Serious Virus on My Hands

Status
Not open for further replies.

nothing123

Posts: 13   +0
Hi everyone,

This is going to sound a little urgent but bear with me. About a day ago, a virus completely took over my computer. Here are the symptoms:

- Changes desktop background every time I restart computer and log on to Windows to "Warning! Spyware detected on your computer! Install antivirus or spyware remover to clean your computer". I am unable to change it by simply right-clicking the desktop because they have removed the tab with that option. I can go to a picture and set it as the background but again, it will get changed upon the next time I start Windows.
- Upon logging into Windows, a pop-up is there asking me to agree to some AntiVirus program installation. In my task manager, when I end the process called tmp59.tmp.exe (I think), the pop-up goes away.
- When I try to conduct a Google search, all the 'hit' links redirect me to some unrelated site which usually have to do with spyware.
- I can't load G-mail and several other sites properly.
- I tried running an Ad-Aware scan but get an error. However, with the Internet disabled it works. The scan did not correct the problem unfortunately.
- My computer periodically freezes; it's basically unusable.
- It also occasionally freezes up at the log-in screen to Windows (after I put in my password).

Now, I hope this is all one virus because all this together started occurring at the same time.

I've attached a HJT log I ran when the problems first started occurring. I hate to sound selfish, but I really need my computer back within the next couple days. I have a major standardized test coming up very soon.

Thanks so much for any help.
 
In order to clean your system, you need to run the current version of HijackThis and the additional programs suggested. You have run an old version and do not have logs for the additional programs. See this:

New malware cleaning instructions from TechSpot: https://www.techspot.com/vb/post645589-1.html

The above will point you to the correct version. You must also run SuperAntispyware. The games you have on your system produce an abundance of Tracking Cookies. Once the scans are completed and the logs are attached, you will be assisted.
 
The only way that you are going to be able to rid this problem of yours for good is to do a system wipe. I suggest you backup the files you NEED to a CD or Flash Drive. Don't backup any system files because you don't know which ones are infected, same for programs. Once that is done you must reinstall your OS with the disk that came with your computer. When your OS is reinstalled your virus problem will be gone. (Be sure to hit format to NTFS filesystem, NOT format to NTFS filesystem QUICK. Doing it quick will not rid you of your problem.)
 
Oh boy, that's not good. At any rate, I'm currently performing the Superantispyware scan and have downloaded the updated HJT and will post the corresponding logs when I'm done. If it shows definitively that I need to reinstall the OS, then I will do so.
 
A little update, last time I restarted my computer, the desktop background did not change so that's a good sign. However, the other problems are still persistent. Any advice?
 
You're going to have to follow the full cleaning instructions here:
https://www.techspot.com/vb/post645589-1.html

Have SuperAntispyware remove ALL of those Tracking Cookies! I can tell anyone who has a lot of games on their system just by looking at the Tracking Cookies.

Open IE> Internet Options> Privacy tab> Advanced> check to Accept first party Cookies, BLOCK third party Cookies.

Your Java is way behind. Download to the current version, v6u7 here:
https://www.techspot.com/downloads/6463-java-se.html

Go into the Control Panel> Add/Remove Programs and uninstall ALL earlier versions of Java.

DO NOT use System Restore. The restore points are infected. When the cleaning is finished, you will drop off the old restore points.

Then go and run scans with all the recommended programs and attach the logs for review. You have numerous entries needing removal.
 
I have followed your instructions and have some good news to report! The changing desktop background seems to have disappeared for good. There is no longer a pop-up when I restart Windows asking me to install the antivirus software. My google searches are working again and the sites that previously did not load are loading fine now. I've attached the corresponding logs for you to view. This is great news and I'd like to thank you so much for your help so far.

P.S. how do I remove old system restore points...?
 
To delete the system restore points you will have to:

Go to start, right click My Computer, click Properties, then click 'System Restore'
Check the 'Turn off system restore' or 'Turn off system restore on all drives'
Now click apply and it should give you a message "blahblah all points will be deleted"

Doing this will delete all existing restore points so click Yes and then OK


If you want you will then need to enable the system restore again since your virus problem is gone. To do this, you have to go to:
Start
Right click My Computer>then Properties
Click the 'System Restore' tab
Uncheck 'turn off system restore' or 'turn off system restore on all drives'
Click Apply, and then OK

You are good to go.
 
Clear system restore points

  • Clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
Did you note what mbam had handled in the log? No wonder the system is better. We can clean up a few things though- they're not malware, but most are being loaded either from Startup or the Registry when you boot. That means you'll 'carry' them around:

Reopen HijackThis and check the following:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

Check Fix and reboot into Safe Mode:

Make sure the following Services are set to Manual. They do not need to be on Automatic:
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Open the following programs and uncheck the auto-update function:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
Go to Start> Run> type in 'msconfig' without the quotes>enter> Selective Startup> Startup tab> UNCHECK everything except the antivirus program, firewall, touchpad if laptop and the network processes> OK> Reboot into Normal Mode.
Close the nag message that comes up after checking 'don't show this message again'. Stay in Selective Startup.

What you did above does not mean you can't use the programs or apps. When you need them, call them up- don't drag them around just because they are on Startup. I think this will show you increased speed.

You need to control the Tracking Cookies. As long as you have the games, you're going to keep getting them-unless you change this setting:
Open IE> Internet Options> Privacy tab> Advanced> Check 'accept first party Cookies' and check 'BLOCK' for third party. Check 'allow per session'> Apply> OK.

Let me know how it goes.
 
Unfortunately, I did not know I was supposed to note something about the mbam log so I don't have that. I fixed everything you said to check but had some problems with the further instructions. How do I change the three Services you listed from automatic to manual? The two .exe programs also did not do anything when I opened them. I have made the Cookie changes to my IE but I am curious as to what you mean by 'games'. I don't think I have played any type of computer game in over a couple years.

Anyways, looking forward to your reply!
 
Make sure the following Services are set to Manual. They do not need to be on Automatic:

Start-->Run--> Services.msc

Also games
I think that refers to PartyPoker (in your log)
 
Games:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

After you access the Services, scroll down to each of three Services and right click> Properties> the Startup box should be changed to Manual. You can stop the Service also. It will start when or if needed.

The Tracking Cookies were reflected in the SuperAntispyware logs. The first log had almost 150 and the second log, only 3. I notice those with the games on their systems appear to get numerous Tracking Cookies. Of the games above, Party Poker is the most likely to drop the most, and consistently.

What are you referring to here:
The two .exe programs also did not do anything when I opened them
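As an added example (not something posted in this thread), the following read-only Windows PowerShell script lists the same autostart locations that HijackThis reports as O4 lines, plus the StartMode of the three O23 services named above, so the output can be compared line by line against the HJT log before anything is fixed in HJT or set to Manual in Services.msc. It assumes Windows PowerShell 3 or later; the service names are taken from the log lines quoted in the post.

```powershell
# Added example, not from the thread: read-only audit of HJT-style O4 autostart entries
# and the startup mode of the O23 services named in the log. Nothing is modified.
$runKeys = @(
    @{ Label = 'HKLM\..\Run'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Label = 'HKCU\..\Run'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
)

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key.Path)) { continue }
        # Get-ItemProperty adds PS* metadata members; only the real value names are wanted
        $props = (Get-ItemProperty -Path $key.Path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            [pscustomobject]@{ Location = $key.Label; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders; HJT labels the all-users one "Global Startup"
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        @{ Label = 'Startup';        Path = [Environment]::GetFolderPath('Startup') },
        @{ Label = 'Global Startup'; Path = [Environment]::GetFolderPath('CommonStartup') }
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f.Path)) { continue }
        foreach ($file in Get-ChildItem -Path $f.Path -File) {
            $target = $file.FullName
            # Resolve .lnk shortcuts to the executable they launch, as HJT shows it
            if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
            [pscustomobject]@{ Location = $f.Label; Name = $file.Name; Command = $target }
        }
    }
}

# Print in the same layout as the HJT O4 lines quoted in the thread
foreach ($e in @(Get-RunEntries) + @(Get-StartupFolderEntries)) {
    "O4 - $($e.Location): [$($e.Name)] $($e.Command)"
}

# The three O23 services from the log; Automatic vs Manual is what Services.msc is used to change
$services = 'DSBrokerService', 'sprtsvc_dellsupportcenter', 'StarWindService'
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $services -contains $_.Name } |
    ForEach-Object { "O23 - Service: $($_.Name) - StartMode=$($_.StartMode) - $($_.PathName)" }
```

Running it again after the HJT fix and the Services.msc change shows whether the O4 lines are gone and the StartMode column reads Manual.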
 

Should I fix these then?

After you access the Services, scroll down to each of three Services and right click> Properties> the Startup box should be changed to Manual. You can stop the Service also. It will start when or if needed.:

Done, thank you.

The Tracking Cookies were reflected in the SuperAntispyware logs. The first log had almost 150 and the second log, only 3. I notice those with the games on their systems appears to get numerous Tracking Cookies. Of the games above, Party Poker is the most likely to drop the most-and consistently.:

What are you referring to here:

I was talking about the two items in Program Files.

Also, when I went into msconfig and sorted the programs on startup, I think I disabled the arrow key functions on my laptop touchpad (i.e. not the movement of the mouse but the scrolling of pages up and down). Do you happen to know which process this is?
 
UNCHECK everything except the antivirus program, firewall, touchpad if laptop and the network processes

The Dell touchpad process should show as "Apoint". That needs to be left checked. To check the settings:
Control Panel> Mouse> Touchpad tab> adjust the settings for your own touch> Gestures tab> CHECK 'use scroll function'> Apply> OK.

I don't think I have played any type of computer game in over a couple years.
Remove all the game entries. And you may find this: C:\Program Files\PartyGaming\PartyPoker which needs to be uninstalled.

I was talking about the two items in Program Files.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
Control Panel> Java> Update tab> UNCHECK 'check for updates automatically'> Say Yes to confirm> Real Player> Update tab> UNCHECK 'check for updates automatically'> say Yes to confirm> Apply> OK

This may sound like extra work for you and in a way it is. But it will result in improved performance and that is something we all want!
 
Hi all,

I got everything fixed that I needed and wanted to thank all of you again for all your help, very much appreciated. I'll definitely be recommending and coming back to this site in the future but hopefully not too soon!

Thanks again.
 
You're welcome. It's like the TV repair person or the plumber- their help is needed, but you don't want to 'need' them often!
 