Warning! Spyware threat detected, windows recommend removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by mongooseba, Oct 26, 2008.

  1. mongooseba

    mongooseba Corporal

    Dear All,

    My computer's lower right task bar had a yellow pop-up box that said "Warning: Spyware threat has been detected ... windows recommend removal." Clicked on it and there was another pop-up that recommended downloading an antispyware program. The logo looked sort of like Windows but I believe it is a fake. Tried to use Symantec AntiVirus but it would not run and gave a completed scan in a second.

    Followed the directions.
    1. Could not initially run Superantispyware or Spybot
    2. Able to detect some malware with Malwarebytes Anti-malware: Lots detected and removed
    3. Reran the Superantispyware and Spybot: picked up two more
    4. Reran the Antivirus and found 1 malware
    5. Ran Combofix with Windows recovery and MGtools

    Enclosed are the logs required. I did not install the recovery module as asked by ComboFix. Did I do something wrong?

    The pop-up did not occur after these steps. Do I still have any problems? I'm just afraid there is more lurking within. Could this malware also infect my server? I look forward to your advice and will instruct my staff not to surf the web any more. Thanks a million.


    Mongooseba
     

    Attached Files:

  2. mongooseba

    mongooseba Corporal

    Here are the other files. Thanks.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not wrong, just something that could help you recover if something goes wrong during the cleaning procedure.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. mongooseba

    mongooseba Corporal

    Dear Chaslang,

    Thanks for helping out with my problem and the explanation. I wish to inform you that the computer initially kept shutting down when the pop-up appeared after two minutes of cold boot. My antivirus detected a new Trojan on the autodetect mode today and has automatically deleted it.

    The first run on the ComboFix changed all my time settings. The instructions from MajorGeeks informed me that the time will be reset after the run, but in this instance it did not. Is there a problem? I have manually reset the time back to normal under "Regional and Settings."

    Will run ComboFix and send the information to you.

    Mongooseba
     
  5. mongooseba

    mongooseba Corporal

    Dear Chaslang,

    Enclosed are the new files that you need. Followed your instructions. Just wanted you to know that ComboFix asked whether to update to a newer version. I could not update to the newer version. Is there a problem?

    Meanwhile, Symantec detected multiple incidences of Trojan.Virantix.C. The computer boots up with a quick "black" screen of some Windows selection. Thanks and waiting for more instructions.

    Mongooseba
     

    Attached Files:

  6. mongooseba

    mongooseba Corporal

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have this infection. At least not anymore. Where is Symantec reporting this? Is it in System Restore? If so, final steps will delete restore points.


    Your logs are all clean.



    I don't know what this means.
    • what is a quick black screen?
    • if the screen is black, what do you mean by "some windows selection"?
    • Are you just referring to the Recovery Console selection that was installed with ComboFix? It just appears for a second or two waiting for a key press to choose the Recovery Console and then just continues to normal Windows if you do not press key. This is normal.
     
  8. mongooseba

    mongooseba Corporal

    Dear Chaslang,

    During the cold boot, my initial "black" screen will have a couple of lines regarding two Windows selections prior to having the normal Windows screen. This will flash for only half a second before the regular Windows start. The Windows screen will then run normally. The black screen is not related to the secondary screen from ComboFix after initiating the program.

    Normally, these selection lines do not appear during my regular start before the infection.

    Like you mentioned, could it be that I have installed the recovery mode from Combofix without knowing about it?

    Meanwhile, this virus was detected when the computer was idle for about an hour. Symantec detected this automatically and deleted it.

    Should I proceed with removing what is left from system restore? Please instruct. Thanks again.

    mongooseba
     
  9. mongooseba

    mongooseba Corporal

    Dear Chaslang,

    I located the virus origin that was deleted by Symantec.

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP306\

    Should I disable the XP restore? Could it be that the autorestore is causing the virus to appear? Thanks.

    Mongooseba
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and as I stated this is from installing the Recovery Console. It is not a problem.


    From what you posted it is just in System Restore. So just do my final instructions.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
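The question in the two posts above, whether a detection at `C:\System Volume Information\_restore{...}\RP306\` is a live infection or just a copy inside a System Restore point, is the kind of triage worth automating when a scanner reports a long list of paths. The following helper is an added example, not code from this thread or from MajorGeeks: it classifies Windows XP detection paths by whether they fall under the `_restore{GUID}\RP<n>` layout, and lists which restore points hold hits. The `SAMPLE_PATHS` are constructed for the example (the first is the path posted in this thread; the file names in the other two are made up).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Windows XP System Restore keeps its snapshots under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\
# A file that only exists there is a copy taken by the restore mechanism; it is
# inert unless that restore point is applied, which is why a scanner hit at
# such a path does not by itself mean the machine is still infected.
_XP_RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}"
    r"\\RP(?P<rp>\d+)(?:\\(?P<rest>.*))?$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    in_restore_point: bool
    drive: Optional[str] = None
    restore_guid: Optional[str] = None
    restore_point: Optional[int] = None


def classify_path(path: str) -> Detection:
    """Decide whether a detection path points into an XP restore point."""
    m = _XP_RESTORE_RE.match(path.strip())
    if m is None:
        return Detection(path=path, in_restore_point=False)
    return Detection(
        path=path,
        in_restore_point=True,
        drive=m.group("drive").upper(),
        restore_guid=m.group("guid").upper(),
        restore_point=int(m.group("rp")),
    )


def triage(paths: Iterable[str]) -> Tuple[List[Detection], List[Detection]]:
    """Return (live, restore_only): hits on the live file system versus hits
    that sit only in restore points and go away when System Restore is flushed."""
    live: List[Detection] = []
    restore_only: List[Detection] = []
    for p in paths:
        d = classify_path(p)
        (restore_only if d.in_restore_point else live).append(d)
    return live, restore_only


def affected_restore_points(detections: Iterable[Detection]) -> List[int]:
    """Distinct RP numbers that hold a detected file, ascending."""
    return sorted({d.restore_point for d in detections if d.in_restore_point})


# Constructed sample input: first path is the one reported in this thread,
# the other two are made up to show a restore-point hit next to a live one.
SAMPLE_PATHS = [
    "C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP306\\",
    "C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP301\\A0012345.dll",
    "C:\\WINDOWS\\system32\\example.dll",
]

if __name__ == "__main__":
    live_hits, restore_hits = triage(SAMPLE_PATHS)
    print("live hits:", [d.path for d in live_hits])
    print("restore-point hits:", [d.path for d in restore_hits])
    print("restore points to flush:", affected_restore_points(restore_hits))
```

Anything that lands in the `live` list needs real cleaning; anything only in `restore_only` is handled by the "Disable System Restore, reboot, re-enable" step in the final instructions, which discards every restore point at once.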
  11. mongooseba

    mongooseba Corporal

    Dear Chaslang,

    Completed all your instructions and the problem did not appear. Can you remove the Recovery Console from the start up? I do have a side issue: how do you remove these irritating pop-ups from Adobe or Zone Alarm that keep on reminding you to update? Should I repost? Thanks a bunch and your help is most appreciated.

    Mongooseba
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Why do you want to remove it? It is installed on purpose to use as a safety net if your PC runs into problems either due to malware, malware removal, or just due to Windows problems. If you do not have a bootable copy of your Windows CD, the RC could be a life saver. It does not interfere with any normal PC operation and just flashes a momentary notice on the screen giving you the choice to use it. If no key is pressed, it just boots to normal windows in about 1 to 2 seconds.

    Post in the Software Forum but if you want to avoid notices, purchase full versions of the software and stop using free versions.
     
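The momentary boot menu discussed in the posts above comes from the Windows XP `boot.ini` file: installing the Recovery Console adds a second entry to its `[operating systems]` section, so the loader shows a choice until the timeout expires. A practitioner who sees an unexplained boot selection after a malware cleanup wants to confirm that the extra line really is the Recovery Console and nothing else. The script below is an added example, not code from this thread or from MajorGeeks; it parses a `boot.ini`, identifies the Recovery Console entry by its documented `/cmdcons` switch and `\CMDCONS\BOOTSECT.DAT` target, and flags any other entry that is not the default Windows installation. `SAMPLE_BOOT_INI` is a constructed file in the XP format; the 2-second timeout is part of the constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BootEntry:
    target: str          # what the loader boots: an ARC path or a boot-sector file
    label: str           # text shown on the boot menu
    switches: List[str]  # e.g. ['/fastdetect'] or ['/cmdcons']

    @property
    def is_recovery_console(self) -> bool:
        # The XP Recovery Console entry is CMDCONS\BOOTSECT.DAT with the /cmdcons switch.
        has_switch = "/cmdcons" in (s.lower() for s in self.switches)
        return has_switch and self.target.upper().endswith("\\CMDCONS\\BOOTSECT.DAT")


# target="label" [switches...]
_ENTRY_RE = re.compile(r'^(?P<target>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text: str) -> Tuple[Optional[int], Optional[str], List[BootEntry]]:
    """Return (timeout, default target, entries) from boot.ini text.
    A hand-written parser is used because boot.ini targets contain ':' which
    configparser would treat as a key/value delimiter."""
    timeout: Optional[int] = None
    default: Optional[str] = None
    entries: List[BootEntry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "timeout":
                timeout = int(value)
            elif key == "default":
                default = value
        elif section == "operating systems":
            m = _ENTRY_RE.match(line)
            if m is None:
                continue  # not in target="label" form; ignore in this example
            entries.append(BootEntry(
                target=m.group("target").strip(),
                label=m.group("label"),
                switches=m.group("switches").split(),
            ))
    return timeout, default, entries


def boot_menu_report(text: str) -> Dict[str, object]:
    """Summarise why a boot menu appears and whether every entry is accounted for."""
    timeout, default, entries = parse_boot_ini(text)
    recovery = [e for e in entries if e.is_recovery_console]
    unexpected = [e for e in entries if e.target != default and not e.is_recovery_console]
    return {
        "timeout_seconds": timeout,
        "menu_shown": len(entries) > 1,
        "recovery_console_installed": bool(recovery),
        "unexpected_entries": [e.label for e in unexpected],
    }


# Constructed sample: an XP boot.ini after the Recovery Console was installed.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

if __name__ == "__main__":
    for key, value in boot_menu_report(SAMPLE_BOOT_INI).items():
        print(f"{key}: {value}")
```

On a real machine the file is `C:\boot.ini` (hidden, system, read-only), so read it with `open(r"C:\boot.ini")` after showing hidden files; an empty `unexpected_entries` list means the only extra choice is the Recovery Console that ComboFix installed.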
  13. mongooseba

    mongooseba Corporal

    Dear Chaslang,

    How do you use the recovery console? Thanks for all your help and you've been great. My staff say thanks as well. :)

    Mongooseba
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You choose the option when it prompts to start the Recovery Console. From here you can do a lot that you can't do in normal mode. In some cases when malware alters your system to where you can't boot to Windows you can get into the Recovery Console and address the issues.

    FYI, the recovery console is for advanced users and shouldn't be used without an advanced user present or requesting you to use it.
     
  15. mongooseba

    mongooseba Corporal

    Dear Bjgarrick and Chaslang,

    Thanks for all your help and clarification. Will chat with you later. You are the best!!!!!!!


    Mongooseba
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!
     
