Spyware threat wallpaper

Status
Not open for further replies.

onewinged_angel

Posts: 11   +0
So, this has probably been seen a thousand times on this forum, but no matter what I do, the problem persists. I've got the annoying wallpaper thing that says my computer is infected with spyware, I need to download everything out there in order to protect it, click here for full scan, yadda, yadda, yadda.

Since this first occurred, I have downloaded Spyware Doctor (which got rid of a ton of stuff, and fixed some of my problems, bless it.), as well as Malwarebytes' Anti-Malware, and the SmitfraudFix tool. This problem is supposedly called the Smitfraud virus, but when I followed the instructions to get rid of it, nothing changed. Also, every time I run a scan on Spyware Doctor since getting rid of a ton of Spyware, Adware, Trojans, etc., it finds and "deletes" the same old problems...

That's not to say that all of my problems are still here. Since downloading Spyware Doctor, there have been fewer bogus pop-up ads, no more random internet sites, the little triangle/exclamation point comes on occasionally instead of frequently, and it's been a while since the Abebot/TrojanDownloader has popped up. But, I really want this to be fully resolved and would appreciate it eternally for whatever help I can get!
 
Please confirm all these steps have been done with SmitfraudFix (that you have done)

Download Smitfraud Fix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Clean:

Reboot your computer in Safe Mode
(before the Windows icon appears, tap the F8 key continually)

Double-click SmitfraudFix.exe

Select 2 and hit Enter to delete infected files.

You will be prompted: Do you want to clean the registry ? answer Y (yes)
and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if you are infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:

To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
----------------------------------------------------

Additional Steps:

(Start > Run)
sc stop Messenger
sc config Messenger start= disabled

Restart

Then continue to Viruses/Spyware/Malware, preliminary removal instructions
 
Ok, I've done all of the Smitfraud steps as well as the preliminary removal instructions.

The Panda Antirootkit programme said that my system was clean of rootkits, and I have attached my Hijackthis log, my AVG log, and my DSS logs. As for my symptoms, they have basically remained the same: wallpaper hijack is still present as well as the yellow triangle/exclamation point messages, the so-called Security System Warnings, and the fake Spyware protection site.

Once again, help is forever appreciated.
 
Thank you onewinged_angel, I'm going to PM (private message) Blind Dragon or possibly Kritius (spyware specialists here at TechSpot) to ask them to have a look over your logs.

As a good option whilst waiting for a reply from them, you may want to run Kaspersky online scanner, referring to this post as a guide: https://www.techspot.com/vb/post600494-11.html

I will continue to watch this thread to gain further skills in analyzing these issues.
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\zqdavopg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKLM\..\Run: [rqjsfgri] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqjsfgri.dll"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [uucuoctw] C:\WINDOWS\system32\wfsxgxyp.exe
O4 - HKLM\..\Policies\Explorer\Run: [8lxwFUZU1x] C:\Documents and Settings\All Users\Application Data\orglqbgt\cfgryngb.exe

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Delete Files and Folders
  • Right-click on the Start button and choose Explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them (if still present)
C:\WINDOWS\system32\wmsdkns.exe<---------This File
C:\WINDOWS\zqdavopg.dll<---------This File
C:\WINDOWS\system32\wfsxgxyp.exe<---------This File
C:\Documents and Settings\All Users\Application Data\rqjsfgri.dll<---------This File
C:\Documents and Settings\All Users\Application Data\orglqbgt<---------This Folder

  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

ATF Cleaner

  • Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:

    • Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    If you use Firefox:

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    If you use Opera:

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\2020search2.dll
    C:\Program Files\zango
    C:\Program Files\180solutions
    C:\Program Files\180searchassistant
    C:\Program Files\180search assistant
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\system32\MSIXU.DLL
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\ntnut.exe
    C:\Program Files\Sysmnt
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\asferror32.dll
    C:\Documents and Settings\All Users\Application Data\orglqbgt
    C:\WINDOWS\zqdavopg.dll
    C:\WINDOWS\system32\wmsdkns.exe
    C:\WINDOWS\system32\000090.exe
    C:\WINDOWS\system32\000060.exe
    C:\WINDOWS\system32\000080.exe
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}\\C:\WINDOWS\zqdavopg.dll
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\uucuoctw
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run\\8lxwFUZU1x
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

You say you've downloaded Malwarebytes? Can you run it again and post the log that it produces?

Run HijackThis again and post a fresh log.
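The fix list above is built from three persistence indicators: a UserInit value with an extra program chained after userinit.exe, BHO registrations that are orphaned or point at a DLL outside Program Files, and Run-key entries whose targets sit in Temp or Application Data (or under the Policies\Explorer\Run key). As an added example that is not part of this thread or of HijackThis itself, the Python script below turns those same indicators into triage rules over HijackThis-style log lines. The sample lines are the entries quoted in this post plus two benign lines constructed for contrast; the "Example Vendor" BHO and its CLSID are placeholders.

```python
import re

# Constructed sample: the HijackThis entries the helper asked to fix in this
# thread, plus two benign lines (a placeholder BHO under Program Files and the
# Java update scheduler) added here for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\zqdavopg.dll
O2 - BHO: Example Vendor Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example Vendor\helper.dll
O4 - HKLM\..\Run: [rqjsfgri] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqjsfgri.dll"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Owner\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [uucuoctw] C:\WINDOWS\system32\wfsxgxyp.exe
O4 - HKLM\..\Policies\Explorer\Run: [8lxwFUZU1x] C:\Documents and Settings\All Users\Application Data\orglqbgt\cfgryngb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories where installed software normally does not keep its autostart binaries.
USER_DIRS = re.compile(r"\\(temp|application data|local settings)\\", re.IGNORECASE)


def check_userinit(value):
    """Winlogon runs every comma-separated item of UserInit at logon; only
    userinit.exe itself belongs there, so anything else is a persistence hook."""
    items = [p.strip() for p in value.split(",") if p.strip()]
    return [("F2", "extra program chained into UserInit", item)
            for item in items if not item.lower().endswith("\\userinit.exe")]


def check_bho(name, clsid, path):
    """A BHO is a DLL loaded into every Internet Explorer process."""
    path = path.strip()
    if path == "(no file)":
        return [("O2", "orphaned BHO registration (DLL already gone)", clsid)]
    if "\\program files\\" not in path.lower():
        return [("O2", "BHO DLL loaded from outside Program Files", path)]
    return []


def check_run_entry(key, name, cmd):
    """Run-key heuristics: unusual key, unusual location, unusual loader."""
    findings = []
    if "policies\\explorer\\run" in key.lower():
        findings.append(("O4", "autorun via the Policies\\Explorer\\Run key, a less-watched location", name))
    if USER_DIRS.search(cmd):
        findings.append(("O4", "autorun target lives in a Temp or Application Data directory", cmd))
    if re.match(r"(?i)^regsvr32(\.exe)?\s+/u\b", cmd):
        # regsvr32 /u still loads the DLL to call DllUnregisterServer, so the
        # DLL's code runs at every logon even though the entry looks like a removal.
        findings.append(("O4", "Run entry loads a DLL through regsvr32 at every logon", cmd))
    return findings


def triage(log_text):
    """Return (section, reason, evidence) tuples for every suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            findings.extend(check_userinit(m.group("value")))
            continue
        m = O2_RE.match(line)
        if m:
            findings.extend(check_bho(m.group("name"), m.group("clsid"), m.group("path")))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(check_run_entry(m.group("key"), m.group("name"), m.group("cmd")))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {evidence}")
```

Note what the path rules do not catch: the `uucuoctw` entry points at a randomly named executable inside system32, a trusted location, so it produces no finding. The helper flagged it from familiarity with what belongs in that directory; in practice that gap is closed with an allow-list of known system binaries or a hash lookup, not with more path patterns.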
 
In addition to the above instructions you also need to run:

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
Alright, so far the triangle thing and the pop-ups along with it have disappeared. Also, my Task Manager has resumed working. I still have the Spyware "wallpaper," my home page keeps changing, and at times, my computer is excruciatingly slow.

Below are my OTMoveIt2, Malwarebytes, and HijackThis logs.

I was unable to follow the SDFix program. I downloaded it and extracted the files, but when I double-clicked on RunThis.bat, it came up, but none of the options were related to typing "Y". They were mostly numbers, and it said in order to function properly it needed to be run in safe mode under the administrator. Since your instructions said nothing about this, I was unsure of what to do...
 
Looking better,

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [screenshot: Kas-SaveReport-1.gif]

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    [screenshot: Kas-Savetxt.gif]

  • Include the report in your next post.
 
@ kritius - combofix will automatically detect/delete that last one

@onewinged_angel - Did you have problems with Combofix?
 
To Blind Dragon - I was able to download it, but when I went to follow the instructions in the Preliminary Removal Instructions, no prompts or warnings came up, and there was nowhere to type "1" to begin the fix.
 
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
 
Ok, I tried to run Combofix again, but nothing happened. Besides the "Are you sure you want to run this program?" option, the only thing that came up was a window with a blue background that could be typed in, which quickly vanished. Otherwise, I got nada...
 
OK, 2 more questions, then we will give up on it.

1) Is it installed to your desktop and not a temp folder?
2) Are you logged on to an account with administrative privileges?
 
Combofix, it seems, is installed on my desktop as well as in a folder.
I believe I do have administrative privileges. When I right-click on start, the options "Open All Users" and "Explore All Users" are available. (Another site instructed me that that shows that I have Admin privileges.)
 
Completely disregard my last post. I decided to delete everything I had on Combofix, and then I downloaded it again to my desktop this time. It ran exactly as instructed.

Here is the log report:
 
Kaspersky says = C:\WINDOWS\default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped

Combofix says = Other Deletions = C:\WINDOWS\default.htm
------------------------------------------------------------------------------------

I will let kritius finish up with you as I didn't really go through all your logs
 
Alright, thanks for all your help. You're a lifesaver! Seriously.

In case anyone wants to know, my wallpaper is back. No more annoying Spyware message! YAY! The nightmare's almost over.
 
Kritius!

I know you're probably busy with other people, but I just wanted to make sure that you read my Combofix log and made sure that everything was fine. Blind Dragon said that he'd let you finish up with me.

Once again, thank you so much for everything.
 
Looks fine, just need to clean up

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.
* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it, then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
Okay... You're gonna think this is friggin ridiculous, but when I started my computer today, all of this crap that we had already deleted is back again. Yeah. Everything. wmsdkns.exe, 2020search.dll, etc. Wallpaper's back, and the triangle. It won't let me delete any of it (it comes right back even if I try), and wmsdkns.exe says it's write-protected and being used by another program. I know that's a load of crap... So, what are my options? I really don't want to go through this whole process again, seeing as I have school this week, but I also realize that I don't have much choice...

Oh, and it won't let me go back to my restore point, either...
 
Blind Dragon please hold off from replying for the moment (unless you're about to)

onewinged_angel can you please go to www.hitmanpro.com
Download the tool
Turn off your firewall, and even disable system restore
Also turn off any other resident protection program
And... turn off the screen saver from coming on

Then at last run the tool
During the process you will need to accept all
The Internet must be left on (who cares anyway, i.e. the machine is stuffed at the moment lol)

Allow it to automatically do its full scanning; downloading all that.

Once finished (about 3 Hrs later)
Please let me know if it worked (actually make sure too)
 