Spyware attack messed my desktop "Help"

By Candy_girl
Oct 24, 2006
Topic Status:
Not open for further replies.
  1. Hello!

    Last night I was downloading something off a file hosting site and I accidently clicked on an ad that popped up and then froze my computer, later I got an error message from my windows security centre (I used windows xp professional edition) said that "my computer is infected with a spyware "and that I have to click on that balloon so as to get rid of it! so it downloaded some program called "Bravesentry" that kept scanning my computer and got a result of like 65 infected objects in my registry! whenever I tried to get rid of it it kept opening again and again.

    Then I closed the connection and the computer and when I came back I found that my desktop wallpaper is gone and all I have is the background color only! I tried to open windows task manager so as to see what's going on it was gone!

    I paniced so I googled "How to fix the task manager" and it got me to this website that directed me to use the "group policy command via "Run" I got to finally understand what's going on , that the spyware disabled my desktop and my task manager so I enabled them again!

    Everything went back to normal but this came up;

    [​IMG]

    1- The Hightlights under the folder names , ironically that color is the color of the theme's background!

    2- I tried to go back to the "group policy thingy" but the damn luck I was in the elecricity went off so when it came back , I opened it , it gave me this error message in the pic above!

    My questions are;

    1- How do I get rid of that highlight?

    2- How to restore the group policy?

    3- After the attack my connection is kinda slow, do you think it has something to do with it? I mean could the spyware still be there? if so, how do I get rid of it?

    Knowing that I don't use a spyware porgram and my antivirus is AVG free edition!

    I'm very sorry for being long but I have no one to ask!

    Please respond asap.

    Thank you very much.
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I have moved this thread to our security and the web forum.

    Let`s make sure you have no nasties lurking on your system.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :)


    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Ok thank you very much!
  4. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    HJT and AVG results!

    I took screencaps of the virus vault of the remaining items after the full system scan, (I deleted the other infected trojans that were in the temp) I hope that's not bad!

    Another thing, my connection is sending and recieveing even when there's no browser open, I'm afraid the spyware is downloading somehting , that's why my connection slow?
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Threads merged. Please continue to post in this thread regarding this issue. Thanks.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (file missing)

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O2 - BHO: (no name) - {E761881D-B2C9-4E1C-ABC2-086FF039A286} - C:\WINDOWS\system32\htuitrs.dll (file missing)

    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (file missing)

    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html

    O8 - Extra context menu item: Copy to Semagic - C:\Documents and Settings\Administrator\My Documents\Semagic\copy.htm

    O8 - Extra context menu item: Semagic - C:\Documents and Settings\Administrator\My Documents\Semagic\link.htm

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll (file missing)

    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5189214E-73A7-4E83-8180-B159F95A4AEA}: NameServer = 163.121.128.134,212.103.160.18
    O17 - HKLM\System\CS2\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18
    O17 - HKLM\System\CS3\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18
    O17 - HKLM\System\CS4\Services\Tcpip\..\{12893023-8D4B-4200-8169-60420B34F7A1}: NameServer = 163.121.128.134,212.103.160.18

    Only fix the above 017 entries, if you don`t recognise the domain or they don`t belong to your ISP.

    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: htuitrs - htuitrs.dll (file missing)

    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\pkrjnb.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\pkrjnb.dll
    C:\WINDOWS\system32\rpcc.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG antispyware log. Let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    The numbers at the end of the the 017's are my tcp/IP numbers , shall i fix them?

    Also do i have to un the HIJ in safe mode?
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    If the 017 entries are from your ISP, don`t fix them.

    Apart from that, it`s very important you follow the instructions exactly, including booting into safe mode when asked.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Ok I did everything you said! I gotta say the connection is fast again! and there were no viruses detected in the AVG scan! :)

    Thank you soo much.

    But the stupid highlights under the filenames in the desktop is still there! I'm guessing something's still disabled or something regarding the desktop?

    Is there a command in the registry or something that could tell me if my desktop is running normal?

    Well that's it I guess , hopefully there will be nothing wrong in the log!

    Thank you soo much again for your help :)
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    Have HJT fix this inactive entry.

    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

    You still haven`t posted an AVG antispyware log. In fact you`ve not even installed or run it. Please do so.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  10. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Oh I totally forgot , here it is (attachment)

    As for the one entry that needs to be fixed, fix it in safe mode or normal?

    Thanx again :)
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That is not an AVG Antispyware log. It looks more like an AVG Antivirus log. Spot the difference lol.

    Have HJT fix that entry in normal mode. If I had wanted you to fix it in safe mode, I would`ve said :p

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Oh silly me I'm sorry I'm practically awake since yesteday so the concentration level is wayyy low! lol!

    Actually I don't have the spyware or is it somewhere that I'm not aware of?

    I deleted the unnecessary entry you told me too!

    Now do I have to run that antispyware thing or can it wait till tomorrow? also is my compiuter good to go now? I mean can I use the net and other programs?

    Thank you soo much for everything :)
  13. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The instructions for downloading/installing/running AVG Antispyware are in this thread HERE.

    If you`re tired, get some sleep and continue tomorrow. I`ll still be here lol.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  14. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Ok Mr. Howard I'll sleep now and tomorrow first thing in the morning I'll run it and get back to you ok?

    You take care and thank you a zillion!

    Bye bye.
  15. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Good morning Mr. Howard!

    I finally installed and runned AVG antispyware and this is what I got (attachments)

    1st one - is the registry alone scan.

    2nd - Full system scan reports.

    As for the captures they are the analysis of basically everything.

    Hopefully these results will fix my desktop :)

    Thank you very much!
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Go HERE and follow the instructions for removing Bravesentry.

    Once done, run the Ccleaner programme as per the instructions in this thread HERE.

    Then, post fresh HJT and AVG Antispyware logs.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  17. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Ok so I'm now running the spyhunter scan but after it's done shall i delete all what it detected?

    And as for the list of things to remove in that site regarding bravesentry where could I find those items?
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Spyhunter? Where did you get that from?

    The site I gave you the link for apparently has a downloadable removal tool for Bravesentry, use that.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  19. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Ah, I see. In that case, delete whatever it finds.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  21. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    Ah dammit! inorder to remove the infections I have to purchase the program!

    Shall I run CCleaner instead?

    Oh btw I didn't remove the items found from the earlier AVG antispyware scan, shall I now?
  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Bugger, in that case you need to follow the manual removal instructions.

    This is a relatively new infection and I`m currently researching to find an easier fix.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  23. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Try this tool HERE. Follow the instructions exactly.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  24. Candy_girl

    Candy_girl Newcomer, in training Topic Starter Posts: 54

    The manual way? ok! where do I find those extensions/dll's and such? in the registry? and once done that, I begin running that tool thing?
  25. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Try running the tool in my post above, if that doesn`t help, I`ll give you manual removal instructions.

    Regards Howard :)

    This thread is for the use of Candy_girl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.