Spyware attack messed my desktop "Help"

[Candy_girl]

Hello!

Last night I was downloading something off a file hosting site and I accidently clicked on an ad that popped up and then froze my computer, later I got an error message from my windows security centre (I used windows xp professional edition) said that "my computer is infected with a spyware "and that I have to click on that balloon so as to get rid of it! so it downloaded some program called "Bravesentry" that kept scanning my computer and got a result of like 65 infected objects in my registry! whenever I tried to get rid of it it kept opening again and again.

Then I closed the connection and the computer and when I came back I found that my desktop wallpaper is gone and all I have is the background color only! I tried to open windows task manager so as to see what's going on it was gone!

I paniced so I googled "How to fix the task manager" and it got me to this website that directed me to use the "group policy command via "Run" I got to finally understand what's going on , that the spyware disabled my desktop and my task manager so I enabled them again!

Everything went back to normal but this came up;

1- The Hightlights under the folder names , ironically that color is the color of the theme's background!

2- I tried to go back to the "group policy thingy" but the damn luck I was in the elecricity went off so when it came back , I opened it , it gave me this error message in the pic above!

My questions are;

1- How do I get rid of that highlight?

2- How to restore the group policy?

3- After the attack my connection is kinda slow, do you think it has something to do with it? I mean could the spyware still be there? if so, how do I get rid of it?

Knowing that I don't use a spyware porgram and my antivirus is AVG free edition!

I'm very sorry for being long but I have no one to ask!

Please respond asap.

Thank you very much.

 

[howard_hopkinso]

I have moved this thread to our security and the web forum.

Let`s make sure you have no nasties lurking on your system.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard


This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Ok thank you very much!

 

[Candy_girl]

HJT and AVG results!

I took screencaps of the virus vault of the remaining items after the full system scan, (I deleted the other infected trojans that were in the temp) I hope that's not bad!

Another thing, my connection is sending and recieveing even when there's no browser open, I'm afraid the spyware is downloading somehting , that's why my connection slow?

 

[howard_hopkinso]

Threads merged. Please continue to post in this thread regarding this issue. Thanks.

Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (file missing)

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: (no name) - {E761881D-B2C9-4E1C-ABC2-086FF039A286} - C:\WINDOWS\system32\htuitrs.dll (file missing)

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (file missing)

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

O8 - Extra context menu item: Copy to Semagic - C:\Documents and Settings\Administrator\My Documents\Semagic\copy.htm

O8 - Extra context menu item: Semagic - C:\Documents and Settings\Administrator\My Documents\Semagic\link.htm

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (file missing)

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{5189214E-73A7-4E83-8180-B159F95A4AEA}: NameServer = 163.121.128.134,212.103.160.18
O17 - HKLM\System\CS2\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18
O17 - HKLM\System\CS3\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18
O17 - HKLM\System\CS4\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18

Only fix the above 017 entries, if you don`t recognise the domain or they don`t belong to your ISP.

O20 - AppInit_DLLs:

O20 - Winlogon Notify: htuitrs - htuitrs.dll (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\pkrjnb.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\pkrjnb.dll
C:\WINDOWS\system32\rpcc.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log as well as an AVG antispyware log. Let me know how your system is running.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

The numbers at the end of the the 017's are my tcp/IP numbers , shall i fix them?

Also do i have to un the HIJ in safe mode?

 

[howard_hopkinso]

If the 017 entries are from your ISP, don`t fix them.

Apart from that, it`s very important you follow the instructions exactly, including booting into safe mode when asked.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Ok I did everything you said! I gotta say the connection is fast again! and there were no viruses detected in the AVG scan!

Thank you soo much.

But the stupid highlights under the filenames in the desktop is still there! I'm guessing something's still disabled or something regarding the desktop?

Is there a command in the registry or something that could tell me if my desktop is running normal?

Well that's it I guess , hopefully there will be nothing wrong in the log!

Thank you soo much again for your help

 

[howard_hopkinso]

Your HJT log is clean.

Have HJT fix this inactive entry.

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

You still haven`t posted an AVG antispyware log. In fact you`ve not even installed or run it. Please do so.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Oh I totally forgot , here it is (attachment)

As for the one entry that needs to be fixed, fix it in safe mode or normal?

Thanx again

 

[howard_hopkinso]

That is not an AVG Antispyware log. It looks more like an AVG Antivirus log. Spot the difference lol.

Have HJT fix that entry in normal mode. If I had wanted you to fix it in safe mode, I would`ve said

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Oh silly me I'm sorry I'm practically awake since yesteday so the concentration level is wayyy low! lol!

Actually I don't have the spyware or is it somewhere that I'm not aware of?

I deleted the unnecessary entry you told me too!

Now do I have to run that antispyware thing or can it wait till tomorrow? also is my compiuter good to go now? I mean can I use the net and other programs?

Thank you soo much for everything

 

[howard_hopkinso]

The instructions for downloading/installing/running AVG Antispyware are in this thread HERE.

If you`re tired, get some sleep and continue tomorrow. I`ll still be here lol.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Ok Mr. Howard I'll sleep now and tomorrow first thing in the morning I'll run it and get back to you ok?

You take care and thank you a zillion!

Bye bye.

 

[Candy_girl]

Good morning Mr. Howard!

I finally installed and runned AVG antispyware and this is what I got (attachments)

1st one - is the registry alone scan.

2nd - Full system scan reports.

As for the captures they are the analysis of basically everything.

Hopefully these results will fix my desktop

Thank you very much!

 

[howard_hopkinso]

Go HERE and follow the instructions for removing Bravesentry.

Once done, run the Ccleaner programme as per the instructions in this thread HERE.

Then, post fresh HJT and AVG Antispyware logs.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Ok so I'm now running the spyhunter scan but after it's done shall i delete all what it detected?

And as for the list of things to remove in that site regarding bravesentry where could I find those items?

 

[howard_hopkinso]

Spyhunter? Where did you get that from?

The site I gave you the link for apparently has a downloadable removal tool for Bravesentry, use that.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Yes I know I downloaded this http://www.spywareremove.com/SpywareScanner98673p2s2.exe and when I installed it , apparently its name is spyhunter!

 

[howard_hopkinso]

Ah, I see. In that case, delete whatever it finds.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

Ah dammit! inorder to remove the infections I have to purchase the program!

Shall I run CCleaner instead?

Oh btw I didn't remove the items found from the earlier AVG antispyware scan, shall I now?

 

[howard_hopkinso]

Bugger, in that case you need to follow the manual removal instructions.

This is a relatively new infection and I`m currently researching to find an easier fix.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[howard_hopkinso]

Try this tool HERE. Follow the instructions exactly.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Candy_girl]

The manual way? ok! where do I find those extensions/dll's and such? in the registry? and once done that, I begin running that tool thing?

 

[howard_hopkinso]

Try running the tool in my post above, if that doesn`t help, I`ll give you manual removal instructions.

Regards Howard

This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.