
Problems removing "Warning Dangerous Spyware"


This topic is locked
15 replies to this topic

#1 flyingowl

Posted 04 March 2009 - 09:15 AM

Hi,

Recently I got this problem of "Warning Dangerous Spyware" messages (saying that my computer is infected by lots of viruses etc.) popping up on my desktop and disallowing me to change my desktop settings. I have tried to run Malwarebytes Anti-Malware to fix the problem, but the infection seems to keep coming back, and this time with the "generic host process for win32 services" pop-up and also a "Warning! Security report" from Windows Security Center.

I am wondering if anyone could help me solve this?

Thanks a million~~

#2 Guest_superbird_*

Posted 04 March 2009 - 09:29 AM

Hi,

Please do a new, full scan with MBAM, and post that logfile in your next reply. :thumbsup:

Also, download BIT to your desktop.
Unzip the file.
Now, double-click BIT.exe.
Choose option 3 - Create a startup report
Post the logfile in your next reply. :flowers:

#3 flyingowl (Topic Starter)

Posted 04 March 2009 - 09:48 AM

Hi Superbird,

Thanks for the reply.

I just realised that I got 20 infected objects which are difficult to remove and need a reboot of the system. I found that each reboot can only remove one infected object, which means I need to reboot 20 times... Now I am still working on it... It seems that the generic host thing has gone with my last reboot...

#4 Guest_superbird_*

Posted 04 March 2009 - 09:50 AM

Hi,

Ok, I'll wait for your reply. :thumbsup:

#5 flyingowl (Topic Starter)

Posted 04 March 2009 - 10:28 AM

Hi,

By using the MBAM quick scan, I was able to narrow down the infected objects to 2, but after restarting the system the infected objects have increased to 4, and the generic host process and security report messages pop up again~~

These are my last two MBAM reports and the BIT report:

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 3

04/03/2009 23:13:30
mbam-log-2009-03-04 (23-13-30).txt

Scan type: Quick Scan
Objects scanned: 69894
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\2052z.exe (Trojan.Dropper) -> Delete on reboot.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 3

04/03/2009 23:20:35
mbam-log-2009-03-04 (23-20-35).txt

Scan type: Quick Scan
Objects scanned: 70016
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\acctresy.exe (Trojan.Dropper) -> Delete on reboot.
C:\WINDOWS\Temp\BN5.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.



BIT report:

Blackbird's Information Tool (BIT) STARTUPREPORT
BIT v1.1

Microsoft Windows XP [Version 5.1.2600]
-----------------------------------------------------


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"AlcoholAutomount"="\"d:\\Program Files\\Alcohol Soft\\Alcohol 120\\axcmd.exe\" /automount"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="d:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"flyingowl"="C:\\Documents and Settings\\flyingowl\\flyingowl.exe /i"


Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IntelWireless"="D:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"EOUApp"="D:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"
"NWEReboot"=""
"GrooveMonitor"="\"D:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"FinePrint Dispatcher v5"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe\" /source=HKLM"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"D:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"egui"="\"C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe\" /hide /waitservice"
"NodLogin"="C:\\Program Files\\ESET\\ESET Smart Security\\nodlogin.exe"
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,75,00,\
00,00
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
00,00,00
Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------



Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------



Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
--------------------------------------------------------------------------------



Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------




--- End of file ---

#6 Guest_superbird_*

Posted 04 March 2009 - 10:48 AM

Hi,

Do you recognize this file?:
C:\Documents and Settings\flyingowl\flyingowl.exe

#7 flyingowl (Topic Starter)

Posted 04 March 2009 - 10:58 AM

hi,

I don't think I know the file flyingowl.exe.

My recent quick scan came back with 21 infected objects.... quite frustrating..

#8 Guest_superbird_*

Posted 04 March 2009 - 11:47 AM

Hi,

WARNING:
(The information provided above requires a registry edit.) (The recommended program will make changes to the registry.)
Improper changes to the registry could render your computer inoperable.
Remember to back up the registry before making any changes.
Instructions on how to do that can be found here:
How to back up, edit, and restore the registry
(I highly recommend you make a copy of this article before proceeding.)

1. Open Notepad.
Copy this into the Notepad file:

REGEDIT4

; Root keys must be written out in full in a .reg file; the HKLM/HKCU short forms are not accepted by regedit.
; A value set to "-" is deleted from the key when the file is merged.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"flyingowl"=-


Go to File - Save as...
Fill in these values:
Save in: Desktop
Filename: fix.reg
Filetype: All files (*.*)
Now, click "Save"

Double click on fix.reg on your desktop, and add the values to the registry.

2. Open Notepad.
Copy this in the Notepad-file:

@ECHO OFF
REM Start a fresh log, then try to delete each listed file and record the outcome.
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"C:\Documents and Settings\flyingowl\flyingowl.exe") DO (
IF EXIST %%g (
REM Clear the read-only, system and hidden attributes so DEL is allowed to remove the file.
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.


Do a new full scan with MBAM and post that logfile in your next reply, together with the log from del.bat.
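Superbird picked the odd entries out of the BIT startup report by eye: an executable launched from under Documents and Settings, and a Run value with no command at all. As an added example, not part of the thread, here is a small Python parser for the BIT report layout that flags those same two things; the sample report is constructed from the thread's entries (abridged), and the function names are my own.

```python
import re

# Constructed sample in the layout of the thread's BIT "STARTUPREPORT" (abridged); the hex(2) value keeps its backslash continuation line.
SAMPLE_BIT = r'''Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"flyingowl"="C:\\Documents and Settings\\flyingowl\\flyingowl.exe /i"
Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"NWEReboot"=""
"egui"="\"C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe\" /hide"
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,\
  74,00,65,00,6d,00,00,00
'''

HEADER = re.compile(r"^Contents of (HK\w+\\.+)$")
ENTRY = re.compile(r'^"([^"]+)"=(.*)$')

def parse_bit_report(text):
    """Return (key, name, raw_value) tuples; hex(2) continuation lines are joined."""
    entries, key, pending = [], None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):          # .reg-style continuation of hex data
            pending = line[:-1]
            continue
        if m := HEADER.match(line):
            key = m.group(1)
        elif (m := ENTRY.match(line)) and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries

def image_path(raw_value):
    """Executable path from a REG_SZ value; "" if empty, None for non-string data."""
    if not raw_value.startswith('"'):
        return None
    text = raw_value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if text.startswith('"'):             # quoted path followed by arguments
        return text[1:text.index('"', 1)]
    m = re.match(r"(.+?\.exe)", text, re.IGNORECASE)
    return m.group(1) if m else text

def suspicious_entries(entries):
    """Flag what the helper checked by eye: empty values and executables run from a user profile."""
    findings = []
    for _key, name, raw in entries:
        path = image_path(raw)
        if path == "":
            findings.append((name, "empty value"))
        elif path and any(d in path.lower() for d in ("\\documents and settings\\", "\\users\\")):
            findings.append((name, "runs from user profile: " + path))
    return findings
```

The profile-directory check covers both the XP layout seen here and the Users folder of later Windows versions.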

#9 flyingowl (Topic Starter)

Posted 04 March 2009 - 06:31 PM

Hi,

This is the registry fix log:
Deleting files
"C:\Documents and Settings\flyingowl\flyingowl.exe" deleted


My last full scan log:
Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 3

05/03/2009 06:33:20
mbam-log-2009-03-05 (06-33-20).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 193696
Time elapsed: 57 minute(s), 46 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\accesss.exe (Trojan.Dropper) -> Delete on reboot.
D:\Thunder_5.8.7.639\Thunder_5.8.7.639\Thunder 5.8.7.639\Components\ExplorerHelper\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
E:\Program DL\EvID4226Patch223d-en(connection)\EvID4226Patch.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\656.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

#10 flyingowl (Topic Starter)

Posted 04 March 2009 - 10:47 PM

hi,

Thanks for your help. After trying to fix the problem the whole night, I found my computer system is pretty clean now, except for one problem which I have posted on a new thread for a solution: http://www.bleepingcomputer.com/forums/t/208507/how-to-repair-userinitexe/.

#11 Guest_superbird_*

Posted 05 March 2009 - 01:41 AM

Please reply in that topic that you are already getting help here... I was not finished with this one, so we can do it here too.
Also: please use only the tools I have requested you to use. It is too dangerous to use those tools on your own.

So, if you've replied there, please reply here you have done so. I'll help you then. :thumbsup:

#12 flyingowl (Topic Starter)

Posted 05 March 2009 - 01:46 AM

Hi, sorry about that... I was too desperate to solve the problems...

My current scan log shows this:

Malwarebytes' Anti-Malware 1.34
Database version: 1817
Windows 5.1.2600 Service Pack 3

05/03/2009 10:37:06
mbam-log-2009-03-05 (10-37-06).txt

Scan type: Quick Scan
Objects scanned: 71251
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)



Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Guest_superbird_*

Posted 05 March 2009 - 09:25 AM

Hi,

Which problems do you still have? :thumbsup:

#14 flyingowl (Topic Starter)

Posted 06 March 2009 - 04:19 AM

Hi,

My computer seems to be troubled by the 2 infected objects shown below:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.


Even though I could delete them (as it says), the same infection still seems to remain there for every scan after a reboot of the system.

Any idea what is going on?

#15 Guest_superbird_*

Posted 06 March 2009 - 01:17 PM

Hi,

Yes. One of your system files is infected, so MBAM can't repair it.
Go to Start > Control Panel. Double-click on "Add/Remove programs". In this list, delete: Windows XP Service Pack 3
Now, restart your computer.

Then, do a new full system scan with MBAM, and post that logfile in your next reply. :thumbsup:
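The signal superbird acted on in #15 is that MBAM reports the Winlogon\Userinit items as quarantined, yet every scan after a reboot shows them again. As an added example, not from the thread, here is a Python parser for the MBAM log layout and a comparison of two scans that lists the detections which come back after a reboot; the two logs are constructed and abridged from the thread's format, and the function names are my own.

```python
import re

# Constructed MBAM logs in the thread's format (abridged): a quick scan, then the
# next quick scan after rebooting, with the Winlogon\Userinit items back again.
SCAN_BEFORE_REBOOT = r'''Malwarebytes' Anti-Malware 1.34
05/03/2009 10:37:06

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
'''
SCAN_AFTER_REBOOT = r'''Malwarebytes' Anti-Malware 1.34
06/03/2009 09:02:11

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
'''

DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^)]+)\) -> (?P<detail>.+)$")

def parse_mbam_log(text):
    """Return {section: [(item, threat, data, action)]} from the per-section detection lines."""
    result, section = {}, None
    for line in text.splitlines():
        if line.endswith(" Infected:"):              # e.g. "Files Infected:"
            section = line[:-len(" Infected:")]
            result[section] = []
        elif section and (m := DETECTION.match(line)):
            *data, action = m.group("detail").split(" -> ")
            result[section].append((m.group("item"), m.group("threat"),
                                    " -> ".join(data), action.rstrip(".")))
    return result

def recurring_after_reboot(earlier, later):
    """Items MBAM reported quarantined in the earlier scan that are back in the later
    one. Recurrence across a reboot means something re-creates them, e.g. an infected
    system file that MBAM cannot repair (the thread's Userinit case)."""
    removed = {(sec, item, data) for sec, dets in earlier.items()
               for item, _threat, data, action in dets if action.startswith("Quarantined")}
    return [(sec, item, data) for sec, dets in later.items()
            for item, _threat, data, _action in dets if (sec, item, data) in removed]
```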
