I think that this --> %WINDIR% \temp\$_2341233.tmp is the actual "Key Log" and it might be interesting to have a look at it, if it exists/remains on this machine.


    I'm butting out now! ;)
    PP
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No, I forgot. Good catch, Thanks.

    Good advice, we need to look for those also. Even though Ewido should get ibm00001.dll and ibm00002.dll.
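A defender-side check covering the three artifacts this thread asks the poster to look at: the startup reference to C:\windows\inet2003\services.exe (post 12), the shell=/load=/run= lines in system.ini and win.ini that HijackThis reports as F0/F1 entries (post 13), and the file list in post 14. This is an added example, not code from the thread or from any of the tools named in it. It assumes the indicator paths can be expressed relative to a Windows directory and a Program Files directory supplied by the caller (so the check can be pointed at any root, including the constructed test tree that demo() builds), and it treats explorer.exe and empty load=/run= as the stock values; the sample ini text is constructed, not taken from the poster's machine.

```python
import tempfile
from pathlib import Path

# File paths quoted in the thread (posts 12 and 14), expressed relative to the
# Windows directory ("windir") or Program Files ("pf") so the check can be
# pointed at any root. This mapping is an assumption of the example.
INDICATOR_FILES = [
    ("windir", "inet2003/services.exe"),
    ("windir", "temp/$_2341234.tmp"),
    ("windir", "temp/$_2341233.tmp"),
    ("pf", "Common Files/Microsoft Shared/Web Folders/ibm00001.exe"),
    ("pf", "Common Files/Microsoft Shared/Web Folders/ibm00001.dll"),
    ("pf", "Common Files/Microsoft Shared/Web Folders/ibm00002.dll"),
]

# Stock values for the ini keys HijackThis reports as F0 (system.ini shell=)
# and F1 (win.ini load= / run=) entries. Lower-case for comparison.
STOCK_INI = {
    ("boot", "shell"): "explorer.exe",
    ("windows", "load"): "",
    ("windows", "run"): "",
}


def find_indicator_files(roots):
    """Return the indicator paths that exist under the given roots.

    roots is a dict with keys "windir" and "pf" mapping to pathlib.Path objects.
    """
    return sorted(
        str(roots[key] / rel)
        for key, rel in INDICATOR_FILES
        if (roots[key] / rel).is_file()
    )


def nondefault_ini_entries(text):
    """Parse system.ini / win.ini text and return {(section, key): value} for
    shell/load/run lines whose value differs from the stock one."""
    section = None
    hits = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # new [section]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        stock = STOCK_INI.get((section, key))
        if stock is not None and value.lower() != stock:
            hits[(section, key)] = value
    return hits


# Constructed sample ini text: a shell= line that tacks a second program onto
# the stock Explorer.exe, plus an untouched win.ini section.
CONSTRUCTED_SYSTEM_INI = """\
; constructed sample, not taken from the poster's machine
[boot]
shell=Explorer.exe C:\\WINDOWS\\inet2003\\services.exe
[drivers]
wave=mmdrv.dll
"""

CONSTRUCTED_WIN_INI = """\
[windows]
load=
run=
[fonts]
"""


def demo():
    """Build a constructed directory tree containing two of the indicator files
    (as harmless placeholders) and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = {"windir": Path(tmp) / "WINDOWS", "pf": Path(tmp) / "Program Files"}
        for key, rel in (
            ("windir", "inet2003/services.exe"),
            ("pf", "Common Files/Microsoft Shared/Web Folders/ibm00001.dll"),
        ):
            p = roots[key] / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed placeholder, not malware")
        present = find_indicator_files(roots)
        names = [Path(p).name for p in present]
    ini_hits = nondefault_ini_entries(CONSTRUCTED_SYSTEM_INI + CONSTRUCTED_WIN_INI)
    return names, ini_hits


if __name__ == "__main__":
    found_names, found_hits = demo()
    print("indicator files present:", found_names)
    print("non-default ini entries:", found_hits)
```

On a real machine the roots would be C:\WINDOWS and C:\Program Files, and the ini text would be read from the system_ini.txt the thread asks for; the parser ignores every key other than the three HijackThis reports, so a clean file yields an empty result.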
     
