
Virus? strange computer happenings



#1 Penlord

Posted 02 December 2009 - 11:25 PM

OS: Windows XP

The desktop is all one random color which changes depending on when it's started up, and in the middle it reads:
"YOUR SYSTEM IS INFECTED!

System has been stopped due to a serious malfunction.
Spyware activity has been detected.

It is recommended to use spyware removal tool to prevent data loss.
Do not use the computer before all spyware removed."

This came after my Symantec Internet Security system asked me for permission for a program "Winupdate86" to get access to the internet. My response was Block All Access; then the computer changed, as well as my desktop. My browser began constantly opening a tab to a random web address that I did not select, and when I click on a Google link it may sometimes send me to an entirely unrelated web page to the one I intended to go to by clicking on it.

I looked closely at my computer files and removed some stuff, but installed in my Windows\System32 folder were a few malicious-looking things:
-Critical_warning (the XML file that is placed over my desktop so that I cannot change it)
-GEARSec application (a non-Windows file in the Windows folder. Every time I delete it, it comes back immediately. It came with its own DLL, which I deleted also, and it doesn't seem to have reappeared with the application. It's a process that's constantly running in my HijackThis task manager, but I cannot physically remove it from the System32 folder; this is the response I get:
Error Deleting File or Folder

Cannot delete gearsec: Access is denied.

Make sure the disk is not full or write-protected
and that the file is not currently in use.
)
-winupdater86
-winlogon86

and a couple of other things related to Windows, updating, logons, and the number 86, that I removed, which were created in the Windows folder on the day that the virus was received.

To note, HijackThis revealed two malicious-looking things in the scan, which I managed to remove by removing the files in System32 that they accessed. These were specifically:

F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe

"Worm.Win32.NetSky" was what the virus told me that my computer had when I started it, but when I managed to remove the WinLogon86.exe application, all of the ad notices stopped.

I am quite positive that I attained spyware and adware, and due to not being top dog with computers (no classes, all self taught) I am at a bit of a disadvantage in my efforts.

Suggestions on how to remove entirely everything that was conceived?

Further issues:
-Laptop computer unable to hibernate, or start in safe mode (instead of safe mode, the computer presents a blue screen with two characters at the top left of the screen: ` ¬)
-Unable to change the desktop background in Right Click->Properties->Desktop tab
-Unable to access Task Manager (on admin account, but says "Task Manager has been disabled by your administrator.")

I would like all of these problems to cease as soon as possible. So, if you can help me fix it, great, if you can help me identify the virus that I have, great, if you're in the same predicament, feel free to tune in.

Thanks everyone.

Edited by Penlord, 02 December 2009 - 11:35 PM.
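A defender-side check for the two F2 entries quoted in the post above, added here as an example (it is not code from the post, from HijackThis, or from BleepingComputer): it parses HijackThis-style F2 lines and flags any Shell or UserInit entry beyond the stock Windows XP defaults. It assumes Windows is installed at C:\WINDOWS, as the log shows, and the sample log lines are constructed.

```python
import re

# Stock Winlogon values on a default Windows XP install (assumption: Windows
# lives at C:\WINDOWS; adjust EXPECTED if the Windows directory differs).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# HijackThis reports the Winlogon Shell/UserInit values as F2 lines.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)


def parse_f2(line):
    """Return (key, [entries]) for an F2 line, or None for anything else."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2).strip()
    # Shell lists extra programs separated by spaces; UserInit uses commas
    # (a trailing comma on UserInit is normal and is ignored here).
    sep = " " if key == "shell" else ","
    entries = [e.strip().lower() for e in value.split(sep) if e.strip()]
    return key, entries


def suspicious_entries(line):
    """Return (key, [entries not in the expected set]) or None."""
    parsed = parse_f2(line)
    if parsed is None:
        return None
    key, entries = parsed
    extras = [e for e in entries if e not in EXPECTED[key]]
    return (key, extras) if extras else None


def scan(log):
    """Walk a log and list (key, unexpected_entry) findings in order."""
    findings = []
    for line in log.splitlines():
        hit = suspicious_entries(line)
        if hit:
            findings.extend((hit[0], extra) for extra in hit[1])
    return findings


# Constructed sample: the two lines from the post plus two clean defaults.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""
```

Running `scan(SAMPLE_LOG)` flags only `logon.exe` under Shell and `winlogon86.exe` under UserInit; the two default lines produce nothing.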


#2 garmanma


Posted 03 December 2009 - 03:55 PM

You have a log posted in HJT, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.


To avoid confusion, I am closing this topic.
Mark



