Read this topic before posting a log.
DO NOT post a ComboFix log unless requested to.
Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Post #1 | May 14 2008, 12:52 AM | New Member | Group: Members | Posts: 3 | Joined: 13-May 08 | Member No.: 208,843

On Sunday evening my wife tried to use her computer and a dialog box popped up in the middle of the screen telling her she had spyware installed. (Black box, not normal Windows XP format.) She called me in and I tried to open the task manager but got "task manager is disabled by your security settings" or something like that. I let several expletives go under my breath. There was also a persistent popup from the system tray with a warning sign icon that would also warn about the computer being infected. Then I noticed that her desktop background had also been replaced with an HTML file that had a big "Your computer is infected" sort of message and a link to download anti-spyware software. Finally, a Security Manager window (the real XP one) popped up and I thought this was real, clicked, and got a web page that had some spyware ads on it. Oops. So it had taken over the Security Manager as well.

Note that Norton Internet Security was running the whole time. I did a couple of scans with it but all that it identified were some tracking cookies. Being resourceful, I downloaded Spybot S&D and ran it. It found a number of suspicious things and I removed them. (I'd google the .exe or .dll, and if it was bad, I'd have Spybot remove them.) Unfortunately, as soon as I removed them, they were back. This included some stuff with smitfraud in the name and some other things. Spybot did start TeaTimer. During this time I googled the "task manager" issue and fixed it. When I changed the registry, TeaTimer saw the change and popped up a warning. I allowed it to change. It instantly popped up another warning that something was trying to change it back.

At this point I downloaded HijackThis and ran it. It noticed some startup stuff that wasn't usual and I killed this and rebooted. When I rebooted, Spybot ran before I got logged in and I cleaned up almost everything that wasn't a tracking cookie. There was something called virtumonde that I wasn't sure of and left it, though recent googles indicate that this should go as well. I also had HijackThis "fix" the bad default.htm that it identified as a background problem. More googling led me to ComboFix, which I also ran. (Sorry - didn't have an account here and hadn't seen the "Don't run this until we tell you" warning.)

However, the computer is still not well. I've had some new pop-ups, including a clever one that resized and hid my Firefox window behind a pop-up by the system tray. I've also had porn search pages sporadically pop up while using Firefox. Also, shortly after logging in, my wife's background is now replaced with a plain blue background, so that's broken as well. I did update Norton a bit ago and then rebooted and when I logged back in the computer complained about a couple of DLLs:

Error loading C:\WINDOWS\system32\bogphutr.dll Invalid access to memory location
Error loading C:\WINDOWS\system32\ngxpmuti.dll Invalid access to memory location

Since that reboot (knock on wood) I haven't had a pop-up, but the background is still blue and I don't want to turn this over to my wife and daughter until it has a clean bill of health. I'm attaching my HijackThis and ComboFix logs. Please help!

Thanks - Jim

Attached File(s)
hijackthis_safemode.txt ( 8.56k )
Number of downloads: 7
ComboFix.txt ( 9.73k )
Number of downloads: 7

Post #2 | May 14 2008, 07:39 PM | New Member | Group: Members | Posts: 3 | Joined: 13-May 08 | Member No.: 208,843

Note that Norton just found and removed a virus called Trojan.LowZones. It also found Trojan Horse in the combofix quarantine directory and "fixed" it as well.

Post #3 | May 17 2008, 11:25 AM | New Member | Group: Members | Posts: 3 | Joined: 13-May 08 | Member No.: 208,843

In case my last update was misleading, the computer is still not working correctly. No browser funniness since Norton removed Trojan.LowZones, but it still complains about missing DLLs when starting up and something changes the desktop background. My wife is still afraid to use it for her work so any help would be greatly appreciated.

Post #4 | May 31 2008, 12:12 PM | Malware Killer Dog | Group: HJT Team | Posts: 14,999 | Joined: 18-February 05 | From: Belgium | Member No.: 12,408

Hi,
The forums are really busy, that explains why logs get behind. If you still need some help, please start with posting a new ComboFix log in this thread. Don't start with a new thread. Then I'll take a look. Also, please redownload ComboFix, because the version you are using is outdated.

--------------------
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here! Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

Post #5 | Jun 9 2008, 07:24 AM | Malware Killer Dog | Group: HJT Team | Posts: 14,999 | Joined: 18-February 05 | From: Belgium | Member No.: 12,408

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.