TechSpot

Warning: Spyware threat has been detected on your PC

By hofreb
Apr 14, 2008
Topic Status:
Not open for further replies.
  1. I know this has been posted before about the blue screen with the yellow and white warning on my desktop, and I have tried most of the things suggested, however the threat has not been removed. I notice a lot of people are posting logs on the posts, and wondered if this is something I should do. I have downloaded about 15 spyware things, and run so many things on my computer. I am not sure where to go from here, I am worried that I am just making things worse. Is there anyone that can give me step by step instructions on how to fix this? Also, I am very worried about the security threat this imposes, as I do all of my banking and bills online. I don't have a recovery disk or anything like that. Is this something that I should still worry about once/if I get this cleared up? Thank you for any help you can provide.
    Rebecca
  2. raybay

    raybay TS Evangelist Posts: 10,716   +6

    It appears that perhaps you have the Smitfraud virus.
    To remove it, we prefer Spyware Doctor, which costs, or Webroot Spyware, which also costs. Or you may try Your computer is infected with the SmitFraud removal tool. To get that, download the spyware tool at www.sff.notlong.com. Then you can unzip Smitfraud.zip to run the SmitFraud repair called smitfraudfix.cmd, using the choice: 1,2,Q, then shut down your computer and then restart.
    Then run either Spyware Doctor (my preference) or Webroot Antispyware. Run their scan, then shut down. Restart.
    Now, you should have, or download, Spybot 1.2.5.20 from www.majorgeeks.com, and Adaware 2.0.0.7 as well. Finally, download AVG Antispyware free version by doing a Gurgle search for AVG Grisoft Free, and Windows Defender from www.microsoft.com.
    Update each of these, then run all of them to scan your computer for spyware.

    If you have been setting restore points periodically, if you don't know, I would want to get rid of all of them. I would go back to a restore point prior to when you had trouble. You can right-click My Computer, click Properties, then System Restore tab, click Turn Off System Restore on All Drives. When that has finished, turn it back on to create a new clean restore point.
    Then routinely build up a history of restore points whenever you are comfortable that you have no further problems.
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    If you are like everyone else on here lately, you have multiple infections that won't be removed by any one piece of software as explained above by raybay

    I prefer to suggest programs that produce a log which you can post for review.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    In addition to the above I would also suggest

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  4. hofreb

    hofreb TS Rookie Topic Starter

    Thank you, I have done the preliminary removal list and here are my logs. The Panda came up with nothing.

    Hope these are the logs that I needed. Also, do I need to post the log from the malwarebytes program. Thank you for the help.
  5. hofreb

    hofreb TS Rookie Topic Starter

    Ok here is the log from the malware program.
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You have a lot of infections still

    First of all I see you have a full line of Mcafee products, but there are a few entries that relate to Norton. So if you had Norton and now use Mcafee please run this Norton Removal Tool

    ------------------------------------------------------------------------------------------------------------
    Print out or save this portion into notepad onto your desktop so that you can see in safe mode

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: (no name) - {A3E4E46E-0D71-4EF5-A6D8-5CEC6ACFF494} - C:\WINDOWS\system32\cbXNFwUn.dll (file missing)
    O2 - BHO: (no name) - {C48B3BAC-F612-F9C3-139B-D38F71032991} - C:\WINDOWS\system32\dtrhe.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ASKS~1\svchost.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
    O4 - HKCU\..\Run: [Izq] C:\WINDOWS\??stem32\?ti2evxx.exe
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    Hyperlinks Rotator
    ISMonitor
    Internet Speed Monitor


    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\QdrPack
    C:\Program Files\QdrModule
    C:\Program Files\RcvSystem
    C:\Program Files\ASKS~1 <- Not sure on this exact folder name, if you find it great, if not we will look another way

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\sbwltbxa.exe
    C:\WINDOWS\system32\dtrhe.dll
    C:\WINDOWS\system32\cbXNFwUn.dll
    C:\WINDOWS\System32\Ati2evxx.exe


    After that, Reboot, and post a new HijackThis log here in a reply
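
The kind of review applied to the HijackThis entries in the post above can be sketched as a small triage script. This is an added example, not part of the original post and not HijackThis's or the poster's own logic; the heuristics, the `SYSTEM_NAMES` list and the function names are assumptions chosen for illustration, and the sample lines are copied from the list above.

```python
import re

# Constructed sample: six entries copied from the HijackThis list in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: BndFibu7 IE Helper - {8041E642-8CFC-4720-BC9D-D2DB8904286F} - C:\Program Files\QdrDrive\QdrDrive12.dll
O4 - HKCU\..\Run: [Cpue] "C:\PROGRA~1\ASKS~1\svchost.exe" -vt yazb
O4 - HKCU\..\Run: [Izq] C:\WINDOWS\??stem32\?ti2evxx.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
"""

SYSTEM32 = "c:\\windows\\system32\\"
# Assumed short list of Windows process names that unwanted software often imitates.
SYSTEM_NAMES = {"svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe"}


def triage_line(line):
    """Return the reasons (possibly none) a HijackThis entry deserves manual review."""
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section == "F2" and "userinit=" in body.lower():
        # Userinit should start only userinit.exe; anything appended runs at every logon.
        programs = [p.strip().lower() for p in body.split("=", 1)[1].split(",")]
        extra = [p for p in programs if p and p != SYSTEM32 + "userinit.exe"]
        if extra:
            reasons.append("Userinit also launches " + ", ".join(extra))
    elif section == "O2":
        if body.endswith(("(no file)", "(file missing)")):
            reasons.append("BHO is registered but its DLL is absent")
        elif "(no name)" in body:
            reasons.append("unnamed BHO backed by a DLL")
    elif section == "O4":
        cmd = body.split("]", 1)[-1].strip()
        exe = re.match(r'"?(.+?\.exe)', cmd, re.IGNORECASE)
        path = exe.group(1).lower() if exe else cmd.lower()
        if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not path.startswith(SYSTEM32):
            reasons.append("system process name outside system32")
        if "?" in path:
            reasons.append("path holds characters the log could not print")
    elif section == "O18" and body.lower().startswith("filter hijack"):
        mime = body.split(":", 1)[1].split(" - ")[0].strip()
        reasons.append("HijackThis reports a replaced MIME filter for " + mime)
    return reasons


def triage(log_text):
    """Map each flagged log line to its list of reasons."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

The named BHO with a DLL on disk (`BndFibu7 IE Helper`) passes these heuristics even though it was listed for removal above, which is why such output only prioritises entries for a human reviewer.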
  7. hofreb

    hofreb TS Rookie Topic Starter

    O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll

    would not do anything.
    Also in Add/Delete I was wondering about OCR Software by I.R.I.S 7.0?? None of the other 3 that you listed were there.

    The only one that I could find in the other lists was C:\Program Files\RcvSystem
    and that was deleted.

    Thank you for helping me.
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Disable any real time protection including Mcafee and run:

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  9. hofreb

    hofreb TS Rookie Topic Starter

    I keep receiving this error every time I try and run Combofix:

    Error
    You cannot rename Combofix as Combofix[1] Please use another name, made up of alphanumeric charectors.

    I was getting that error last time when I tried to run this so I ended up using DSS instead, can I do this again this time, or do you know how I can fix the problem I am having with Combofix?
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    You have an old version. You need to uninstall it, then reinstall through the above link in my instructions.

    Go to start -> run
    or hold the windows key down and press R ->type exactly combofix /u
  11. hofreb

    hofreb TS Rookie Topic Starter

    Here is the requested log from combofix and HJT. Thank you for your help.
     
  12. hofreb

    hofreb TS Rookie Topic Starter

    It appears that this problem is fixed...Thank you very very much! Is there anything else that I should do, as far as any other problems that you can see? Also, I am wondering if I have to keep all of these spyware things, or if I can get rid of some of them?
    Thank you again, I am so happy to be rid of that problem.
    R
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    It looks much better, sorry for the delay, I was very busy in my real life over the weekend.

    Please run a kaspersky scan before we start the cleanup process

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  14. hofreb

    hofreb TS Rookie Topic Starter

    You mean you have other things to do than help me with my computer! :)...Anyway, I appreciate everything and here is the report.
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    1 infected file left from that scan, the rest are in backups and restore points which we will clear

    Delete this file:
    C:\WINDOWS\system32\L99B4.tmp

    Uninstall Hijackthis through add/remove programs

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2



    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.



    Additional info:
    • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
  16. hofreb

    hofreb TS Rookie Topic Starter

    Thank you, I have done all of the above with the exception of additional utilities which I will look over. Is there anything else that I should do? I really do appreciate everything and the time you have put into helping me!
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    If you have any more problems let me know, otherwise stay safe

    Regards,

    BD
  18. hofreb

    hofreb TS Rookie Topic Starter

    I have one more question. I still have Kaspersky-malwarebytes-adwatch can I delete these or should I leave them?
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    It is your choice, you can keep them or remove them. I'll leave it to you, to pick the programs that you are comfortable with. If you have any questions about different software I am familiar with most of them. Also before trying a new anti-malware software you check that it is not considered rogue through www.spywarewarrior.com


    You should have 1 active antivirus, 1 firewall, and at least 2 anti-spyware programs

    I would keep MBAM around as it is free and is a great product, run a scan every few weeks or so with it.