
TrojanSPM/LX


6 replies to this topic

#1 Coach64


Posted 09 January 2010 - 10:17 AM

First off, I am new here and found this site while searching for info about the virus I am dealing with. As I am sure you will be able to tell, I am a relative noob, and don't know much about this kind of thing. In the past, I have "plugged and chugged" my way through these kinds of issues until I found a fix, but this one is making me crazy. Thank you in advance for taking a look at this, and I appreciate any help you might be able to offer.

I have two computers, my personal laptop and my business laptop. This is dealing with the problem on the business laptop.

A box appears before desktop fully loads:
“Security Warning! Worm32.NetSky detected on your machine. This virus is distributed via the Internet through e-mail and Active-x objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data. Viruses and can damage your confidential data and work on your computer. Continue working in unprotected mode is very dangerous.
Type: Virus
System Affected: Windows 200, NT, ME, XP, Vista, 7
Security Risk (0-5): 5
Recommendations: It is necessary to perform a full system scan.”

Once the desktop finishes loading, the desktop image is a green background, black box containing the following text: “Your system is infected (red text)! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use this computer before all spyware removed (white text).”

In the System tray in the bottom right corner, there is a red icon with a white x, displaying the following in a dialog window: “Click here to protect your computer from spyware! Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.”

For the most part, I cannot access Internet Explorer. I can access control panel—though, at times, have not been able to do so. As soon as I realized I couldn't get online, I went to check the status of my networking card.

When I log into Safe Mode as Administrator, I get the same “Spyware Alert! Security Warning” box that I mentioned previously.
After having read your instructions to another poster encountering a very similar issue (“Don’t know the name of the virus”), I downloaded the following using links on BleepingComputer:
Malwarebytes Anti-Malware
Dr. Web CureIt
ATF Cleaner
SUPERAntiSpyware

Using my personal laptop, I downloaded the 4 programs, saved them to a thumb drive, and moved them to my business laptop. When using these programs, I encountered the following results:

Malwarebytes: Could not run the program—dialog box appears, saying “Missing Shortcut—Windows is searching for mbam.exe. To locate the file yourself, click Browse.” When I do so, the file is not present in the folder containing the program. It then offers to point to a similar file, “mbamservice.” Needless to say, I haven’t been able to run a scan with it yet.

Dr. Web CureIt: I select the Scan option as instructed, selecting it instead of the Update option, and a window pops up containing a second Dr. Web logo. My laptop then shuts down and reboots. This happens every time I try to run CureIt.

ATF Cleaner: Seemed to run fine. I used the “Select All” option and deleted everything listed under “Select Files To Delete.”

SUPERAntiSpyware: A dialog box appears when I try to install and run the program, saying “Windows Installer—The system administrator has set policies to prevent this installation.” I attempted renaming the file with random letters and numbers, but received the same message.

After finding the DDS utility in another thread, I connected to the Internet and downloaded it to the desktop of my business laptop so that I could produce the log files that I hope will help to get it operational again.
While visiting BleepingComputer to get DDS, I received the following dialog box: “Message from Webpage—Warning!!! Your personal computer needs to install antivirus software! Personal Secuity can perform fast and free scan of your computer.” Then, on top of that one, I also got this: “Warning—Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)” When I clicked the X in the corner of the dialog boxes, a “scan” of some sort began. Another box appeared, saying “Message from webpage—Harmful spyware or adware software. Such vulnerabilities can destroy or steal your private info and mail. On-lines scan should install Personal Security utilities to fix your pc. Please click OK to download and install Personal Security tool.” I quickly disconnected from the net at this point.

My initial response was to download DDS on my personal laptop and save it to a thumb drive to move to my business laptop, but I am afraid of contaminating them both--though I am guessing this has likely already happened. What should I do?

Again, thanks for reading--I appreciate any advice anyone might be able to offer!

