Spyware Infection Has Detected!

[Hijacked007]

Hi, and thank you for this forum.

I believe the CMD.exe is infected in addition to registries and other hidden malware.

I had installed a Guild Wars set of three files I had downloaded from some website of ill-repute. They were named Guild Wars.exe, Patch.exe, and Crack.exe. The URL I found these files at were from http://www.freeserials.ws/?q=Guild Wars Keygen

I wanted to see what they do. Then the Icon with the White X and Red Shield popped up stating that Spyware Infection Has Detected!, bad grammar so I was curious, clicked it and it started to scan and install something, and then I saw DOS mode and CMD.exe being altered.

I get the various pop-ups when I went through the website here to initiate the Removal steps outlined on this forum.

I use Ad-Aware SE Personal and Trend Micro 14 Anti-virus. But these did not remove the problem with some Spyware. I am glad I got this noticeable spyware because I found other unwanted programs using detection by the Hijackthis 2.0, Combofix, Spybotsd14, CCsetup138, and Smitfraudfix.

I get popup ads from broadcaster.com, it's a wanna-be YouTube site.

AVG Spyware is running while I post this. I'll attach the AVG Spyware Log when it is done in addition to any other additional information you request.

Thanks.

 

[TimeParadoX]

I had installed a Guild Wars set of three files I had downloaded from some website of ill-repute. They were named Guild Wars.exe, Patch.exe, and Crack.exe

Well... That's why you dont install Cracked / Hacked versions of games ( Unless you know a good site :haha: )

Too bad I dont know how to read HJT logs, howard_hops will read it though

 

[howard_hopkinso]

Hello and welcome to Techspot.

Your system is badly infected with malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Make sure you rename HijackThis to Analayze.exe.

Regards Howard :wave: :wave:

This thread is for the use of Hijacked007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Hijacked007]

Well... That's why you dont install Cracked / Hacked versions of games ( Unless you know a good site :haha: )

Too bad I dont know how to read HJT logs, howard_hops will read it though

I knew the crack downloads had unwanted programs in there. I don't even play Guild Wars.

I can always do a fresh reformat and reinstall the OS since I don't have any important files. Quick and easy way to solve this dilemma.

What I wanted to find out was how things work. So I have a library of hardware and software programming books I got for Christmas. It is a learning process and I wanted to have my hard drive infected because I already know how to fix it by reformating since I do a daily backup of important files for work.

Anyway, I would appreciate it if Geniuses like you STFU if you do not know jack.

It is here for the pros to look at, not some opinionated simpleton who has nothing better to do than flame people who want to learn programming software and hardware.

The AVG Anti-Rootkit Beta does not reveal anything. Zero rootkits.

Here is the AVG Spyware Log. Thanks. If there is anything else you require to help us learn more about these unwanted programs, please feel free to let me know, Mr. Howard Hopkins. Thanks, again.

My computer is spywareless for now. The systematic approach to purging the Spyware popup is extremely useful.

But they'll be back eventually.

Thanks to your system. It works. I'll be seeing your sales pitch on those Television Commercials soon. Everyone needs this service.

Only way to get people to buy your system, should you decide to market this, is to make it simplified, doing less work and less wait time.

People are lazy. They do not want to spend hours researching, and taking the required steps to clean crap out of their Hard Drive.

If it's money that you want, then that's my input after testing your Anti-Spyware Systematic Method.

Thanks again.

 

[howard_hopkinso]

Pleae post the requesed logfiles, then I can check to see f your system is clean.

Regards Howard

This thread is for the use of Hijacked007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Hijacked007]

Thanks

My Anti-Virus deleted the Combofix log and interrupted a part of the Combofix scan.

Here the HJT and AVG logs.

Combo is running again.

 

[howard_hopkinso]

I really need to see a Combofix log. Temporarily disable your antivirus programme, run Combofix and post the log. Re-enable your antivirus programme.

Regards Howard

This thread is for the use of Hijacked007 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Hijacked007]

Ok hope this helps. THanks. I attached the requested file, Combo, and added some Vundofix and Yserver


It took a while to send the Combofix because the protocols you prescribed removed the unwanted program that infected my system.

So far no problems with my computer except an occasional reboot or could be what used to be a bluescreen protection protocol built into the Windows XP.


scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-25 20:54:45
C:\ComboFix-quarantined-files.txt ... 07-05-25 20:54

 

[Hijacked007]

New Computer System Built

At first, I had to install the Windows XP OS to get it to boot the Windows. I had thought I had to do something fancy. It seems that there is one particular program that crashes and reboots. But that is no surprise because initially, the system crashes and reboots by itself when it was first built fresh with Intel Core 2 Quad, 2048 mb ram, but I plan to maximize it to 32 gig ram eventually when there is an 8 gig stick available.

