Spystorm infection: think I got it but want to make sure

Status
Not open for further replies.
I recently got a Spystorm infection and had the following (apparently typical) symptoms:

1. Desktop pic changed to the 'Warning: Spyware threat has been detected on your PC' screen
2. Frequent pop-ups from the task bar telling me various things are wrong, click here to download etc.
3. Task manager has been disabled
4. Internet Explorer keeps opening with links to the aforementioned downloads

I went through the 15 suggested steps (which were difficult given my lack of computer savvy), but most of the processes were being blocked. I got Malwarebytes to run and then SDFix suddenly decided to work. After going through the 15 steps a second time, I think I took care of the problem. All of the symptoms appear to be alleviated, but I want to make sure I'm in the clear.

I've attached my MBAM, HJT, and ComboFix logs below as per the 15 suggestions list and can also post SDFix and SAS logs if necessary. Any help is greatly appreciated.
 
Do you know the following entries? If not, please let me know.

O2 - BHO: mysidesearch search enhancer - {1f0d9e47-516f-a811-edcc-2820437b9261} - C:\WINDOWS\system32\eukhavzounbi.dll

O4 - HKLM\..\Run: [wanActivate] C:\Program Files\lenovo\ActivateWan\WanActivate.exe -check


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\eukhavzounbi.dll

After that, reboot and post a new HijackThis log here in a reply.
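A small parser for the HijackThis log-line format used in the entries above, added here as an example; it is not part of this thread or of HijackThis itself. The sample log is constructed from the lines quoted in this post, and the "BHO loaded from the Windows folder" rule is an assumed triage heuristic, not something the post states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: mysidesearch search enhancer - {1f0d9e47-516f-a811-edcc-2820437b9261} - C:\WINDOWS\system32\eukhavzounbi.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [wanActivate] C:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<detail>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class HjtEntry:
    section: str            # e.g. "O2" (BHO), "O4" (autorun), "O20" (Winlogon Notify)
    detail: str             # everything after the "O2 - " prefix
    clsid: Optional[str]    # GUID if the entry carries one
    file_missing: bool      # HijackThis printed "(no file)" or "(file missing)"

def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis log lines; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        detail = m.group("detail")
        guid = CLSID_RE.search(detail)
        missing = "(no file)" in detail or "(file missing)" in detail
        entries.append(HjtEntry(m.group("sec"), detail,
                                guid.group(0) if guid else None, missing))
    return entries

def orphaned(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Dead references (backing file gone): the entries a helper tells you to Fix Checked."""
    return [e for e in entries if e.file_missing]

def bhos_in_windows_dir(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Assumed triage rule: a BHO DLL loaded from the Windows folder rather than
    Program Files is unusual and should be identified before it is trusted."""
    return [e for e in entries
            if e.section == "O2" and not e.file_missing
            and "\\windows\\" in e.detail.lower()]
```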
 
I'm not familiar with that O4 - HKLM file, but I left it alone pending further instruction. It does appear in the most recent HJT scan. Thanks for your help!
 
It looks better. Also, the entry below looks like it belongs to a ThinkPad. Do you have a ThinkPad or a Lenovo laptop?

O4 - HKLM\..\Run: [wanActivate] C:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
 
OK, then we can leave that alone.

Please run an online virus scan at Kaspersky Online Scan (http://www.kaspersky.com/virusscanner) or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

+++++

If you are unable to run the ActiveX antivirus scanners, let's try this Java-based solution from Trend Micro.

---------------------------------------------------------------------------------------
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
-----------------------------------------------------------------------------------------------

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

After you do the steps above, how is your laptop running?
 
Okay, that's all done. Below are the results of the TrendMicro scan - I couldn't get Kaspersky to work. I downloaded the indicated security updates for every noted vulnerability except for the MS06 thing which TrendMicro had no information about. Everything seems to be running smoothly at this point. Thanks again! :)

Detected vulnerabilities
Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
MS06-056
Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
 
One last thing: let's clean up all of the tools.

Uninstall ComboFix
  • Click Start then Run
  • Now Type Combofix /u in the runbox
  • Make sure there's a space between Combofix & /u
  • Then hit Enter

The above procedure will Delete the following:
  • ComboFix & its associated files & folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide system/hidden files, if required.
  • Set a new, clean Restore Point.

------------------------------------------------------------------

OTCleanit! by Oldtimer

  • Download OTCleanIt
  • Click the CleanUp! button.
    (It will go through the list & remove all of the tools it finds and then delete itself, requiring a reboot.)
 