"Warning-message-desktop-wallpaper" spyware

Apart from the wallpaper changing to the link specified down below, symptoms include

a. Spyware trying to send several e-mails (hundreds at the same time). But Norton doesn't send them.
b. Not being able to change the desktop wallpaper from Display Settings -> Desktop.

So, I have followed the instructions given in the 8-steps article to get rid of the spyware.

I am not sure if the steps cleared my spyware. So, I am attaching my log files...

Please help me get rid of this Spyware.

Thanks in advance.

Wallpaper image looked exactly like the first picture posted on this web page.

www[dot]nuker[dot]com/hunterslog/20060228.php

So....please replace [dot] with dots.
 

Attachments

  • hijackthis.log (16.1 KB)
  • SUPERAntiSpyware Scan Log - 03-21-2009 - 10-27-06.log (1.5 KB)
  • mbam-log-2009-03-20 (00-58-57).txt (6.5 KB)
Let's see what we can do. To begin with, you have both Avira and Symantec (Norton) AV loading. I advise you to keep Avira, remove Norton:

Use Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

You have numerous infections in Temp files. Malwarebytes found some and removed them. SuperAntispyware found some and removed them. But some are still coming up in HijackThis:

Download ATF (Atribune Temp File) Cleaner© by Atribune HERE and save to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

When finished:
Download SDFix HERE and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here

Then update and run a new scan with HijackThis. Attach new log and SDFix Report.

Please resolve the 2 antivirus conflict BEFORE running the scans.
https://www.techspot.com/vb/topic115941.html
 
I will run the scan and will post you the logs.

Thanks.

Here are my logs after removing norton antivirus and running the SDFix.

Please let me know next steps.
 
Did you run the ATF (Atribune Temp File) Cleaner©? See Post #3

After that: Remove bad HijackThis entries
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if still present):
O4 - HKCU\..\Run: [qx82ztwdbl4jf] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\a9vq3amasou3.exe
O4 - HKCU\..\Run: [ljb0945le3us7h2t39gc] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\sjupos7o9x.exe
O4 - HKCU\..\Run: [kdzdvsshmyktdddfch588k5d2d6hj55] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\au331in82x.exe
O4 - HKCU\..\Run: [ut26e5xv8ch0q76n8bsnv906trgcwjjaai0si1h] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\us470fhv.exe
O4 - HKCU\..\Run: [e3r0c4wpfl1aj4gmvwmvzltr7y9m1jkmdfk2krr2w1qdnzi] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\dffswqf1c67q.exe
O4 - HKCU\..\Run: [l5ptpksl6vc0gsk34c5z0hftdyt8hogbxi] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\kemdfl9dsi.exe
O4 - HKCU\..\Run: [drol671jzk1bhu1r0x4rh] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\b4wcly0.exe
O4 - HKCU\..\Run: [gsnyfkahfky3ati5g63yyjcjumgfl3fvij0ls4yjk73kcb] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\azay3yld2xgaj.exe
O4 - HKCU\..\Run: [fxix5qu7omtn4r9evhcd90x9fibfzg8s7] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\jao7nd.exe
O4 - HKCU\..\Run: [ma25tfduxmexgi2svzz4kth] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\ytljo7.exe
O4 - HKCU\..\Run: [ekv6y44wkw7txz] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\fss472u4qelp.exe
O4 - HKCU\..\Run: [in9mwqvhqyyjl0yevm5pbyemr26sify] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\p9avv5yejsd24.exe
O4 - HKCU\..\Run: [q0ti7tgeucwax1r804wo3w] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\viz9ld.exe
O4 - HKCU\..\Run: [beq553hrtuz1p] C:\DOCUME~1\KIRANB~1\LOCALS~1\Temp\sl9d17ouzue5.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.


Run ComboFix:
Please download ComboFix. HERE

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Update and run new HijackThis log. Attach ComboFix Report and HJ log.

FYI: IBM had pre-loaded a large number of Lenovo and ThinkPad processes. You can review them in the HijackThis log. It would be in your best interest to search for each process and program, learn what it does, decide if you need/use it and if not, uninstall it.

In the mean time, if you would like to experience a brief burst of speed, do this:

Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK everything EXCEPT:
The processes for Avira
SynTPLpr.exe and SynTPEnh.exe (for your touchpad)
Then click on Apply> OK and Reboot

NOTE: when you reboot, you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Some of these processes may start again because they will need to be disabled in the program itself, but this should give you some idea what your system COULD be like without unnecessary startups running in the background.
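A defender's way to screen the O4 entries in a HijackThis log like the one above, added here as an example (it is not from this thread or from any of the tools named in it): it flags Run-key autoruns that execute from a Temp folder or carry a random-looking value name, the two traits every listed Temp entry shares. The sample lines are constructed, with the user folder replaced.

```python
import math
import re
from collections import Counter

# Constructed sample HijackThis lines (modelled on the entries in this
# thread, user folder replaced); not taken from the attached logs.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [qx82ztwdbl4jf] C:\DOCUME~1\USER~1\LOCALS~1\Temp\a9vq3amasou3.exe
O4 - HKCU\..\Run: [beq553hrtuz1p] C:\DOCUME~1\USER~1\LOCALS~1\Temp\sl9d17ouzue5.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
""".strip()

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

def shannon_entropy(s):
    """Bits per character; generated names score higher than real words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_random(name):
    """Heuristic for machine-generated value names such as qx82ztwdbl4jf."""
    return (len(name) >= 10
            and re.search(r"\d", name) is not None
            and re.search(r"[a-z]", name, re.IGNORECASE) is not None
            and shannon_entropy(name) >= 3.0)

def triage_o4(hjt_text):
    """Return flagged O4 autoruns as (value name, command, reasons)."""
    flagged = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # only O4 (Run key) entries are scored here
        reasons = []
        if TEMP_RE.search(m["cmd"]):
            reasons.append("runs from a Temp folder")
        if looks_random(m["name"]):
            reasons.append("random-looking value name")
        if reasons:
            flagged.append((m["name"], m["cmd"], reasons))
    return flagged

if __name__ == "__main__":
    for name, cmd, reasons in triage_o4(SAMPLE_HJT):
        print(f"[{name}] {cmd}\n    -> {', '.join(reasons)}")
```

Legitimate vendor autoruns such as the ThinkPad and Ad-Watch entries pass both checks, so the output is a shortlist to review, not a verdict.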
 
I really appreciate your help in giving detailed steps. Find logs in the attachments.

Thanks for the tips on disabling ThinkPad applications. It helped a lot. Let me know the next set of steps.

BTW, I forgot to answer this. I did run ATF and Report.txt is the log from that run.

Thanks.
 
Still exists:
c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe
You may need to run the removal tool once more (Bobbye linked above)

Also Malwarebytes has updated to a whole new version
Please open Malwarebytes, select the Update tab, and update it fully (which will automatically download and install the new Malwarebytes program right over the top of the old one)

Then once updated, also confirm Avira Antivirus is updated (I usually just right click on the Avira tray icon and select "Start Update").

Then run a full scan with Malwarebytes again (pretty certain there are still more infections to remove), with Avira by default also protecting.
Post back with the Malwarebytes log and a fresh HJT log :)

Edit:

Also, if you need to add any further info to a new reply, please use EDIT if yours is the last reply in the thread (presently not).
I have so far Merged 5 posts by you in this thread
 
Thanks for tips on disabling ThinkPad applications. It helped a lot.
23 of the "Running Processes" showing in the HijackThis log are from ThinkPad or Lenovo. Toshiba and Sony Vaio also pre-load a bunch of trash. Most people don't use many of those options and most users don't even know the processes are running or that most can be disabled! I used to think Dell was bad, until I began looking at the logs from the other manufacturers.

Here's just one example of the trash loading:
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
Name: EzEjMnAp
Filename: EzEjMnAp.exe
Command: C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
Description: For IBM Thinkpad Notebooks. Quote: "The IBM ThinkPad EasyEject Utility makes removing multiple devices from your computer faster and easier by enabling you to stop more than one device at once, rather than stopping each device individually". Available via Start -> Programs
File Location: C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

Good grief! No one needs a process like this starting at boot and running in the background! Even though they are legitimate programs and processes, few, if any, need to start on boot and run in the background.

I didn't catch this. Ad-Watch needs to be temporarily disabled during the scans, so do this before running the scans kimsland has suggested:
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
AD-AWARE AD-WATCH

* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)
Those TEMP files are finally gone but the following entry needs to be handled:
Active X entry: O16 in HJ log: Webex;
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T26L/webex/ieatgpc.cab

This has a CERT Security Advisory out on it. Follow the directions for disabling an Active X Object:
To begin: Open IE> Tools> Manage Add-ons> find the Webex entry and click to highlight> click on Disable. If you get an error message that will not allow you to do this, look on the Startup menu and if the process is checked to start on boot, uncheck it, then disable:

You will need to make sure though that it does not start when you boot, or it will not allow the uninstall:

Start> Run> type in 'msconfig' without the quotes> Selective Start-up> Startup tab> uncheck the process that is for this> Apply> OK.

Reboot> Close the nag message that comes up after checking 'don't show this message again'.
Disable the Active X entry, and I suggest you uninstall it also.
Now do the uninstall in the Control Panel> Add/Remove Programs.
If you're having trouble getting rid of Norton, check this:
It is scheduled to do system scans. You may need to stop this in order to fully uninstall:
Control Panel> Scheduled Tasks> Remove Norton if there.

Please tell us if the original problems have been resolved and if there are any new problems.