Since I am new to PC building, I think I am getting the hang of it since it is reasonable to configure the BIOS and CMOS just by reading the Motherboard documentation provided.

Now I have been testing it out, clicking all kinds of URLs that are inappropriate according to my Firewall, Antispyware, and Antivirus softwares.

The Problem: I am including a new combofix document for your perusal. My new PC does not crash and reboot as much as it use to. Maybe because I used the abundant software that is available at your excellent site. Seldomly do I get a popup, but I just got a popup when I uploaded the 2 Combofix attachments to your forum just now.

Thanks.

 

[momok]

Hi,

I notice it has been sometime since you last replied. Therefore I require you to do the preliminary scans and other instructions again.

Very Important: Malware infections can possibly lead to identity theft, loss of funds from bank accounts, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

For Step 12 regarding ComboFix, please do the following instead.

Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Continue with the rest of the steps as given.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs if not it will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of Hijacked007 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Hijacked007]

Fixed

The Trend Micro online scanner/remover works really well to remove the Smitfraud-C.toolbar888

No crashes and popups anymore.

 

[momok]

Hi,

Please continue with the remaining steps and post all required logs. I am quite sure your system will not be fully clean with just a simple scan from the online scanner.


Regards,
Your friendly momok =)

This thread is for the use of Hijacked007 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Hijacked007]

Thank you, momok

Here are the requested files. Thanks again, momok.

 

[momok]

Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "CFScript.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE

1. Go to start > run and type msconfig. Press the enter key.
   Search for the following services and disable them by unchecking the box beside them. Click ok but do not restart yet.
   
   icq.com
   
   
2. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
   
   R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
   O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
   O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\wbddtoxn.dll
   O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\vkjojymc.dll",forkonce
   
   Close HJT.
   
   
3. Please check your system for these following folders and let me know if you had installed/created them. If not, please delete them.
   C:\Program Files\DV 4100M
   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Anti Bias Scr Bike
   C:\DOCUME~1\YINYAN~1\APPLIC~1\multi else sign
   
   
4. Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to Combofix.exe and release.
   
   
   
   
   
   This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.
   
   
5. Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of Hijacked007 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[BlackScarlet]

Yes, that is malware.
(Even though this point may seem random, just in random passing I thought I'd mention it: the best thing to do in all situations is if something is warning you of spyware, and it isnt a program you installed, or if something is offering you an URGENT and FREE scan then say eff you to it.)
Do you have anything such as Avg Anti-Spyware, Spybot S&D, or CounterSpy? These are all good programs, as well as OutPost Firewall, which keeps a tight eye on the things coming and going from your network. Although I usually am very stuck to AVG antispyware 7.5, I discovered Counterspy, which in addiction to scanning also monitors execution of potentially harmful programs.
Spybot also monitors changes in the registry as well as scanning.


Files in quarantine are safe and cannot harm your computer.
Also, don't be afraid to try and manually delete malware if your scanner is having a hard time with it, to see firsthand what error messages you might get, which give a very good indication of why it can't be deleted, at that time. If your scanner gives you the exact file and path, to the system file or registry key, then you needn't worry about ****ing anything up by deleting something you shouldnt have, because you will only be deleting that malware file or folder.

After you install one or more of these programs (spybot can be used with any other scanning software, but using more than one antivirus at a time could cause conflicts) get all updates, then restart your pc in safe mode, and do a huge scan. Make sure you disconnect your internet while you do this, because some malware can contact its server to say 'hey, im being deleted, replace me'.
The reason why you want to go into safe mode is because in normal startup certain malware cannot be removed because they are constantly 'in use' by some unknown source. In safe mode the system is loaded with minimal drivers and no startup programs, etc, which almost guarantees the file will not be in use.





Let me know how that goes. =)


~BlackScarletLove~

 

[momok]

Hi,

BlackScarlet: Right now we are in the midst of the cleaning instructions. Please refrain from adding such posts as it may confuse the reader who needs our help. Your advice is certainly useful; however, our stickies have similar advice. The reason the user has posted is to request for further help to do a more thorough cleaning - which is what we are here to do.

Do read our stickies especially the Read before deciding... Cleaning or Formatting and our Viruses/Spyware/Malware, preliminary removal instructions threads. Right now, our forums could do with more log readers, so you may wish to contribute in that area.


Regards,
Your friendly momok =)

This thread is for the use of Hijacked007 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.