PC Anti-spyware Popup

Status
Not open for further replies.

justinash79

Posts: 9   +0
Hi. I need help with the PC Anti-Spyware.

I have these pop ups

1)
" Security System Protection Control Panel " TrojanDownloader.XS.
It is a White and Blue window that says 'Security system Waring"

2)
A red box mentioning something to the extent of:
Alert Details
File: C:\WINDOWS\wml.exe
Threat:Abebot

3)
System Integrity Scan Wizard
Warning: Your computer may have critical errors in Windows registry and file system!

and 4)
Yellow Triangle with exclamation mark in the bottom right corner where the clock is located. Its constantly prompting me there is spyware infecting my system and is directing me to a website to download some spyware remover.

Attached is my hijack log.

Appreciates.
 
Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Windows\TEMP\TMP0000007A2E5674C837A24AD1.exe

Folder::
C:\ProgramData\trvwjtcq
C:\ProgramData\cxsxuhox

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
-----------------------------------------------------------------------------------------------------------------------------------------------------------

CCleaner
  • Download from HERE
  • Close all browsers.
  • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs, Also check All Advanced tabs(except for the Old prefetch Data option, this should be unticked)
  • Click the run cleaner button. Do this several times
--------------------------------------------------------------------------------------------------------------------------------------------
Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\Program Files\leftsider103\leftsider.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
---------------------------------------------------------------------------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply


Attach:
1)Combofix log
2)Hijackthis log ran after
3)Virustotal results
4)Kaspersky
 
Hi Blind Dragon,

thanks as always!

Here is my Virustotal Results

Antivirus Version Last Update Result
AhnLab-V3 2008.4.15.1 2008.04.15 -
AntiVir 7.6.0.85 2008.04.15 -
Authentium 4.93.8 2008.04.14 -
Avast 4.8.1169.0 2008.04.15 -
AVG 7.5.0.516 2008.04.15 -
BitDefender 7.2 2008.04.15 -
CAT-QuickHeal 9.50 2008.04.14 -
ClamAV 0.92.1 2008.04.15 -
DrWeb 4.44.0.09170 2008.04.15 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5700 2008.04.15 -
Ewido 4.0 2008.04.15 -
F-Prot 4.4.2.54 2008.04.15 -
F-Secure 6.70.13260.0 2008.04.15 -
FileAdvisor 1 2008.04.15 -
Fortinet 3.14.0.0 2008.04.15 -
Ikarus T3.1.1.26 2008.04.15 -
Kaspersky 7.0.0.125 2008.04.15 -
McAfee 5273 2008.04.14 -
NOD32v2 3028 2008.04.15 -
Norman 5.80.02 2008.04.15 -
Panda 9.0.0.4 2008.04.14 -
Prevx1 V2 2008.04.15 -
Rising 20.40.11.00 2008.04.15 -
Sophos 4.28.0 2008.04.15 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.15 -
TheHacker 6.2.92.278 2008.04.15 -
VBA32 3.12.6.4 2008.04.14 -
VirusBuster 4.3.26:9 2008.04.15 -
Webwasher-Gateway 6.6.2 2008.04.15 -
Additional information
File size: 74752 bytes
MD5...: 5feeb2a45ef421006c978d0e02aeff06
SHA1..: 75d908af7c525bc93ae76ac87ab4137fc45b7536
SHA256: 98fcc34aa501eb312ef2f184babbc0f93187029aebf34bfae78609015592ebac
SHA512: 41053a7bcd5743c843d2e35e6de61a67db4e768078d727a407b019ded2736b5f
fd3be09a2cf7f8986e613ca5c821b6284489e5b8e5dbbc1d79335f9deeb54f53
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401c55
timedatestamp.....: 0x46eb56e8 (Sat Sep 15 03:52:08 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xff2 0x1000 5.85 23b8725da11ab2d486f635b073a38860
.rdata 0x2000 0xd4c 0xe00 5.09 76e6a73f588cfca8e0f5378de04e0eb4
.data 0x3000 0x3b9 0x200 2.67 e368e4779ecb280c4a571b84736c1538
.rsrc 0x4000 0xfe60 0x10000 5.29 fb7eec872cf3ddd8b6162d865af0df15

( 6 imports )
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _setmbcp, memset, __CxxFrameHandler, strrchr, memcpy
> KERNEL32.dll: HeapFree, HeapAlloc, SetProcessWorkingSetSize, FreeLibrary, DeleteFileA, GetSystemDefaultLangID, LoadLibraryExA, GetProcAddress, GetShortPathNameA, GetEnvironmentVariableA, lstrcpyA, GetCurrentProcess, SetPriorityClass, GetCurrentThread, SetThreadPriority, SetProcessPriorityBoost, MoveFileExA, ReleaseMutex, CreateMutexA, GetLastError, CloseHandle, FindResourceA, SizeofResource, LoadResource, LockResource, GetModuleFileNameA, lstrcatA, CreateFileA, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, ExitProcess, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetProcessHeap
> USER32.dll: IsIconic, SetForegroundWindow, RegisterWindowMessageA, GetCursorPos, GetSubMenu, SendMessageA, MessageBoxA, GetDesktopWindow, LoadMenuA, EnableWindow, GetSystemMetrics, GetClientRect, DrawIcon, LoadImageA, KillTimer, SetTimer, ModifyMenuA
> SHELL32.dll: Shell_NotifyIconA, ShellExecuteExA, SHChangeNotify
> SHLWAPI.dll: PathRemoveFileSpecA

( 0 exports )​


Attached also are
1. Combofix Log
2. Kaspersky
3. Hijack log

~cheers!
 
Good work. How is your computer running now? Everything looks good from this end.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
-----------------------------------------------------------------------------------------------


I recommend you keep
1 anti virus program
1 firewall
Multiple Anti-Spyware (Spybot S&D and MBAM, will list more options below)
1 program to clean temp files (CCleaner or ATF cleaner)

  • See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
 
Hi Blind Dragon,

so far the pop ups are gone =)
i hope its for good too.

Will definitely follow your advise and step to further protect my pc.

Thanks loads!

~cheers!
 
No problem, glad I could help

If you run 1 Anti-virus, 1 firewall, and multiple anti-spyware you should be fine. And I also highly recommend cleaning temp folder with ATF or CCleaner

Regards,

BD
 
Experiencing same problem as the last post

I'm experiencing the same problem as the last post. I'm following your instructions and running the scan now. Can I provide you with the log and hopefully receive help/instructions through this?

I'm not sure how long the scan takes so I may re-address this in the morning when it's done.

Thanks in advance for any help you may have.
 
New and need help please... Blind Dragon

Blind Dragon,
I saw that you were able to help this person and I'm experiencing the same problem... hoping you can help. I ran the scan you recommend. Attached is my log.


Can you please help me proceed?

Thanks again in advance for your help.
 
Status
Not open for further replies.
Back