TechSpot

Warning: Spyware threat has been detected on your PC

By wharfrat11
Apr 5, 2008
  1. Hello everyone,

    I just started receiving the same errors as Chris this morning (from a similar issue in a previous thread). Ran adware and AVG but nothing helped. In addition to the errors he spoke of (popup warnings, spyware-warning background on the desktop), the following has been occurring too:

    1. I cannot d/l any new programs (HijackThis, etc.) per kritius' second post (in the previous thread regarding the similar issue). When I try I receive the error message: "IE cannot download ____.exe from ______.com. IE was not able to open Internet site. The request is either unavailable or cannot be found. Try again later." This happens with everything I've tried d/ling at the moment.

    2. When trying to access Task Manager I receive the following error: "Task Manager has been disabled by your administrator."

    3. I could not access Hotmail from my cpu to register here. Had to do this from another cpu to be able to post.

    4. Even Notepad will not open, and I receive a message saying Windows has blocked it due to protection.

    Not sure where to go from here. Please advise, and thanks for the help in advance.
    Mike
     
  2. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    Sorry about the post in the other thread. Please advise where to go from here.
     
  3. kritius

    kritius TS Guru Posts: 2,084

    The first thing I need you to do is download and install HijackThis.

    I need these programs to help you, so if you have to, get them from another computer.

    In regard to Task Manager:

    Download RatsCheddar.zip
    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically, close it.

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Finally, run HijackThis AFTER the other two scans and attach a log.

    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.
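As an added example (not from this thread, and not RatsCheddar's or TechSpot's code): the message Mike quotes, "Task Manager has been disabled by your administrator", is produced by the DisableTaskMgr policy value, and the matching "Registry editing has been disabled" message by DisableRegistryTools, both under Software\Microsoft\Windows\CurrentVersion\Policies\System in HKCU and HKLM. RatsCheddar is described above only as a "policy controller"; the assumption here is that it resets these same values. The PowerShell script below (its name and the -Repair switch are mine) reports any restricting value and, with -Repair, deletes it. Run it as the affected user for the HKCU copy and from an elevated prompt for the HKLM copy.

```powershell
# Added example, not from the thread or from RatsCheddar: report and clear the policy
# values behind "Task Manager has been disabled by your administrator".
# Usage:  .\Check-Policies.ps1            (report only)
#         .\Check-Policies.ps1 -Repair    (delete the restricting values)
param([switch]$Repair)

# A value of 1 restricts; absent or 0 is the normal state. Both hives are checked because
# the HKLM copy applies to every user and the HKCU copy only to the one logged on.
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')
$policyKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-RestrictingPolicies {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }        # key absent = nothing set
        $props = Get-ItemProperty -Path $key
        foreach ($name in $policyValues) {
            $val = $props.$name
            if ($null -ne $val -and [int]$val -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $val }
            }
        }
    }
}

$found = @(Get-RestrictingPolicies)
if ($found.Count -eq 0) {
    Write-Host 'No Task Manager / registry-editor restrictions are set.'
    return
}
$found | Format-Table -AutoSize

if ($Repair) {
    foreach ($f in $found) {
        # Deleting the value (rather than writing 0) restores the "not configured" state.
        Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction Stop
        Write-Host "Removed $($f.Name) from $($f.Key)"
    }
    Write-Host 'Log off and back on (or reboot) so Explorer re-reads the policy.'
}
```

One caveat a practitioner will want: if the malware is still running it can set the value again within seconds, so a repair that "doesn't stick" (Mike reports exactly this after RatsCheddar in the next post) is itself evidence that the removal is not finished, and the policy cleanup should be repeated after the scanners have run.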
     
  4. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    kritius,

    Sorry for the delay in getting back to you. Took some time to run down the programs and get them on my cpu, but it looks like everything you needed me to do is complete. Attached are the logs for Malwarebytes, ComboFix & HijackThis. Thanks for the help, and let me know where to go from here.

    Besides these three programs I ran RatsCheddar but am still unable to access Task Manager and receive the same error message as previously stated (not sure if it was even supposed to be fixed, but figured I'd let you know).

    Mike
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Looking over now, will post back after I have the results.
     
  6. kritius

    kritius TS Guru Posts: 2,084

    My goodness, this was infected.

    Rename HijackThis.exe to wharfrat11.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to wharfrat11.exe

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot if necessary


    Delete Files on Reboot
    • Start Hijackthis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the button labeled Delete a file on reboot...
      A new window will open asking you to select the file that you would like to delete on reboot.
    • Navigate to each file and click on it once, and then click on the Open button.
    C:\WINDOWS\system32\wmsdkns.exe
    • You will now be asked if you would like to reboot your computer to delete the file.
    • Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot: CFScript.txt being dragged onto ComboFix.exe]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.

      If you use Firefox:

      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera:

      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program.

    Manually clear cache
    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of four or more folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use; this is normal if you are currently at a web site, since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
    • If desired, reset the folder options you changed in step 1.

    Run HijackThis again with its new name and then post back with the results as well as the new combofix log that was produced.
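As an added example (not from this thread, and not HijackThis's or ComboFix's code): the two kinds of entry kritius flagged above come from two registry locations. The F2 line is the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; Winlogon launches every comma-separated entry at logon, which is how "userinit.exe,wmsdkns.exe," starts the malware next to the real shell loader. The O2 lines are the CLSID subkeys under ...\Explorer\Browser Helper Objects, each resolved through HKCR\CLSID\{clsid}\InprocServer32 to the DLL IE loads; "(no file)" means that lookup resolves to nothing. The PowerShell script below (its name and the -RepairUserinit and -RemoveOrphanBhos switches are mine) reads both directly. Its repair trims the Userinit value back to "C:\WINDOWS\system32\userinit.exe,"; it never deletes userinit.exe itself, which is the file the later posts in this thread nearly lost and without which no user can log on. Run it from an elevated prompt, and only after the malware process is gone, since an active infection rewrites the value.

```powershell
# Added example, not from the thread or from HijackThis: audit the registry entries behind
# the F2 (Userinit) and O2 (BHO) HijackThis lines, with optional repair.
# Usage:  .\Audit-Logon.ps1                         (report only)
#         .\Audit-Logon.ps1 -RepairUserinit -RemoveOrphanBhos
param(
    [switch]$RepairUserinit,   # trim Userinit back to the real userinit.exe
    [switch]$RemoveOrphanBhos  # delete BHO registrations whose DLL cannot be resolved
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$bhoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$legit    = Join-Path $env:SystemRoot 'system32\userinit.exe'   # the one entry that belongs

# F2 - REG:system.ini: UserInit=...  Every comma-separated entry is launched at logon.
function Get-UserinitEntries {
    $raw = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $raw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

$entries = @(Get-UserinitEntries)
Write-Host 'Userinit entries:'
foreach ($e in $entries) {
    $state = if ($e -ieq $legit)   { 'expected' }
             elseif (Test-Path $e) { 'EXTRA (file present)' }
             else                  { 'EXTRA (file missing)' }
    Write-Host ("  {0,-42} {1}" -f $e, $state)
}

$clean = ($entries.Count -eq 1 -and $entries[0] -ieq $legit)
if ($RepairUserinit -and -not $clean) {
    # Safety check: never write a Userinit value that points at a file that is not there.
    if (-not (Test-Path $legit)) { throw "$legit is missing; restore it before touching Userinit" }
    Set-ItemProperty -Path $winlogon -Name Userinit -Value "$legit,"   # stock value keeps the trailing comma
    Write-Host "Userinit reset to '$legit,'"
}

# O2 - BHO: each subkey is a CLSID; resolve it to its DLL the way IE (and HijackThis) does.
function Get-BhoStatus {
    if (-not (Test-Path $bhoRoot)) { return }
    foreach ($key in Get-ChildItem -Path $bhoRoot) {
        $clsid = $key.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { $null }
        $state = if (-not $dll) { 'no file (orphan)' }
                 elseif (Test-Path ([Environment]::ExpandEnvironmentVariables($dll))) { 'present' }
                 else { 'file missing' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; State = $state }
    }
}

$bhos = @(Get-BhoStatus)
Write-Host "`nBrowser Helper Objects:"
$bhos | Format-Table -AutoSize

if ($RemoveOrphanBhos) {
    # Anything that does not resolve to an existing DLL is the "(no file)" case above.
    foreach ($b in ($bhos | Where-Object { $_.State -ne 'present' })) {
        Remove-Item -Path (Join-Path $bhoRoot $b.CLSID) -Recurse -Force
        Write-Host "Removed BHO registration $($b.CLSID)"
    }
}
```

The script covers the 32-bit Windows XP layout this thread is about. On 64-bit Windows the 32-bit IE reads its BHOs from the Wow6432Node copy of the same key, and from Vista on per-user BHOs can also live under HKCU, so a full audit there checks those paths as well.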
     
  7. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    Working on this now. Looks like I've got a mess going. Will post back as soon as I'm done. Thanks for the help.
     
  8. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    kritius,

    I'm at the step of using HijackThis to remove the files. Have not rebooted yet; chose to reboot later and only selected the first two files (userinit.exe & wmsdkns.exe). What do I do with these, or where are these located when I browse?

    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Just put a check beside them all and select Fix checked.
     
  10. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    I did that, and maybe that's all I needed to do. I'm at the Misc Tools tab choosing files to delete upon reboot. I selected userinit.exe & wmsdkns.exe from the system32 folder. Have not rebooted. Should I reboot and move on to the ComboFix script step?
     
  11. kritius

    kritius TS Guru Posts: 2,084

    ONLY this one: C:\WINDOWS\system32\wmsdkns.exe, NOT this one: C:\WINDOWS\system32\userinit.exe
     
  12. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    ****.... Now what? Sorry, sorry.... Did the ComboFix script step and saved the new log to the desktop. I have not rebooted at all yet, but did select both exe files to be deleted upon rebooting. The userinit.exe file is still in the folder, but how do I stop it from deleting when I reboot?
     
  13. kritius

    kritius TS Guru Posts: 2,084

    Have you rebooted yet?
     
  14. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    No reboot yet. File still in the folder. Edited the above post with more info.
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Make a copy of the file userinit.exe and move it to the desktop; once the reboot happens, move it back to the system32 folder.

    I have to head out now; I'll review the logs when I get back.
     
  16. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    Moving along nicely. Ran ATF Cleaner and made sure that I have checked the box next to "Show hidden files and folders" and unchecked "Hide protected operating system files". Started Internet Explorer and clicked Tools | Internet Options | General tab | Settings | View Files, and IE opened up a folder window with the name C:\Windows\......\Temporary Internet Files. There are 35 objects in this folder.

    **This is where I'm lost for a second. I don't see an address area where I can add the info you need me to below; I'm sure this is just a setting that I need to check to display this address info, but I'm drawing a blank:

    "Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5."
     
  17. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    I have to head out for a while.... baseball game. Be back later in the afternoon, EST. Thanks again for the help.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    At the top of the folder,
    [screenshot: the address area at the top of the folder window]

    Click on this area, and this will show,
    c:\Windows\Temporary Internet Files

    add \content.ie5 to the end of it.
     
  19. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    Above the File - Edit - View - Favorites - Tools - Help bar I have the old-school blue display that maximizes the window when you double-click on it. If you click once nothing happens, and you cannot alter the text.
     
  20. kritius

    kritius TS Guru Posts: 2,084

    Never worry then, move on with the next steps.
     
  21. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    What should I do with the 35 objects in the folder? Ignore/delete/nothing?
     
  22. kritius

    kritius TS Guru Posts: 2,084

    CCleaner
    Download CCleaner from HERE.
    • Double-click on the ccsetup.exe file to start the installation of the program.
    • Select your language and click OK, then Next.
    • Read the license agreement and click I Agree.
    • Click Next to use the default install location.
    • Under Install Options, keep all the default settings except "Install the Yahoo! Toolbar", which you should uncheck.
    • Click Install, then Finish to complete the installation.
    • Double-click the CCleaner shortcut on the desktop to start the program.
    • Under Advanced, deselect "Old Prefetch Data".
    • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
    • Repeat this several times until nothing more is found, then click Exit.
     
  23. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    Installed and ran CCleaner. Kept hitting Run Cleaner until it came back with 0 bytes found, then exited. Where to from here?
     
  24. wharfrat11

    wharfrat11 TS Rookie Topic Starter Posts: 29

    Went back to check the temp folder, and it was now down to 19 objects after running the cleaner.
     
  25. kritius

    kritius TS Guru Posts: 2,084

    That's good; you can move on now with the rest of the things I mentioned.
     