Exclamation mark in system tray saying PC is infected with spyware

Status
Not open for further replies.

waggywheel

Hi All,

I'm facing one problem.

An exclamation mark appears in the system tray saying my PC is infected with spyware.

Also, when I tried to right-click on the taskbar, the Task Manager option is disabled.
I'm attaching the screenshots and HijackThis log report.

Also, I tried to run ComboFix, but it got closed and the exe file was deleted.

Please help ..

Thanks in Advance.
 
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log to your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file to your desktop from either of the two places listed below:

    HERE or HERE
  • Then double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Malwarebytes' Anti-Malware exec completed ...
I'm running ComboFix on the infected machine; it restarted the machine once and now it is still not responding ... it's been one hour since I ran ComboFix.

Shall I restart the machine? Please advise.
 
Never mind ComboFix; reboot and don't use it.

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Attach the main.txt and the extra.txt in your reply.
 
Scanning completed ...

To update you, I don't see that exclamation sign anymore ... also the "Task Manager" button is enabled.

I'm attaching the log for MBAM and for DSS.
 
Hi Kritius,

Since the symptoms are gone, is my system secure again?

There are a few things I observe ...
1. I'm not able to change the desktop background.
2. I don't see icons for many of my folders (when opened in Windows Explorer), and for the others the folder icon is not clear.

Have I missed any step?

Thanks ....
 
I'll post back later with results; I'm in work now and having to do this on my lunch.
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\Windows\epizgvon.dll
O4 - HKCU\..\Run: [dhzdfbio] C:\Windows\system32\pohwzkhc.exe
O4 - HKLM\..\Policies\Explorer\Run: [oxe7TmQmTn] C:\ProgramData\nifupode\xmnojutc.exe


  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\180search assistant
    C:\Program Files\180searchassistant
    C:\Program Files\180solutions
    C:\Users\All Users\nifupode
    C:\ProgramData\nifupode
    C:\Windows\uprjiefj
    C:\Users\All Users\pahazwfc.dll
    C:\Windows\system32\pohwzkhc.exe
    C:\Windows\system32\rqRLcyXq.dll 
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dhzdfbio
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\oxe7TmQmTn
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{826A5ED9-1316-4EFD-87F8-AA400C5D551A}
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post along with a fresh HijackThis log.
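The HijackThis entries and the OTMoveIt2 list in the post above name the same persistence points in two notations. The following is an added example, not part of the thread or of either tool: it parses the three quoted O2/O4 lines, expands HijackThis's `..` abbreviation into the full registry path, and reports which items the removal list does not mention. The function names are hypothetical, and the `key\\value` form simply follows the notation used in the post's code box.

```python
import re

# Constructed sample: the three HijackThis entries quoted in the post above.
HJT_LINES = [
    r"O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\Windows\epizgvon.dll",
    r"O4 - HKCU\..\Run: [dhzdfbio] C:\Windows\system32\pohwzkhc.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [oxe7TmQmTn] C:\ProgramData\nifupode\xmnojutc.exe",
]
# Constructed sample: four lines copied from the post's OTMoveIt2 code box.
REMOVAL_LIST = [
    r"C:\ProgramData\nifupode",
    r"C:\Windows\system32\pohwzkhc.exe",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dhzdfbio",
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\oxe7TmQmTn",
]
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
CURVER = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<sub>[^:]+): \[(?P<value>[^\]]*)\] (?P<path>.+)$")

def parse_entry(line):
    """Return (mechanism, registry location, file path), or None if unrecognised."""
    line = line.strip()
    m = O2.match(line)
    if m:
        # Browser Helper Objects are registered per CLSID under this HKLM key.
        key = "%s\\%s\\Explorer\\Browser Helper Objects\\%s" % (HIVES["HKLM"], CURVER, m["clsid"])
        return ("browser helper object", key, m["path"])
    m = O4.match(line)
    if m:
        # HijackThis abbreviates \Software\Microsoft\Windows\CurrentVersion as "..".
        key = "%s\\%s\\%s\\\\%s" % (HIVES[m["hive"]], CURVER, m["sub"], m["value"])
        return ("autostart value", key, m["path"])
    return None

def in_list(item, removal_list):
    """True if the item, or a parent folder of it, is listed (case-insensitive)."""
    item = item.lower()
    entries = [e.strip().lower() for e in removal_list]
    return any(item == e or item.startswith(e + "\\") for e in entries)

def uncovered(lines, removal_list):
    """Registry locations and files from recognised entries that the list omits."""
    missing = []
    for line in lines:
        entry = parse_entry(line)
        if entry:
            missing += [x for x in entry[1:] if not in_list(x, removal_list)]
    return missing
```

For the sample data, `uncovered(HJT_LINES, REMOVAL_LIST)` returns the BHO registry key and `C:\Windows\epizgvon.dll`, the two items that only the HijackThis step addresses.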
 
I ran HJT and fixed those 3 entries, but OTMoveIt2 has been running for the last half hour and it's stuck at "C:\Users\All Users\pahazwfc.dll".
 