Spyware! Not Sure What Kind


  • This topic is locked
6 replies to this topic

#1 Liberty I.

  • Members
  • 4 posts

Posted 12 April 2008 - 12:32 PM

Hello,

My roommate's friend was using my computer the other night, and when I turned it on yesterday morning, it was quite obviously infected with something. The desktop is bright blue and says,

WARNING!

YOU'RE IN DANGER!
YOUR COMPUTER IS INFECTED WITH SPYWARE!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND E-MAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browsers, with all images, and all downloaded and maybe later removed movies or mp3 songs - RE STILL THERE and could broke your life!

It says exactly that, even with spelling and grammatical errors. There's also a bright yellow caution sign blinking in the taskbar, and it's always popping up with warnings. The one that's there now says,

System performance monitor: Warning

Summary:
System performance slowed down by: 47%
Internet connection speed decreased by: 39%
Probably reason: Spyware applications/Adware popup windows
Click this balloon to download spyware scan tool to remove spyware/adware application.

Some say other things naming specific trojans and/or worms my computer is supposedly infected with, and every time I open my internet browser the home page is some security warning designed to look like it's from Microsoft. It lists my IP address, browser, and system info. Popups that attempt to download spyware and malware removal programs constantly appear from the internet. I have Avast! Antivirus and AVG AntiSpyware, as well as Windows Defender and Firewall. I have attached the HijackThis file that appeared after I ran DSS.

Thank you ahead of time for any help you can give me. I do appreciate it.

#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 April 2008 - 11:33 PM

Hello Liberty I,

Looks like you have several nasty infections on this computer. :thumbsup:

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Disable Windows Defender before running SmitfraudFix.

To disable Windows Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.


Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process.

Please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log. DO NOT attach your logs, as that makes it hard to read.

The SmitfraudFix report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by SifuMike, 18 April 2008 - 11:36 PM.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Liberty I.

  • Topic Starter
  • Members
  • 4 posts

Posted 23 April 2008 - 09:39 PM

My computer isn't letting me download SmitfraudFix :( When the window pops up, it won't let me choose 'Save,' only 'Cancel.' Thank you so much for helping me, by the way.

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 April 2008 - 11:17 PM

Hi Liberty I,

You are very welcome. :thumbsup:

Did you turn off your Avast AntiVirus before trying to download SmitfraudFix?



We need to run this tool.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Edited by SifuMike, 23 April 2008 - 11:33 PM.

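The troubleshooting in the two posts above (the SmitfraudFix registry cleaning and Desktop-background restore in post #2, and the disabled-command-prompt and ComSpec checks in post #4) can be verified from a shell before and after running the tools. The script below is an added example, not code from the thread or from the SmitfraudFix/SDFix tools. It assumes a current PowerShell host run from an elevated prompt; the registry locations are documented Windows paths (the DisableCMD policy value, the machine ComSpec environment value, the Run autostart keys that HijackThis reports as O4 lines, and the Wallpaper value), while the "expected" ComSpec value and the treatment of the rogue's warning screen as a wallpaper are this script's assumptions. It does not replace either tool; it only shows whether the conditions the posts describe are present.

```powershell
# Added example (not from the thread or from SDFix/SmitfraudFix).
# Triage checks for the conditions SifuMike's instructions anticipate.

function Test-CommandPromptPolicy {
    # DisableCMD under the Policies hives blocks cmd.exe, which is what produces
    # "The command prompt has been disabled by your administrator".
    # 1 = cmd.exe and batch files disabled, 2 = interactive cmd.exe disabled but
    # batch files still run, 0 or absent = enabled.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Windows\System"
        $val = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
        [pscustomobject]@{
            Hive       = $hive
            DisableCMD = $val
            Blocked    = ($val -eq 1 -or $val -eq 2)
        }
    }
}

function Repair-CommandPromptPolicy {
    # Clears the policy value. Assumption: this is the effect of importing
    # SDFix's Enable_Command_Prompt.reg; the .reg file itself is not on the page.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Policies\Microsoft\Windows\System"
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue
        }
    }
}

function Test-ComSpec {
    # Post #4: ComSpec must point at cmd.exe or RunThis.bat cannot start.
    # Expected value is an assumption matching the post: %SystemRoot%\system32\cmd.exe
    $expected = Join-Path $env:SystemRoot 'system32\cmd.exe'
    $machine  = [Environment]::GetEnvironmentVariable('ComSpec', 'Machine')
    $current  = $env:ComSpec
    [pscustomobject]@{
        Current  = $current
        Machine  = $machine
        Expected = $expected
        Ok       = ($current -ieq $expected) -and (Test-Path $expected)
    }
}

function Get-AutostartEntries {
    # The Run keys that HijackThis lists as O4 entries; compare against the
    # HijackThis log the posts ask for.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-DesktopWallpaper {
    # Post #2: SmitfraudFix's registry cleaning removes the rogue's Desktop
    # background. Assumption: the warning screen is set as the user's wallpaper,
    # so its path shows up here before cleaning and is gone afterwards.
    (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
}

# Usage: run before the fix, save the output, run again after the reboot.
Test-CommandPromptPolicy | Format-Table -AutoSize
Test-ComSpec
Get-AutostartEntries | Format-Table -AutoSize
Get-DesktopWallpaper
```

Run it from Safe Mode with Networking if a normal boot is still hijacked; the Run-key listing is the part worth keeping, since a command that reappears there after a reboot is the entry to hand to the HJT Team along with the tool reports.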

#5 Liberty I.

  • Topic Starter
  • Members
  • 4 posts

Posted 24 April 2008 - 07:27 PM

It won't let me download that either :thumbsup: I turned off Windows Defender, Avast, and AVG.

#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 24 April 2008 - 09:01 PM

I turned off Windows Defender, Avast, and AVG


You mean AVG and AVAST antivirus? Or AVG Antispyware and Avast antivirus?

You should NEVER have two antivirus programs (AVAST and AVG) on your computer, as they will cause major problems.
Uninstall one of the antivirus programs and try the download again.


You can try downloading SmitfraudFix using
SAFE MODE WITH NETWORKING

How to Reboot into Safe Mode with Networking
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode with Networking" from the menu, then press the "Enter" key.

When you boot up to the safe mode menu screen, select the following option:
Safe Mode with Networking
This option loads all of the usual Safe Mode files and drivers, plus the services and drivers necessary to start networking.

Now that you are in SafeMode with Networking, see if SmitfraudFix will download. If it will download, then run it with the directions in my previous post - except you will use Safe Mode with Networking in place of Safe Mode.

Edited by SifuMike, 24 April 2008 - 09:17 PM.


#7 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 May 2008 - 01:55 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.