
Rogue Spyware And/or Malware


12 replies to this topic

#1 pcandmaceric (Members, 15 posts)

Posted 26 August 2008 - 01:13 PM

Hello everyone,

I'm new to this website, and to pc viruses in general, so I'm in need of some help! I want to preface my post by saying two things: Firstly, my problem WAS the red background saying "privacy in danger" and my clock being in military time saying VIRUS ALERT! I couldn't access many of the start menu functions or any local hard drives--the whole works. Secondly, I have taken every necessary step I've read about before posting. I followed the tutorial for combofix, I downloaded and ran ATF-Cleaner and ERUNT along with Malwarebytes' Anti-Malware, spybot, etc. I have saved the logs of combofix, hijackthis, and malwarebytes.

So, through all of this I've made tremendous progress but there's still just a few minor problems that I was hoping to receive some help with. My internet is working again and everything seems to be fine as far as the background, virus alert message and the start menu and hard drives. The only things are that the clock is still in military time and my desktop icons still have a dark blue outline to them. Other than that, though, all of these steps really seemed to help me. So, I'm asking for some help on where to go from here regarding the little things that are still acting up, and any further steps to take after analyzing the logs. If someone could respond and tell me which log to post to be analyzed I'd greatly appreciate it. Thanks so much to anyone and everyone for their help!

Edited by Orange Blossom, 26 August 2008 - 04:18 PM.
Move to more appropriate forum. ~ OB



#2 boopme, "To Insanity and Beyond" (Global Moderator, 72,109 posts, NJ USA)

Posted 26 August 2008 - 10:09 PM

I am going with an XP system here...

Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:

Security Info
Warning Message
Security Desktop
Warning Homepage
Privacy Protection
Desktop Uninstall


If present, select each entry and click the Delete button.
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

When done go back into your Desktop Settings and see if you can change the color/theme to whatever you want.


For the clock if still needed.

To change your time, go to Start > Control Panel and double-click Date, Time, Language and Regional Options.
Note: Depending on your settings (classic view) it may show as Regional and Language Options.
In the Regional Options tab, under Standards and formats click the Customize... button.
Click the Time tab, and then click the down arrow next to the Time format box.
Select: h:mm:ss tt
Click Apply then OK to exit out.

Edited by boopme, 26 August 2008 - 10:14 PM.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 pcandmaceric (Topic Starter, Members, 15 posts)

Posted 28 August 2008 - 07:47 AM

Thank you very much! That did it for both things. Now the only thing is, the computer restarts every now and then. Just by itself. Any suggestions? Should I continue further after the hijackthis logs and stuff, or am I okay. It seems okay to me, but I'll listen to you. Thanks for your response!

#4 quietman7, "Bleepin' Janitor" (Global Moderator, 50,560 posts, Virginia, USA)

Posted 28 August 2008 - 08:42 AM

The symptoms you describe could be due to hardware or overheating problems caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, etc. If the computer is overheating, it usually begins to shutdown/restart on a more regular basis. If you're not finding any malware then it sounds like one of the latter problems.

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast. You should be able to see the error by looking in the Event Log. However an easier alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is UNchecked.
  • Click "OK" and reboot for the changes to take effect.
Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information that will allow you to better trace your problem. Write down the full error code and any files/drivers listed, then provide that information in your next reply so we can assist you with investigating the cause.

Some rootkits can also trigger BSODs, shutdowns and various stop error/shutdown messages so it would also be wise to perform a scan for this type of problem. Download and scan with Sophos Anti-rootkit, Panda AntiRootkit or AVG Anti-Rootkit.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.
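The dialog steps in this post toggle two values under the CrashControl registry key. As an added note (not part of quietman7's post), here is the same change as a .reg file; the key and value names are the ones Windows uses for "Automatically restart" and "Write an event to the system log", and the assumption is a stock XP install where the key already exists:

```reg
Windows Registry Editor Version 5.00

; Default XP behaviour is AutoReboot=1: the machine restarts on a STOP error
; before the blue screen can be read. Setting it to 0 keeps the STOP screen
; on the display; LogEvent=1 records the bugcheck in the System event log
; (logged by "Save Dump", event ID 1001, after the next boot).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AutoReboot"=dword:00000000
"LogEvent"=dword:00000001
```

Double-click the file (or run `regedit /s file.reg` from an administrator account) and reboot, exactly as the dialog route requires. The same setting is exposed through WMI, so `wmic recoveros set AutoReboot = false` should have the same effect on XP, but the .reg form is the one you can read back and diff.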

#5 pcandmaceric (Topic Starter, Members, 15 posts)

Posted 05 September 2008 - 04:57 AM

I'm so sorry for the late response, I've been so busy at work that my home computer has been the least of my worries. I followed the steps you outlined, and I disabled the automatic shutdown. Everything has seemed to help, but I've noticed just one more problem. When I shut down or reboot the computer freezes. I'm not too sure if it does it all the time, but 9 times out of 10 it will freeze on the "windows is shutting down" screen. Any suggestions?

#6 quietman7, "Bleepin' Janitor" (Global Moderator, 50,560 posts, Virginia, USA)

Posted 05 September 2008 - 08:24 AM

Are you getting any error messages? Shutdown problems can be symptomatic of a variety of things to include hardware/software issues, mismatched RAM, other programs hanging or unresponsive in the background, unsigned device drivers and even malware.

XP Shutdown & Restart Troubleshooting
Troubleshoot shutdown problems in Windows XP
XP Shut Down and Automatic Reboot Problems
Troubleshooting Windows Shutdown Problems
Windows stops responding during Windows XP shut down

Another thing to try is download and install the User Profile Hive Cleanup Service which helps to ensure user sessions are completely terminated when a user logs off. System processes and applications occasionally maintain connections to registry keys in the user profile after a user logs off. In those cases the user session is prevented from completely ending.

#7 pcandmaceric (Topic Starter, Members, 15 posts)

Posted 05 September 2008 - 10:04 AM

Thanks for the quick response. Yes, I'm getting error messages. For the past hour the computer has shut off periodically and the blue screen has come up. This is what it said:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Technical information:

*** STOP: 0X000000D1 (0x00004014, 0x00000002, 0x00000000, 0xAABFA78E)

*** SYMTDI.SYS - Address AABFA78E base at AABEE000, Datestamp 484736b6

I'm also getting an error report when windows starts back up. It traces a file something like this (I don't remember the exact file name, but this is close):

C:\Documents and Settings\HP_Owner\Local\Temp....and then something with a few symbols and something that says HP LOCAL KEY.

When I look through my computer to find the file-I can't. Also the error report on startup this past time gave a long report with a bunch of the zeros like I've typed above (0x000000....etc, etc.)

I have just done the following things:

Installed Windows XP SP3, uninstalled Norton 360 and am using Kaspersky (I had two anti-virus programs), I ran Malwarebytes' Anti-Malware again and it found nothing. I ran Spybot and it found 3 problems, but it can't delete them, even on a reboot. So, that's what I'm working with. Also, when I try to shut down I get the End Now dialog box with some program running, but I don't know what it is. I'll try the things you mentioned in the previous reply and wait for you to respond again. Thanks so much for all of your help!!
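The stop screen quoted in this post carries more than the driver name. As an added example (not code from the post, from Symantec or from Microsoft), the script below parses the two technical lines, applies Microsoft's documented meaning of the four 0xD1 parameters, computes the offset of the faulting instruction inside SYMTDI.SYS and converts the Datestamp field (the driver's PE link timestamp) into a calendar date. The IRQL names and the "near null" reading of a small referenced address are general kernel-debugging conventions, not something the post states.

```python
"""Decode the XP stop screen transcribed in post #7 (added example, not from the post)."""
import re
from datetime import datetime, timezone

# The technical lines as the poster transcribed them (copied from the post above).
STOP_SCREEN = """
DRIVER_IRQL_NOT_LESS_OR_EQUAL

*** STOP: 0X000000D1 (0x00004014, 0x00000002, 0x00000000, 0xAABFA78E)

*** SYMTDI.SYS - Address AABFA78E base at AABEE000, Datestamp 484736b6
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

STOP_RE = re.compile(r"STOP:\s*0x([0-9a-f]+)\s*\(([^)]*)\)", re.IGNORECASE)
MODULE_RE = re.compile(
    r"\*{3}\s*(\S+)\s*-\s*Address\s+([0-9a-f]+)\s+base\s+at\s+([0-9a-f]+),"
    r"\s*Datestamp\s+([0-9a-f]+)",
    re.IGNORECASE,
)


def parse_stop_screen(text):
    """Return the bugcheck code, its four parameters and the named module, or None."""
    stop = STOP_RE.search(text)
    mod = MODULE_RE.search(text)
    if not stop or not mod:
        return None
    params = [int(p.strip(), 16) for p in stop.group(2).split(",")]
    if len(params) != 4:
        return None
    return {
        "code": int(stop.group(1), 16),
        "params": params,
        "module": mod.group(1),
        "address": int(mod.group(2), 16),
        "base": int(mod.group(3), 16),
        "timestamp": int(mod.group(4), 16),
    }


def decode_d1(parsed):
    """Interpret bugcheck 0xD1 parameters (Microsoft's documented meaning):
    p1 memory referenced, p2 IRQL at the time, p3 0 = read / 1 = write,
    p4 address of the instruction that made the access."""
    if parsed["code"] != 0xD1:
        raise ValueError("not a DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) bugcheck")
    referenced, irql, access, faulting = parsed["params"]
    return {
        "referenced": referenced,
        "irql": IRQL_NAMES.get(irql, "IRQL %d" % irql),
        "access": "write" if access == 1 else "read",
        # Offset of the faulting instruction inside the driver image: the value
        # to look up in the driver's symbols or disassembly, independent of the
        # load address on this particular boot.
        "offset": faulting - parsed["base"],
        # The "Address" in the module line should repeat parameter 4.
        "address_matches": faulting == parsed["address"],
        # A small referenced address is the classic sign of a field read through
        # a NULL pointer (heuristic, not a Microsoft definition).
        "near_null": referenced < 0x10000,
        # The PE TimeDateStamp is seconds since the Unix epoch: the build's link
        # date, useful to compare against whatever the vendor's update ships.
        "link_date": datetime.fromtimestamp(
            parsed["timestamp"], tz=timezone.utc).date().isoformat(),
    }


def summarize(text):
    """One-line triage summary, or None if the text is not a 0xD1 stop screen."""
    parsed = parse_stop_screen(text)
    if parsed is None or parsed["code"] != 0xD1:
        return None
    d = decode_d1(parsed)
    return ("%s faulted at %s+0x%X (%s of 0x%X at %s; driver linked %s)" % (
        parsed["module"], parsed["module"], d["offset"], d["access"],
        d["referenced"], d["irql"], d["link_date"]))


if __name__ == "__main__":
    print(summarize(STOP_SCREEN))
```

Run stand-alone it prints `SYMTDI.SYS faulted at SYMTDI.SYS+0xC78E (read of 0x4014 at DISPATCH_LEVEL; driver linked 2008-06-05)`. The module offset and link date are the two facts worth quoting back to the vendor or matching against the build a later update replaces; the raw absolute address changes every boot and is useless on its own.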

#8 quietman7, "Bleepin' Janitor" (Global Moderator, 50,560 posts, Virginia, USA)

Posted 05 September 2008 - 10:32 AM

SYMTDI.SYS appears to be a device driver related to Norton Anti-virus/Internet Security. A search reveals similar complaints to yours so removing it was an option I would have suggested.

I had two anti-virus programs

Using more than one anti-virus program is not advisable. The primary concern with using more than one anti-virus program is due to conflicts that can arise when they are running in real-time mode simultaneously. However, even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating systems core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

#9 pcandmaceric (Topic Starter, Members, 15 posts)

Posted 05 September 2008 - 11:03 AM

I uninstalled Norton but I was still getting an error message; primarily on startup. It said System settings protector, and it traced a certain .exe file. That file was associated with Spybot. I just uninstalled spybot; the error message went away and I think my problems might be coming to an end. I hope so. If you can recommend anything else I should do, just as a pre-emptive measure please let me know. Thanks again.

#10 quietman7, "Bleepin' Janitor" (Global Moderator, 50,560 posts, Virginia, USA)

Posted 05 September 2008 - 11:09 AM

Because of the seriousness of your original infection, I would like you to rescan with MBAM and post a new log. MBAM was updated to v1.26 a few days ago. Please update to the most current one. If you encounter any problems while downloading the database updates, manually download them from here and just double-click on mbam-rules.exe to install. Perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#11 pcandmaceric (Topic Starter, Members, 15 posts)

Posted 05 September 2008 - 02:02 PM

Here's my current mbam log. As of this report, I deleted the 4 problems but haven't rebooted yet:

Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 3

2:57:09 PM 9/5/2008
mbam-log-09-05-2008 (14-57-09).txt

Scan type: Quick Scan
Objects scanned: 48319
Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSA.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.

I'm about to reboot now, do you need another log?
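A log like this one is checked by hand in the thread: do the summary counts match the listed items, what family was found, and is anything still waiting on the reboot quietman7 insists on. The following added example automates that check; it is not part of the post or of Malwarebytes' software. It assumes the 1.x text layout exactly as shown above, and the embedded sample is constructed from the posted log with its last entry altered to the "Delete on reboot" status MBAM reports for a file it could not remove while in use.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log (added example, not MBAM code)."""
import re
from collections import Counter

# Constructed sample in the format of the log posted above. Header and the first
# three detections are copied from the post; the last entry is changed to
# "Delete on reboot" to exercise the in-use-file case quietman7 warns about.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 3

2:57:09 PM 9/5/2008
mbam-log-09-05-2008 (14-57-09).txt

Scan type: Quick Scan
Objects scanned: 48319
Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSA.cpl (Rogue.MSAntivirus) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([\w ]+ Infected): (\d+)$")   # "Files Infected: 4"
SECTION_RE = re.compile(r"^([\w ]+ Infected):$")          # "Files Infected:"
# "<target> (<detection name>) -> <action>." with a greedy target, so a path such
# as "C:\Program Files (x86)\..." keeps its own parentheses.
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.+?)\.?$")


def parse_mbam_log(text):
    """Return {'header': {...}, 'summary': {section: count}, 'items': [...]}."""
    header, summary, items = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends a detail section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is not None:
            m = ITEM_RE.match(line)
            if m:
                items.append({"section": section, "target": m.group(1),
                              "detection": m.group(2), "action": m.group(3)})
            continue                # e.g. "(No malicious items detected)"
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
        elif line.startswith("Malwarebytes' Anti-Malware "):
            header["Version"] = line.rsplit(" ", 1)[1]
        elif ": " in line:
            header.update([line.split(": ", 1)])
    return {"header": header, "summary": summary, "items": items}


def audit(parsed):
    """Cross-check the summary against the listed items and flag pending removals."""
    listed = Counter(item["section"] for item in parsed["items"])
    mismatches = {s: (n, listed.get(s, 0))
                  for s, n in parsed["summary"].items() if n != listed.get(s, 0)}
    # MBAM reports "Delete on reboot" for a file it could not remove while in
    # use; it stays on disk until a normal (not Safe Mode) restart.
    pending = [i["target"] for i in parsed["items"] if "reboot" in i["action"].lower()]
    families = Counter(i["detection"] for i in parsed["items"])
    return {"mismatches": mismatches, "pending_reboot": pending,
            "families": dict(families)}


if __name__ == "__main__":
    print(audit(parse_mbam_log(SAMPLE_LOG)))
```

A non-empty `pending_reboot` list is the signal to reboot and rescan before calling the machine clean; a non-empty `mismatches` dict means the pasted log was truncated or edited and should be re-posted in full.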

#12 quietman7, "Bleepin' Janitor" (Global Moderator, 50,560 posts, Virginia, USA)

Posted 05 September 2008 - 07:06 PM

Yes, reboot, rescan and post a new log.

#13 pcandmaceric (Topic Starter, Members, 15 posts)

Posted 12 September 2008 - 10:27 AM

I'm sorry again for the late response. I'm at work, but when I get home I'll post an updated mbam log. My problems have changed, somewhat. Here's what is currently happening:

When I access some websites, the computer shuts down. It only happens on a few websites, but the same one every time. I don't even remember which website, I was searching google for resolutions to my problems and clicked a link. But more importantly, and more often, the computer will hang on shutdown or reboot. It used to take a few minutes for the shutdown options to show up; now it shows up right away but it still freezes. I've read a few shutdown troubleshooting guides (2 of the most common I've found) and they have been unable to help me. Every resolution I seek points to device driver/hardware problems; but I don't know how to fix it. I ran a device scan and it showed which drivers needed to be updated and which were bad. When I look at them in the device manager, though, it says they're running properly. I keep reading about my realtek high definition audio driver, and how the sound often is the problem. Now, I've noticed that the speaker symbol is no longer on my taskbar; it's replaced with a red symbol for "sound effects."

Microsoft's website said that the problem would be solved by updating to the current service pack. I couldn't update through their website; there was an error of some sort (and when I troubleshot that error it couldn't help me.) So, through an external Microsoft server website I updated to SP3, but the computer still freezes on shutdown and reboot. After the SP3 update some things seemed to have returned to normal. The speaker icon returned to the taskbar, as well as the "eject device" icon. (I keep a USB wireless network adapter plugged in all the time). But now those icons have disappeared again.

I haven't tried UPHClean because when I start it it brings up a dos type command box and I don't know where to go from there--and I can't find anything online to tell me how to use the program. I'm convinced that it might be a device/hardware/software issue, but I just don't know how to tell which issue is the problem. I completely uninstalled Norton, but that seems to not have helped much. I'm using Kaspersky 2009 now.

Also, I haven't got the BSOD in awhile, but I got it last night. The same message as in my previous post--DRIVER_IRQL_NOT_LESS_OR_EQUAL, etc.

So, I'm sorry for the long post. I'll re-run mbam tonight and I'll post a log. Thanks very much. Again.



