Spystorm infection: think I got it but want to make sure

By MilkmanAl
Jul 14, 2008
  1. I recently got a Spystorm infection and had the following (apparently typical) symptoms:

    1. Desktop pic changed to the 'Warning: Spyware threat has been detected on your PC' screen
    2. Frequent pop-ups from the task bar telling me various things are wrong, click here to download, etc.
    3. Task manager has been disabled
    4. Internet Explorer keeps opening with links to the aforementioned downloads

    I went through the 15 suggested steps (which were difficult given my lack of computer savvy), but most of the processes were being blocked. I got Malwarebytes to run and then SDFix suddenly decided to work. After going through the 15 steps a second time, I think I took care of the problem. All of the symptoms appear to be alleviated, but I want to make sure I'm in the clear.

    I've attached my MBAM, HJT, and ComboFix logs below as per the 15 suggestions list and can also post SDFix and SAS logs if necessary. Any help is greatly appreciated.
  2. MilkmanAl

    MilkmanAl TS Rookie Topic Starter

    Oops, I forgot to rename my HJT.exe. Here's a new log.
  3. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

  4. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Do you know the following entries? If not, please let me know.

    O2 - BHO: mysidesearch search enhancer - {1f0d9e47-516f-a811-edcc-2820437b9261} - C:\WINDOWS\system32\eukhavzounbi.dll

    O4 - HKLM\..\Run: [wanActivate] C:\Program Files\lenovo\ActivateWan\WanActivate.exe -check

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):


    After that, reboot, and post a new HijackThis log here in a reply.
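As an added illustration of the triage the helper is doing by hand above (example code written for this edit, not from the thread, from TechSpot or from HijackThis), here is a small Python classifier run over the log lines quoted in this post: entries marked "(no file)" or "(file missing)" are dead registry pointers that are safe to fix, a BHO loading its DLL straight from system32 is the pattern of the adware in this thread, and everything else is left for someone who knows the machine (the Lenovo entry is assumed to be OEM software, as the thread later confirms).

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: mysidesearch search enhancer - {1f0d9e47-516f-a811-edcc-2820437b9261} - C:\WINDOWS\system32\eukhavzounbi.dll
O4 - HKLM\..\Run: [wanActivate] C:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in .dll/.exe. Program Files paths contain spaces, so
# match lazily up to the extension rather than stopping at whitespace.
MODULE_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def classify(line):
    """Return (section, verdict, detail) for one HijackThis line, or None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if any(marker in body for marker in ORPHAN_MARKERS):
        # Registry points at a file that no longer exists: dead weight, safe to fix.
        return section, "orphaned", body
    path = MODULE_PATH.search(body)
    if section == "O2" and path:
        folder = path.group(0).rsplit("\\", 1)[0].lower()
        if folder.endswith("\\system32"):
            # Legitimate BHOs normally install under Program Files; a BHO whose
            # DLL was dropped into system32 is the adware pattern seen here.
            return section, "suspicious", path.group(0)
    # Anything else needs a human who knows the machine (OEM tools and the like).
    return section, "review", path.group(0) if path else body


def classify_log(text):
    """Classify every HijackThis line in a log, skipping non-matching lines."""
    return [r for r in (classify(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for section, verdict, detail in classify_log(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<10} {detail}")
```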
  5. MilkmanAl

    MilkmanAl TS Rookie Topic Starter

    I'm not familiar with that O4 - HKLM file, but I left it alone pending further instruction. It does appear in the most recent HJT scan. Thanks for your help!
  6. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    It looks better. Also, the entry below looks like it belongs to a ThinkPad. Do you have a ThinkPad or a Lenovo laptop?

    O4 - HKLM\..\Run: [wanActivate] C:\Program Files\lenovo\ActivateWan\WanActivate.exe -check
  7. MilkmanAl

    MilkmanAl TS Rookie Topic Starter

    Yep, I have a T61p.
  8. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    OK, then we can leave that alone.

    Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)


    If you are unable to run the ActiveX antivirus scanners, let's try this Java-based solution from Trend Micro.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now we need to create a new System Restore point.

    Click Start Menu > Run > type (or copy and paste)


    Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

    Next go to Start Menu > Run > type


    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

    To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

    After you do the steps above, how is your laptop running?
  9. MilkmanAl

    MilkmanAl TS Rookie Topic Starter

    Okay, that's all done. Below are the results of the TrendMicro scan - I couldn't get Kaspersky to work. I downloaded the indicated security updates for every noted vulnerability except for the MS06 thing which TrendMicro had no information about. Everything seems to be running smoothly at this point. Thanks again! :)

    Detected vulnerabilities
    Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
    Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)
    Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
    Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
  10. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    ok that's good to hear. If you have any problems just post back here
  11. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    One last thing: let's clean up all of the tools.

    Uninstall ComboFix
    • Click Start then Run
    • Now Type Combofix /u in the runbox
    • Make sure there's a space between Combofix & /u
    • Then hit Enter

    The above procedure will Delete the following:
    • ComboFix & its associated files & folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide system/hidden files, if required.
    • Set a new, clean Restore Point.


    OTCleanit! by Oldtimer

    • Download OTCleanIt
    • Click the CleanUp! button.
      (It will go through the list & remove all of the tools it finds and then delete itself.) Requires a reboot.