Warning: spyware detected on your pc

By Heidic4u
Apr 7, 2008
Topic Status:
Not open for further replies.
  1. Hello, I am new to posting. I got this message shortly after downloading an infected file. Warning: Spyware has been detected on your PC. It has hijacked my desktop background. I've tried Adaware and Spybot search & destroy but nothing works. Also, there are popups warning me of an internet threat or some other problem. Also, it seems to have only affected one user account on my pc, not both. I appreciate any help that someone can give me. Thanks!
  2. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    HJT log

    Someone please help....Here is my scan using hijack this.
  3. kritius

    kritius TechSpot Guru Posts: 2,087

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  4. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    I can't attach my log
  5. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    sorry, trying to attach
  6. kritius

    kritius TechSpot Guru Posts: 2,087

    Try deleting your previous log or renaming it and see if that helps.
  7. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    still trying
  8. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    I don't see the paperclip icon to attach it. I only have the url attach, url image, and, quote
  9. kritius

    kritius TechSpot Guru Posts: 2,087

    Hit the go advanced button beside post quick reply
  10. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    I attached my log file for malwarebytes. I wasn't able to install combofix for some reason. The program kept hanging shortly after double clicking on it. I never even got any prompts from it. I thought it might have been my spybot program that was running and popping up windows during the installation so I disabled it but the same thing kept happening.
  11. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    oops, thanks got it.
     
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Disable any realtime monitoring programs, disconnect from the internet, close down your antivirus,

    : Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized.
    • Attach the main.txt and the extra.txt in your reply.
  13. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    Here are the logs from the DSS program.
  14. kritius

    kritius TechSpot Guru Posts: 2,087

    Looking over now, I'll post back later.
  15. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    Thank you so much!
  16. kritius

    kritius TechSpot Guru Posts: 2,087

    Blooming heck there was a lot in there!

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {EF64D236-E9D7-4FE1-8F6A-76D63C13FD54} - (no file)
    O4 - HKLM\..\Run: [0878296a] rundll32.exe "C:\WINDOWS\system32\vkksccqw.dll",b
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Ricochet%20Recharged/Images/stg_drm.ocx
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://www.gamefiesta.com/webgames/******-Poppers/PiratePoppers.1.0.0.32.cab
    O20 - Winlogon Notify: iifcbyVm - iifcbyVm.dll (file missing)
    O21 - SSODL: RamAlrt - {7c2eab23-723c-4f4e-b5ba-d6bac3e73ee7} - (no file)
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Program Files\Common Files\BOONTY Shared\
      C:\WINDOWS\system32\vkksccqw.dll
      C:\WINDOWS\system32\winlogonpc.exe
      C:\WINDOWS\userconfig9x.dll
      C:\WINDOWS\FVProtect.exe
      C:\WINDOWS\system32\hoproxy.dll
      C:\WINDOWS\a.bat
      C:\WINDOWS\system32\taack.exe
      C:\WINDOWS\system32\taack.dat
      C:\WINDOWS\system32\sncntr.exe
      C:\WINDOWS\system32\mwin32.exe
      C:\WINDOWS\system32\hxiwlgpm.exe
      C:\WINDOWS\system32\hxiwlgpm.dat
      C:\WINDOWS\system32\psoft1.exe
      C:\WINDOWS\system32\psof1.exe
      C:\WINDOWS\system32\ps1.exe
      C:\WINDOWS\system32\bsva-egihsg52.exe
      C:\WINDOWS\system32\msnbho.dll
      C:\WINDOWS\system32\ssurf022.dll
      C:\WINDOWS\system32\medup020.dll
      C:\WINDOWS\system32\medup012.dll
      C:\WINDOWS\system32\netode.exe
      C:\WINDOWS\system32\mtr2.exe
      C:\WINDOWS\system32\msgp.exe
      C:\WINDOWS\system32\temp#01.exe
      C:\WINDOWS\system32\h@tkeysh@@k.dll
      C:\WINDOWS\system32\ssvchost.exe
      C:\WINDOWS\system32\ssvchost.com
      C:\WINDOWS\system32\regm64.dll
      C:\WINDOWS\system32\dpcproxy.exe
      C:\WINDOWS\system32\regc64.dll
      C:\WINDOWS\system32\msvchost.exe
      C:\Documents and Settings\Lake\Desktop\filemanagerclient.exe
      C:\WINDOWS\system32\thun32.dll
      C:\WINDOWS\system32\thun.dll
      C:\WINDOWS\system32\Rundl1.exe
      C:\Documents and Settings\Lake\Desktop\FWebdEditor.exe
      C:\Documents and Settings\Lake\Desktop\fwebd.exe
      C:\WINDOWS\winsystem.exe
      C:\WINDOWS\system32\vcatchpi.dll
      C:\WINDOWS\system32\newsd32.exe
      C:\WINDOWS\system32\emesx.dll
      C:\WINDOWS\system32\anticipator.dll
      C:\WINDOWS\system32\akttzn.exe
      C:\WINDOWS\system32\WINWGPX.EXE
      C:\WINDOWS\system32\winsystem.exe
      C:\WINDOWS\system32\sysreq.exe
      C:\WINDOWS\system32\mssecu.exe
      C:\WINDOWS\system32\bdn.com
      C:\WINDOWS\system32\awtoolb.dll
      C:\WINDOWS\system32\vbsys2.dll
      C:\Documents and Settings\All Users\Application Data\toluhedu
      C:\WINDOWS\system32\2A52BD
      C:\WINDOWS\system32\iifcbyVm.dll
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\0878296a
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}
      HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbyVm\\iifcbyVm.dll 
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.
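
Added example, not part of the original thread and not the helper's own method: a small parser for the HijackThis entry format used in the post above, with three illustrative triage heuristics (orphaned references, rundll32 autoruns, ActiveX codebases that are not HTTPS). The function names `parse` and `triage` and the heuristics themselves are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Five of the HijackThis entries quoted in the post above, copied verbatim.
SAMPLE = r'''
O2 - BHO: (no name) - {EF64D236-E9D7-4FE1-8F6A-76D63C13FD54} - (no file)
O4 - HKLM\..\Run: [0878296a] rundll32.exe "C:\WINDOWS\system32\vkksccqw.dll",b
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O20 - Winlogon Notify: iifcbyVm - iifcbyVm.dll (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
'''

# "<section> - <kind>: <detail>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r'^\s*([A-Z]\d{1,2}) - ([^:]+): (.*)$')
# rundll32 launching a DLL export: rundll32.exe "path.dll",export
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,\s*\S+', re.I)

def parse(log):
    """Yield (section, kind, detail) for every HijackThis-style line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip(), m.group(3).strip()

def triage(log):
    """Return (section, reason, evidence) tuples; heuristics are illustrative."""
    findings = []
    for section, _kind, detail in parse(log):
        low = detail.lower()
        run = RUNDLL.search(detail)
        if '(no file)' in low or '(file missing)' in low:
            # The registration survives but its target is gone from disk.
            findings.append((section, 'orphaned reference', detail))
        elif section == 'O4' and run:
            # Autorun key that loads a DLL through rundll32.
            findings.append((section, 'rundll32 autorun', run.group(1)))
        elif section == 'O16':
            # The codebase is the last " - " separated field of a DPF entry.
            source = detail.rsplit(' - ', 1)[-1]
            if not source.lower().startswith('https://'):
                findings.append((section, 'ActiveX codebase not HTTPS', source))
    return findings

if __name__ == '__main__':
    for section, reason, evidence in triage(SAMPLE):
        print(f'{section:4} {reason:27} {evidence}')
```

A flagged entry is a prompt for manual review, not a verdict; the O23 service line passes these three checks even though the helper chose to remove it.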
  17. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    OTMoveIt2 log attached

    I attached my log for this program. Thank you.
  18. kritius

    kritius TechSpot Guru Posts: 2,087

    That worked nicely, can you run another HijackThis scan for me please?

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file
    • Include the report in your next post.
  19. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    Logs

    Here are my latest logs. Thank you.
  20. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    I think my post got lost or overlooked. I attached my last logs on the previous post. Thank you.
  21. kritius

    kritius TechSpot Guru Posts: 2,087

    I'll look over them later for you, I was away for a while.
  22. kritius

    kritius TechSpot Guru Posts: 2,087

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine<=======Delete the contents of this folder
    C:\Documents and Settings\All Users\Documents\SOFTWARE SHORTCUTS\CODES\PALM\_PDA__Palm_OS_Software_Over_100_Programs.zip<======Delete this file
    C:\Documents and Settings\All Users\Documents\SOFTWARE SHORTCUTS\nero\nero 8\Nero-8.2.8.0_eng_trial.exe<======Delete this file
    C:\Documents and Settings\All Users\Documents\SOFTWARE SHORTCUTS\nero 8.rar <======Delete this file
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5<=======Delete the contents of this folder
    C:\Documents and Settings\Lake\Local Settings\Temp\NERO14399\Toolbar.exe <======Delete this file
    C:\Downloads\AmpedFreestyleSnowboardingP-dm[1].exe<======Delete this file
    C:\Downloads\BackyardBasketball-dm[1].exe<======Delete this file
    C:\Downloads\CodesCheatsSpring2007PrimaO-dm[1].exe<======Delete this file
    C:\Downloads\DraculaTwinsSetup-dm[1].exe<======Delete this file
    C:\Downloads\RobotArena-dm[1].exe<======Delete this file
    C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe/data0004<======Delete this file
    C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe<======Delete this file
    C:\Program Files\Online Services\Vonage\Xtras\regxtra121.x32<======Delete this file
    C:\Program Files\SpongeBob SquarePants Diner Dash 2\sdszpkb.exe<======Delete this file
    D:\I386\APPS\APP25742\src\CompaqPresario_Spring06.exe<======Delete this file
    D:\I386\APPS\APP25742\src\HPPavillion_Spring06.exe<======Delete this file
    G:\Downloads\setup_ares.exe/data0020<======Delete this folder
    G:\Downloads\setup_ares.exe/data0021<======Delete this folder
  23. Heidic4u

    Heidic4u Newcomer, in training Topic Starter Posts: 18

    Kritius, I just want to thank you for taking the time to help me. My computer seems to be working better now. I no longer have the issue I did when I started this post. Thank you so much!!!
  24. kritius

    kritius TechSpot Guru Posts: 2,087

    Post back one final HJT log and I'll look over it for you.