Warning: Spyware threat has been detected on your PC

By Zartan22
Apr 8, 2008
Topic Status:
Not open for further replies.
  1. Hi there,

    Like quite a few others on these boards, I have recently had this annoying piece of spyware infect my PC. The symptoms are:

    1. Desktop pic changed to the 'Warning: Spyware threat has been detected on your PC' screen
    2. Frequent pop-ups from the task bar telling me various things are wrong, click here to download etc
    3. Task manager has been disabled
    4. Internet Explorer keeps opening with links to the aforementioned downloads

    I ran through the 15 steps and have 3 logs: ComboFix, HijackThis, and AVG Anti-Spyware. As far as I can tell I did everything that I was supposed to for the AVG scan, and I quarantined the results, but my log still says no action taken at the end of each result line.

    I see many others have had some excellent help in getting rid of this spyware from you guys, any help would be greatly appreciated.

    Thanks

  2. Tbolo

    Tbolo Newcomer, in training Posts: 25

    Personally I would just format and save yourself a headache and some time probably. But Spybot Search & Destroy is a good free one too.
  3. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Welcome Zartan22,


    I see anti-virus, but no firewall, please correct me if I am wrong.
    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm


    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Afterwards Reboot your computer and run a fresh scan with Hijackthis for me, attach the log here along with the MBAM log
  4. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Hi Blind Dragon,

    Thanks for the reply. I'll post the new MBAM and HijackThis file shortly, and I do have Windows Firewall protection, but would one of your recommendations be better?

    Thanks muchly for the Help!
  5. kritius

    kritius TechSpot Guru Posts: 2,087

    Windows doesn't protect both inbound and outbound traffic so a third party firewall would be highly beneficial, I recommend Comodo.
  6. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Thanks. I will install Comodo then!
  7. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Good choice, it will be a pain at first with warnings, but after it gets to know you, you won't even notice it's there, unless running a new program. Just make sure you check "remember this decision".
  8. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Warning: Spyware threat has been detected on your PC - Help Please!

    OK, the anti-malware scan has finally finished, so please find attached that and the HJT log. Thanks again for the help with this, it's driving me nuts!

  9. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Looks like that got a lot of infections off there.

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
  10. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Typing Y doesn't appear to do anything.

    The only options are 1,2,3,A,B,C,D,U or E and it says at the top to reboot in safe mode to run SDFix tool.

    What should I do?
  11. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Restart the computer

    Boot into safe mode by tapping the F8 key before windows loads -> select safe mode

    Try using Y first, if it doesn't work, use option 2
     
  12. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    OK, SDFix all done, I've attached the report.
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Can you please run and attach a fresh hijackthis log
  14. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Sure thing, here it is. Sorry I didn't get back to you sooner, I've been at work all day!
  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    First of all, while I work on typing up your instructions you need to pick whether you want AVG free anti-virus or Avast Anti-virus. 2 Anti-virus programs is not a good idea, it eats a lot of resources. Please uninstall through add/remove programs the one that you don't want. (This is not AVG Anti-spyware, but AVG anti-virus only that conflicts with Avast)

    Also I see some things that should be removed by SuperAntiSpyware, which you appear to already have, please update it and run a full scan, then attach the log back here by doing the following:

    Click on Preferences

    Click on Statistics/Logs then double click the log to open it, Save it to your desktop so it is easy to find

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/coventry/support/plugins/ebraryRdr.cab
    O16 - DPF: {FD163A9A-A3D8-4F7D-8224-32F81AC29EDA} (VPlayer Control) - http://video.vividas.com/CDN1/5029_paramount/en/web/player/vivid_ocx.jpeg


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\wmsdkns.exe <-This file only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
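
The two entry types that make up most of the fix list in the post above, a UserInit value with a second program chained after userinit.exe and BHO registrations marked (no file), can be picked out of a HijackThis log mechanically. This is an added example, not part of the original thread or of HijackThis; the function names are illustrative and the last sample line is constructed.

```python
import re

# Sample lines: the F2 entry and the first O2 entry are copied from the post
# above; the "Example Helper" O2 entry is constructed for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")           # "<section> - <body>"
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
USERINIT_RE = re.compile(r"UserInit=(.*)$", re.IGNORECASE)


def userinit_extras(value):
    """Return every program in a comma-separated UserInit value that is not
    userinit.exe. Only the file name is compared (an assumption made here);
    a stricter check would also pin the expected system32 path."""
    programs = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in programs
            if p.replace("/", "\\").lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def review(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        if section == "F2":
            u = USERINIT_RE.search(body)
            if u:
                for prog in userinit_extras(u.group(1)):
                    findings.append((section, "extra program in UserInit", prog))
        elif section == "O2":
            b = BHO_RE.match(body)
            # "(no file)" means the CLSID is registered but its DLL is gone.
            if b and b.group(3).strip() == "(no file)":
                findings.append((section, "BHO registered without a file", b.group(2)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(" | ".join(finding))
```

A finding here is a prompt to look at the entry, as the helper in the thread did by hand, not a verdict on the file.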
  16. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    OK, everything's looking a lot better already, the desktop pic can now be changed back, without switching back to the spyware background and the pop-ups seem to have stopped. The task manager is still disabled though.

    Some of the entries in the HijackThis log weren't there, I guess this was to do with the SuperAntiSpyware? And the C:\WINDOWS\system32\wmsdkns.exe wasn't there either, which again I guess is a good thing?!

    This is all fantastic though! The PC feels a lot better!
  17. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Where is the SAS log, after I made you those great instructions for retrieving the log

    Hijackthis looks much better, let's look deeper.

    Can you run combofix again and attach the new log here
  18. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    My bad! Forgot to attach it!
     
  19. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Here's the Combofix log
  20. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    File threats detected : 466

    That's why I love SAS


    Let's see what Kaspersky says. Your logs are looking much better, are you still having any symptoms?

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  21. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    I'll post the Kaspersky log as soon as it's done. As far as symptoms go, everything seems good. The desktop pic is clean, no pop-ups and I can access the task manager again! Things are looking great! Again, thanks so much for the help!
  22. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Here's the Kaspersky log.
  23. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Looks good, time to clean up and secure the work we have done.

    First Launch Spybot S&D and click on the Recovery Icon in the left panel. Check all the boxes and select "purge selected items" Then confirm to delete all backups.
    ------------------------------------------------------------------------------------------------------

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger every time you run your computer you can disable it, then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
  24. Zartan22

    Zartan22 Newcomer, in training Topic Starter

    Fantastic stuff! You are a star Mr. Blind Dragon! If I could buy you a beer, I would!

    I have AVG Anti-Spyware and SuperAntiSpyware as well as Avast Anti-Virus, will this suffice then?

    Thanks again for all of your help, it's nice to know that message boards can be used to help your fellow man as opposed to complaining about everything under the sun!

    All the best sir!
  25. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Yes,

    If you got AVG AS through our link it is probably only a 30 day trial and you can remove it. Superantispyware is just as good.

    Occasionally you also want to clear temp files with either ATF cleaner or CCleaner

    I would also keep spybot, as long as you purge those backups. Re-enable tea-timer to protect changes to your registry without your knowledge.

    And make sure you keep your firewall enabled, and windows firewall disabled.

    Good luck to you! and if you have any more issues you know where to find me.

    Regards,

    Blind Dragon