TechSpot

Red Biohazard wallpaper, "Error Cleaner/Privacy Protector" icons

By penkosey
Jun 26, 2008
  1. So my PC (Windows XP) got the red "biohazard" wallpaper ("YOUR PRIVACY IS IN DANGER! DOWNLOAD PRIVACY PROTECTION SOFTWARE NOW"), along with the new icons "Error Cleaner", "Privacy Protector", & "Spyware & Malware Protection".

    I get the window that says "Windows has detected an Internet attack attempt...someone's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from internet attacks, hijacking attempts, and spyware! Click here to download spyware remover for total protection."

    I've searched around and seen several posts regarding this malware. I may be a bit worse off, though, because I can't explore or run any programs! I tried inserting a disc of anti-spyware programs, and it wouldn't let me open/explore the disc. Not even in Safe Mode. The "Start" button at the bottom left of the screen is gone, and when I try to run anything, I get a message that says something like "Windows cannot find the .exe file"...

    That seemed to happen right after I ran KillBox and let it delete a file called "Spools.exe" that Ad-Aware found. Yes...my computer is really screwed up.

    I'm using a borrowed computer right now, and disconnected the other one from the internet. Since I can't run anything or explore on that computer, I'm not sure how I'm going to fix it, or run any kind of Hijack This log, etc.

    When I hit Ctrl/Alt/Del, my "Task Manager" button is greyed out. The time has changed to military time, like this: 6/10/2008 16:25: VIRUS ALERT! The time at the bottom right of my screen also says VIRUS ALERT.

    When this first happened, I did a search and tried to follow some instructions that said to download/run something called Smitfraud. I wonder if this was fake, because the SmitfraudFix.exe had a yellow Biohazard icon (like the red Biohazard wallpaper)...?

    Anyway, this is obviously a mess. I greatly appreciate any assistance with getting it fixed. Thanks!
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You do need to run smitfraudfix by S!ri option 2 from safe mode. I would prefer to see a hijackthis log first though to give more specific instructions.

    First let's see what we can do to at least get you some control back.

    1) Can you boot into last known good configuration

    2) You can download this with your borrowed computer, but make sure you install it to the infected computer's desktop.

    Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

    • Double-click FixPolicies.exe
    • Click the Install button on the bottom toolbar of the box that will open.
    • The program will create a new Folder called FixPolicies
    • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
    • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.

    -------------------------------------------------------------------------------------

    If you can get it to work, I need a hijackthis log

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.


    Let me know how you make out
     
  3. penkosey

    penkosey TS Rookie Topic Starter

    Thank you for your reply. I will try to do that and post the results.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    just attach the logs when done
     
  5. penkosey

    penkosey TS Rookie Topic Starter

    Well, here's what happened.

    I burned a disc of the things you mentioned. The infected computer would not let me access the CD (neither in Safe Mode nor normal mode). Interestingly, I noticed I could still access an external hard drive. So I went back to the borrowed computer, put the stuff on the external drive, and tried again.

    Unfortunately, I'm still not able to run any .exe. "Windows cannot find C/Windows/FixPolicies..." I tried running the Hijack This file with the same results.

    By the way, to even be able to use Safe Mode, I have to "trick" it. After Safe Mode boots up, I see all the Desktop icons for a minute, but then they all black out, and all I see are the "Safe Mode" words at the top + bottom of the screen. To even be able to use Safe Mode, I noticed I have to quickly click on any folder while it's loading...when the folder opens, the Desktop icons remain visible...then I have to use the folder window to do any searching or opening (since my "Start" button is gone).

    When using a folder window, I noticed (at the top of the window, where "File, Edit, View, Go, Help", etc, are) that those spyware icons added themselves to Favorites. So in any folder, under Favorites, it now says "Error Cleaner", "Privacy Protector", & "Spyware & Malware Protection". :rolleyes:

    Looking around the internet, I've seen mentions of running a .bat file or a "script" to fix the inability to run Explorer or an .exe file. But I have no idea how to do such a thing. I even saw something called XP Emergency Utilities...but again, it's an .exe file, which apparently I can't run right now. Hopefully we can figure this out...is there some missing component I can drag + drop? I read that malware often disables key Windows commands, so you have to replace + rename them so as not to be recognized by the malware.....? Ughh. :mad:
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Must have corrupted your registry.

    Question 1 - can you access regedit? hold windows key + R = type regedit

    if so...

    Navigate to
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]

    Right click the value
    Default

    Change the value to "%1" %*

    ----------------------------------------------------------------------

    If holding windows key + R opens the command prompt then you may also try typing explorer and hit enter to see if your desktop comes up
     
  7. penkosey

    penkosey TS Rookie Topic Starter

    When I held down the Windows key + R, "regedit" automatically came up.

    Unfortunately, I get the same message--when I click on it, it says "Windows cannot find..."

    Sorry...
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    see below, I was going to suggest booting to the recovery console, but I would need to walk you through that
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I have to leave in just a minute, so wanted to give you a better option but I won't be able to help you fix it tonight

    *Restart your computer, press F8 at the Windows XP Startup menu, and then select Safe Mode with Command Prompt.

    *At the command prompt, type regedit, and press ENTER.

    *HKEY_CLASSES_ROOT\exefile\shell\open\command

    If the above registry key is set to C:\recycled\sirc32.exe "%1" %*, your computer is infected with the W32/SirCam worm virus:

    This is what the value should be: "%1" %*

    -------------------------------------------------------------------------

    We need to know if this is the problem before treating it.

    If you find that it is indeed this infection, set the value of the registry to "%1" %*

    At a command prompt, type cd \, and then press ENTER.
    At a command prompt, type del /f /s /a sirc32.exe, and then press ENTER.
    At a command prompt, type del /f /s /a scam32.exe, and then press ENTER.
    At a command prompt, type shutdown -r, and then press ENTER.

    Upon reboot hopefully it won't be running and you can run a full virus scan.

    -----------------------------------------------------------------------------

    If you are not infected with this, or you can't access the registry still - this may be the only option -

    1. Boot from your XP installation CD.
    2. At the welcome screen, choose enter.
    3. Once at the license agreement, press F8.
    4. At the next screen, choose to repair the selected Windows XP installation by pressing R.
    5. The files will begin to install and then your PC will reboot. During the reboot you will be presented with option of booting from the CD again by pressing any key. Don't press anything. Allow it to finish the install without booting from the CD again.

    You shouldn't lose all your data but you will have to reinstall service packs/ updates from MS


    Either way let me know how you make out and I will help when I can
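
Added example, not part of any post in this thread: a check of the `shell\open\command` default value discussed above, run over the text of a `.reg` export instead of the live registry. The function names and the `WATCHED` list (which goes beyond the thread's `exefile` case to other handlers with the same stock value) are this example's assumptions, and the sample export is constructed.

```python
import re

# Stock default for handlers that launch the clicked file; list is this example's choice.
EXPECTED = '"%1" %*'
WATCHED = ("exefile", "comfile", "batfile", "cmdfile", "piffile")
# Matches any root (HKCR, HKLM\SOFTWARE\Classes, ...) ending in <progid>\shell\open\command
KEY_RE = re.compile(r"^\[.*\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def unescape(reg_string):
    """Undo .reg string escaping (backslash before a backslash or a quote)."""
    return re.sub(r"\\(.)", r"\1", reg_string)

def audit_open_commands(reg_text):
    """Return {progid: (default_value, is_stock)} for watched handlers in a .reg export."""
    findings, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            name = m.group(1).lower() if m else None
            current = name if name in WATCHED else None
            continue
        m = DEFAULT_RE.match(line) if current else None
        if m:
            value = unescape(m.group(1))
            findings[current] = (value, value == EXPECTED)
    return findings

def hijacked(reg_text):
    """Sorted handlers whose default open command differs from the stock value."""
    return sorted(p for p, (_, ok) in audit_open_commands(reg_text).items() if not ok)

# Constructed sample export; exefile carries the SirCam-style value quoted in the thread.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
'''

if __name__ == "__main__":
    for progid, (value, ok) in sorted(audit_open_commands(SAMPLE).items()):
        print(f"{progid:8} {'ok' if ok else 'MODIFIED':9} {value}")
```

Regedit's version 5.00 exports are UTF-16, so a real file should be read with `encoding="utf-16"` before its text is passed in.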
     
  10. penkosey

    penkosey TS Rookie Topic Starter

    No problem about tonight; I'll read over what you just said and try to do either/or. I'll post/check back here in the next day or two. Thanks!
     
  11. EEI

    EEI TS Rookie Posts: 47

    I had the same Red Biohazard screen come up. I got rid of that, but the "Error Cleaner", "Privacy Protector", & "Spyware & Malware Protection" keep popping up. Also, I know that it's a dummy task bar with the time etc. I'm a novice at computer cleanup so I need help.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This thread is for the use of the original poster.

    If you can please run a hijackthis scan for me to get started

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.


    Then start your own thread in our security section -> http://www.techspot.com/vb/menu28.html

    Thanks
     
  13. EEI

    EEI TS Rookie Posts: 47

    I got hit with the Red biohazard last night. I'm a novice at this clean up stuff.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Not a problem - just run the hijackthis program per my instructions above, then click the link and select New Thread to start your own thread instead of taking over somebody's existing thread
     
  15. EEI

    EEI TS Rookie Posts: 47

    I'm using another computer. I got the red screen off, but the fake task bar, etc is still there, and the short cut icons keep popping up. I can get to safe mode, but can't get into registry.
     
  16. EEI

    EEI TS Rookie Posts: 47

    Should I run it on the infected computer? I've not tried to get online since it happened
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You can download it with this computer and transfer it with a usb stick or any kind of external storage device.

    But please start your own thread this one is for somebody else, I will talk to you after you have started it - in this forum -> http://www.techspot.com/vb/menu28.html
     
  18. EEI

    EEI TS Rookie Posts: 47

    If I put the Hijackthis on a thumb drive from this computer, I'm not sure I can access it from the infected computer, when I try to open up My Computer, I don't see the Drives as before?
     
  19. penkosey

    penkosey TS Rookie Topic Starter

    I'm the original poster, and I'm checking back in. Sorry this is taking me a while; it's been difficult since I've had to borrow a computer. Thanks! I'm still on top of this...
     
  20. penkosey

    penkosey TS Rookie Topic Starter

    Man, this is really frustrating. I tried to run Safe Mode With Command Prompt, but my computer said I didn't have "administrative privileges" when I typed in "regedit".

    Also, when I've tried to run it in Safe mode, it shows all the normal desktop icons for a few seconds...then the screen turns black. It's all black except for the words "Safe Mode" in all 4 corners. There's nothing to see, at all...

    How annoying, to not be able to access the computer at all, to get the problem fixed...
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Your best bet at this point is to insert your windows disk, boot from that, and do a clean install - or do a repair install then attempt to clean it
     
  22. penkosey

    penkosey TS Rookie Topic Starter

    OK.

    I have a ton of important photos, documents on that computer that I don't want to lose. If I take the hard drive out to move the files to a different computer (or if by some chance, in Safe Mode, I can dump them onto an external hard drive)...am I going to give another computer that virus? I'm not sure how that works...hopefully moving some photos won't cause the virus to find its way to another computer, right?
     
  23. penkosey

    penkosey TS Rookie Topic Starter

    I'd like to save all the photos, etc, that are on that computer. So, could I take the C drive out, and install it as a secondary drive in a different computer? Then I could hopefully make backups of everything, before re-installing Windows?
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    yea you can do that - I am not going to guarantee that infection won't be transferred as well - I haven't seen logs of what you even have so it's impossible to say
     
Topic Status:
Not open for further replies.
