TechSpot

Malware/Spyware - Can't remove and can't run removal programs

By Combat Yeoman
Dec 31, 2008
  1. I've got what I believe to be malware/spyware on my computer and can't seem to figure out how to get rid of it. It's taken over my desktop, turned it black, and has a message Warning Dangerous Spyware. I also have a pop-up stating Warning! Security report in the lower right hand corner.

    I've run McAfee virus scan (nothing found) and done a quick windows update (no luck).

    I have Malwarebytes' Anti-Malware and I was able to run it initially and it found nothing; however, I saw it hadn't been updated since Sep 08, so I then attempted to download the updated version. I am unable to successfully install or run it now. I get numerous application error window pop-ups that state "exception EInvalidop in module MBAM-Setu-.tmp ..." and a pop-up stating Invalid Floating point operation. Basically, I'm unable to execute the 8 recommended steps to prevent malware/spyware. Heck, when I try to get into "my computer" to get to my files to try and change the name of malware, I get an IE webpage system warning.

    Also while at techspot I received this warning while poking around "ERROR! Connection was RESET by remote server.
    This can be a reason for system faults, errors or critical data corruption. To prevent your critical data loss please do the full system scaning!"


    Now I'm also getting a window stating MSKDetct.exe has encountered a problem and needs to close, prompting me to either debug or close.

    I've also tried to download and install super-anti spyware and spybot. I can download them but not run them (invalid floating point operation).

    I'm not sure what to attempt to do from here. Any advice is greatly appreciated.
     
  2. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    MSKDetct.exe McAfee spamkiller ;( spyware has beat McAfee maybe ;)

    thinking on this
     
  3. brucethetech

    brucethetech TS Enthusiast Posts: 229

    That popup is from McAfee. You definitely are infected and the infection is making your programs misbehave since they are tying up resources/files that your legitimate programs need access to to run properly. I am not a fan of McAfee. There are several other free AV programs out there that I would use instead of that.
     
  4. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    download SMITFRAUDFIX

    When you save it to your desktop, rename it to SMITFRAUDFIX.TXT; the reason for this is McAfee intrusion prevention will want to delete it.
    Once on your desktop, rename it back to SMITFRAUDFIX.EXE

    OK since you are hindered BOOT in the safe mode but without a network connection.
    run it and select 2

    Right Click on MyComputer icon and go to properties
    Turn Off system restore
    open IE and go to TOOLS OPTIONS delete temporary internet files and cookies
    do a disk cleanup in your Start/accessories/system tools/ Menu

    After the reboot
    download Malwarebytes www.malwarebytes.org and install
    run HijackThis and Malwarebytes at the same time
    select any files and/or keys in the attachment I posted in HijackThis, but on both Malwarebytes and HijackThis click fix at the same time.
    then reboot immediately.
    if you forget to turn off system restore it will return no matter

    reboot once complete, run HijackThis and post your log here again
     
  5. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    Sadly we bought and paid for McAfee so we will let our subscription run out. But yes, I've had a couple of free AV programs recommended and will definitely be going that route. Thanks.
     
  6. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    I was able to do all the steps to the reboot. Once I rebooted, my desktop continued to have the "warning" background and I immediately got a window pop-up stating "invalid Floating Point Operation". When I tried to download Malwarebytes and then select run, I get the "invalid floating point operation" pop-up and it prevents me from continuing with the install.
    I verified that system restore is turned off. I'm not sure what the next option is?
    Attached is my current HijackThis log:
     
  7. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    Uggh. I need to have over 5 posts to list the rest of the log...
     
  8. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    no URLs or images for those with under 5 posts...
     
  9. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    self-delete
     
  10. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Don't paste it in your post; go to Advanced and attach it.
    This does not seem to be a trojan issue but a software issue at this point.
    Go to ADD REMOVE Programs in the control panel and remove things you don't use or need.

    Then run HijackThis and CHECK ALL matching keys before clicking fix
    to try and clean up this system
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

    O4 - Global Startup: Digital Line Detect.lnk = ?
    O10 - Unknown file in Winsock LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
    O10 - Unknown file in Winsock LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) -
     
  11. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    I've removed some unused programs and re-ran HijackThis (file attached). Still no luck.

    Couple of other things that are happening. When I open, or rather try and open, programs like Malwarebytes or Ad-Aware to run them, a webpage opens for real-antivirus. When I click on my computer the same webpage opens, and it re-happens each time I open a folder in my computer, so I end up with multiple webpages open to a real-antivirus ad.

    I also cannot manipulate my desktop theme. It's locked to the warning message, and the my documents file continually is forced open when I do various things.

    I'm really at a loss here...
     
  12. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    Here and looking at it
     
  13. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    I really appreciate it.

    I just verified it's affecting all 4 users on the computer. So it's not isolated to me.

    Thanks and let me know if there is any additional info I can provide that will help.

    Here's a screen shot from earlier in the day showing the variety of messages I'm getting
     
  14. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    are you checking the Google keys?
     
  15. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    run HijackThis and check these keys


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

    O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16

    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

    O10 - Unknown file in Winsock LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
    O10 - Unknown file in Winsock LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll

    O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
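
Picking out the entries worth a second look in a log like the one above can be scripted. This is an added example, not part of the original thread and not HijackThis's own logic: the rule set and the `triage` function are assumptions made here, and the sample lines are copied from the logs quoted in the thread. A match means "review this entry", not "this entry is malicious".

```python
import re

# Sample entries copied from the HijackThis logs quoted in this thread
# (the O10 line appears twice there, as it does here).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\mom\locals~1\temp\ntdll64.dll
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
"""

# "<section code> - <rest of entry>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Review heuristics assumed for this example: (label, predicate(section, lowercased body)).
RULES = [
    ("loopback proxy",
     lambda s, b: s.startswith("R") and "proxyserver" in b
     and re.search(r"127\.0\.0\.1|localhost", b)),
    ("unknown Winsock LSP", lambda s, b: s == "O10" and "unknown file" in b),
    ("runs from temp directory", lambda s, b: re.search(r"\\temp\\", b)),
    ("target file absent",
     lambda s, b: b.endswith("(no file)") or b.endswith("(file missing)")),
]

def triage(log_text):
    """Return [(section, [labels], entry)] for entries matching a rule, deduplicated."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        entry = line.strip()
        if not m or entry in seen:
            continue  # skip blank/non-entry lines and repeated entries
        seen.add(entry)
        section, body = m.group(1), m.group(2).lower()
        labels = [name for name, rule in RULES if rule(section, body)]
        if labels:
            findings.append((section, labels, entry))
    return findings

if __name__ == "__main__":
    for section, labels, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {', '.join(labels)}: {entry}")
```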
     
  16. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

  17. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    Checked them, ran the fix and rebooted.
    File attached.
     
  18. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    I ran it and it said no problems found...
     
  19. Combat Yeoman

    Combat Yeoman TS Rookie Topic Starter

    I was able to run malwarebytes and superantispyware in safe mode and that "seems" to have cleaned things up. Thanks for the help.
     
  20. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 151

    try running HijackThis and post the log to be sure
     
Topic Status:
Not open for further replies.
