Spyware

By op4dc
Mar 22, 2008
  1. I got a blue background screen that says:

    Warning: Spyware Threat Has Been Detected on your PC!

    it creates random popups of webpages to buy antispyware software.
    it messages my buddies on AIM about random things to do to protect them
    it creates popups telling me I've been infected
    etc. etc.

    it has a link on my desktop background as well

    i ran HijackThis and have attached the results. plz help me asap!

    i have to do a million assignments for school

    thank you!!!
     
  2. op4dc

    op4dc TS Rookie Topic Starter

    bump (10 chars)
     
  3. op4dc

    op4dc TS Rookie Topic Starter

    AHHH!!! can anyone help me?
     
  4. grayline

    grayline TS Rookie

    Hi, I have the new Update Virus running in the background of my XP Pro!
    it's so wonderful: it runs in the background, slows everything down and also hijacks all of my internet requests.
    Anyone with this great addition that wants to get rid of it, or anyone want mine?
    Thanx
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Hi op4dc, :wave:

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments:

    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.

    Good luck and welcome to techspot.

    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. op4dc

    op4dc TS Rookie Topic Starter

    thanks a lot krit. I'll be glad the second this crap is gone.

    antirootkit found nothing.
     
  7. kritius

    kritius TS Guru Posts: 2,084

    This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer.

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended" tab.
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    --------------------------------------------------------------------------------------------------------

    Step <insert number>: Remove HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
      O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
      O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
      O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
      O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
      O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
      O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
      O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
      O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
      O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
      O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
      O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
      O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
      O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
      O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
      O8 - Extra context menu item: Quick &Search (Yisou.com) - res://C:\Program Files\YiSou\yisou.dll/232
      O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Reboot.

    Upload a File to Jotti
    Please visit http://virusscan.jotti.org/

    Copy/paste this file and path into the white box at the top:
    Press Submit - this will submit the file for testing.
    Please wait for all the scanners to finish then post the results in your next response.

    Run HijackThis and select do system scan and save a logfile, attach it here when done.

    In your next reply you should have,
    • Results of Jotti scan
    • New HijackThis scan


    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
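The entries kritius lists above all follow HijackThis's fixed line format (section code, kind, display name, optional {CLSID}, then the file that backs the hook). As an added example, not code from the thread or from HijackThis itself, this Python parser pulls those fields out and builds the list of lines to tick: every entry HJT reports as "(no file)" is an orphaned registration, and the Yisou entry is picked up through an assumed FLAGGED_FILES set. The sample log is constructed from three lines on the page plus one made-up benign BHO with a placeholder CLSID.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three lines quoted from this thread's fix list plus one made-up benign BHO (placeholder CLSID).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O8 - Extra context menu item: Quick &Search (Yisou.com) - res://C:\\Program Files\\YiSou\\yisou.dll/232
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Section code, kind, display name, optional {CLSID}, then the backing file or URL.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*?) - (?:\{([0-9A-Fa-f-]{36})\} - )?(.*)$")
# Assumed list: file names the helper in this thread told the user to fix.
FLAGGED_FILES = {"yisou.dll"}

@dataclass
class Entry:
    section: str   # O2 = BHO, O8 = IE context menu item, O9 = IE toolbar button
    kind: str
    name: str
    clsid: Optional[str]
    target: str    # file path, res:// URL, or "(no file)"
    raw: str

def parse_hjt(text: str) -> list:
    """Parse O2/O8/O9-style HijackThis lines; lines in other formats are skipped."""
    entries = []
    for raw in (line.strip() for line in text.splitlines()):
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(*m.groups(), raw))
    return entries

def target_file(target: str) -> Optional[str]:
    """Base file name behind an entry, or None when HJT reports (no file)."""
    if target == "(no file)":
        return None
    if target.startswith("res://"):          # res://<dll path>/<resource id>
        target = target[6:].rsplit("/", 1)[0]
    return target.rsplit("\\", 1)[-1].lower()

def is_orphan(e: Entry) -> bool:
    # A registered hook whose DLL is gone: it cannot run, but it clutters IE and hides real changes.
    return e.target == "(no file)"

def fix_list(entries: list) -> list:
    """Lines to tick in HJT: every orphan plus any entry backed by a flagged file."""
    return [e.raw for e in entries if is_orphan(e) or target_file(e.target) in FLAGGED_FILES]
```

Entries with a real backing file that is not in FLAGGED_FILES are left for the analyst to review rather than removed automatically.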
     
  8. op4dc

    op4dc TS Rookie Topic Starter

    hey id really like to get rid of the viewpoint foistware, but my task manager has been "disabled by the administrator". could be a side effect of the virus? how could i get about this?
     
  9. op4dc

    op4dc TS Rookie Topic Starter

    also, the Jotti upload server is too busy and cannot let me upload the file.

    is there another one i can use?
     
  10. kritius

    kritius TS Guru Posts: 2,084

    Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

    • Double-click FixPolicies.exe
    • Click the Install button on the bottom toolbar of the box that will open.
    • The program will create a new Folder called FixPolicies
    • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
    • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.

    -------------------------------------------------------------------------------------------------------------

    Upload a File to Virustotal
    Please visit Virustotal

    Copy/paste this file and path into the white box at the top:
    Press Submit - this will submit the file for testing.
    Please wait for all the scanners to finish then copy and paste the results in your next response.


    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. op4dc

    op4dc TS Rookie Topic Starter

    ok i managed to upload the file on Jotti and attached the results

    i ran the fixpolicies program and i can get in control panel, but i still cannot use task manager, the same error appears.

    i also attached my hijackthis log
     
  12. op4dc

    op4dc TS Rookie Topic Starter

    also, yesterday when i had to unhide my hidden files to do a scan in safe mode, i set it back, but it keeps reverting back to the unhidden state...

    i keep setting it back to the defaults, but it keeps unhiding stuff..T_T
     
  13. kritius

    kritius TS Guru Posts: 2,084

    DELETE FILES ON REBOOT
    • Start Hijackthis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the button labeled Delete a file on reboot...
      A new window will open asking you to select the file that you would like to delete on reboot.
    • Navigate to this file and click on it once, and then click on the Open button.
    • You will now be asked if you would like to reboot your computer to delete the file.
    • Click on the Yes button if you would like to reboot now.

    I'll look over your HJT log now.

    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. op4dc

    op4dc TS Rookie Topic Starter

    done, deleted.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Can you post a fresh log with that deleted and let me review it instead?

    I'll post back in a few hours with the results.


    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. op4dc

    op4dc TS Rookie Topic Starter

    hey. it seems that that worked. i have no more side effects, my background is the same. i went back in hijackthis and deleted the last of those pesky files and they haven't come back. i have attached a log, just to show u.

    any other precautions i should take?

    also, how can i fix my task manager. it says:
    Task Manager has been disabled by your administrator.

    THANK YOU!!!
     
  17. kritius

    kritius TS Guru Posts: 2,084

    Try the fix policies thing again, that should have worked.

    I'll keep thinking about what else to do while I review the log, I'll also post back with other instructions about further precautions.


    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

    EDIT||||||||||||||||||||||||||||

    Let's get rid of Viewpoint then

    Download Viewpoint Killer,
    • Extract the file to your desktop
    • Close all browser windows including this one
    • Open Viewpoint killer and press start
    • Allow it to remove anything Viewpoint related. Don't worry about the AIM warnings.

    Let me know how it goes.

    I don't see an antivirus program installed.

    Today's internet is simply suicide without an up to date antivirus.
    Not much point in you and I cleaning up the system if you refuse to protect yourself.
    However -- if you don't understand or cannot install an antivirus -- please let me know.

    Please download ONE of the following antivirus programs and install it.
    Once installed, Update it, run full system scan with it and allow it to fix up what it wants.
    Reboot if it fixed anything.


    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. op4dc

    op4dc TS Rookie Topic Starter

    its working again XD. thanks, i guess i just need some precautions?
     
  19. kritius

    kritius TS Guru Posts: 2,084

    See the edit above, use it or the previous instructions to get rid of viewpoint then post a fresh log for me,

    Hopefully we're nearly there.


    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  20. op4dc

    op4dc TS Rookie Topic Starter

    yea, here's the log, and i deleted viewpoint like u said
     
  21. kritius

    kritius TS Guru Posts: 2,084

    What about your Antivirus?

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features) and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder


    #) Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      + Extended (If available, otherwise use standard)
      o Scan Options:
      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file KasScan-ddmmyy (or similar)
    • In the Save as type prompt, select Text file (see below)
    • Include the report in your next post.

    Remove Combofix

    Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.

    Delete the three tools from step 10 by dragging them to the recycle bin, and then emptying it.

    This thread is for the use of op4dc only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     