Hi all,
On Sunday evening my wife tried to use her computer and a dialog box popped up in the middle of the screen telling her she had spyware installed. (Black box, not normal Windows XP format.) She called me in and I tried to open the task manager but got "task manager is disabled by your security settings" or something like that. I let several expletives go under my breath. There was also a persistent popup from the system tray with a warning sign icon that would also warn about the computer being infected. Then I noticed that her desktop background had also been replaced with an HTML file that had a big "Your computer is infected" sort of message and a link to download anti-spyware software. Finally, a Security Manager window (the real XP one) popped up and I thought this was real, clicked, and got a web page that had some spyware ads on it. Oops. So it had taken over the Security Manager as well.
Note that Norton Internet Security was running the whole time. I did a couple of scans with it but all that it identified were some tracking cookies.
Being resourceful, I downloaded Spybot S&D and ran it. It found a number of suspicious things and I removed them. (I'd google the .exe or .dll, and if it was bad, I'd have Spybot remove them.) Unfortunately, as soon as I removed them, they were back. This included some stuff with smitfraud in the name and some other things.
Spybot did start TeaTimer. During this time I googled the "task manager" issue and fixed it. When I changed the registry, TeaTimer saw the change and popped up a warning. I allowed it to change. It instantly popped up another warning that something was trying to change it back.
At this point I downloaded hijackthis and ran it. It noticed some startup stuff that wasn't usual and I killed this and rebooted. When I rebooted, spybot ran before I got logged in and I cleaned up almost everything that wasn't a tracking cookie. There was something called virtumonde that I wasn't sure of and left it though recent googles indicate that this should go as well. I also had hijackthis "fix" the bad default.htm that it identified as a background problem.
More googling led me to ComboFix, which I also ran. (Sorry - didn't have an account here and hadn't seen the "Don't run this until we tell you" warning.)
However, the computer is still not well. I've had some new pop-ups, including a clever one that resized and hid my Firefox window behind a pop-up by the system tray. I've also had porn search pages sporadically pop up while using Firefox. Also, shortly after logging in, my wife's background is now replaced with a plain blue background, so that's broken as well.
I did update Norton a bit ago and then rebooted and when I logged back in the computer complained about a couple of DLLs:
Error loading C:\WINDOWS\system32\bogphutr.dll
Invalid access to memory location
Error loading C:\WINDOWS\system32\ngxpmuti.dll
Invalid access to memory location
Since that reboot (knock on wood) I haven't had a pop-up, but the background is still blue and I don't want to turn this over to my wife and daughter until it has a clean bill of health.
I'm attaching my hijackthis and combofix logs.
Please help!
Thanks - Jim