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 OldGrumpyBastard


Posted 09 January 2010 - 10:44 AM

What you seem to have picked up is a rogue malware scam... Steps for removal of Personal Security can be found here:

http://www.bleepingcomputer.com/virus-remo...rsonal-security

As you will see it wants you to download and run MBAM...You may have to download it again...Pay close attention to directions about RKill (not shutting down...etc...).

It is quite possible that you may need more expert advice in removal and you can find it here:

http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Does this look like an OldGrumpyBastard or what?

#3 Coach64


Posted 09 January 2010 - 11:20 AM

Thanks Grumpy! I will try this today.

How worried should I be about passing the virus back and forth between my laptops on a thumb drive? I was going to download Malwarebytes and move it to the second computer, as I am not sure I can get online at all with it.

#4 longtooth


Posted 09 January 2010 - 11:26 AM

I wouldn't interchange pen drives until your virus is rid of!!

longtooth

#5 OldGrumpyBastard


Posted 09 January 2010 - 11:31 AM

There is always a slight risk when using flash drives but as I see it (if you can't access the internet with the infected computer) that may be your only option. I guess that under your circumstances I would try using the infected computer first... B4 the flash drive... As long as you don't open up the little red x in the system tray and run any of the scans or purchase the software you should be relatively safe to access the internet for downloading. I would limit my use to just downloading RKill and MBAM or posting in the link that I previously provided for assistance... (I personally wouldn't use this computer for any online purchases, banking, and the like until it is clean)...
Does this look like an OldGrumpyBastard or what?

#6 Coach64


Posted 10 January 2010 - 09:53 AM

Okay, after spending most of yesterday and last night on this, here is an update.

I cannot get rkill to run, no matter what I do. I ignore the pop up messages that claim it is a virus, restarting rkill after the machine has shut them down. At this point, with the dialog box still open, rkill will run for approximately 20 to 30 seconds before (assuming this is what happens) my desktop crashes and then comes back with the "Active Desktop Recovery" dialog onscreen. Needless to say, I haven't made it any farther than that.

As for MBAM, I am still having the same problem, that the virus seems to be deleting the .exe file that I need to make the program work before I can use it. To try and get around this, I loaded it and several other antivirus and anti-malware programs to a jump drive to transfer them to the infected laptop and try to run them from the drive. I opened the folder near the end of installation of the program, and I could see the file I needed. The only problem was that a second later, it was deleted. I have tried running it from a CD as well as the thumb drive, and this happens every time.

After talking with a family member who is more versed on this stuff than I am, I ran CCleaner, SpywareBlaster, Spybot Search and Destroy, and Avira Antivirus. CCleaner fixed some issues, and the system seemed to run better after use. Avira has deleted and removed numerous threats and malicious programs, but it keeps giving me error messages when I boot, asking what to do with 2 of the programs it seemingly can't get rid of. Have tried deleting repeatedly with no success, and am now just telling it to quarantine them. Spybot runs very well until it freezes up (maybe 1/4 of the way through a scan), and it identifies 7 issues that need repair/deletion--but I can't do anything with it, as the thing is frozen.

I have managed to get online since installing Mozilla, and will never EVER use IE again.

What should I do now? The red tray icon is still there, the "Your System Is Infected" image is still on my desktop. Functionality has improved a lot, but there are still these issues and the continuing popups about infections and needing antivirus.

Thanks again for your help--and your patience!!

#7 Coach64


Posted 10 January 2010 - 11:51 AM

I don't know if I managed to click on something accidentally or not, but some obviously fake virus scan started up a few minutes ago. I clicked the x to get out of it, and now I have an "Internet Security 2010" icon on my desktop, a dialog box in the bottom corner that keeps popping up saying "New database update is available" urging me to update now, and an Internet Security 2010 Security Alert box in the middle of the screen, claiming "Your computer is being attacked from a remote machine! Block internet access to your computer to prevent system infection. Attaker IP: 183.172.207.199. Attack type: lsass.exe.exploit" I can block or allow.

AHHHHHHHHHHHHHHHHH! This sucks!



