Warning: spyware detected on your pc

Status
Not open for further replies.

Heidic4u

Hello, I am new to posting. I got this message shortly after downloading an infected file. Warning: Spyware has been detected on your PC. It has hijacked my desktop background. I've tried Adaware and Spybot search & destroy but nothing works. Also, there are popups warning me of an internet threat or some other problem. Also, it seems to have only affected one user account on my pc, not both. I appreciate any help that someone can give me. Thanks!
 
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log to your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file to your desktop from either of the two below listed places :

    HERE or HERE
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
I attached my log file for malwarebytes. I wasn't able to install combofix for some reason. The program kept hanging shortly after double clicking on it. I never even got any prompts from it. I thought it might have been my spybot program that was running and popping up windows during the installation so I disabled it but the same thing kept happening.
 
Disable any realtime monitoring programs, disconnect from the internet, close down your antivirus.

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Attach the main.txt and the extra.txt in your reply.
 
Blooming heck there was a lot in there!

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {EF64D236-E9D7-4FE1-8F6A-76D63C13FD54} - (no file)
O4 - HKLM\..\Run: [0878296a] rundll32.exe "C:\WINDOWS\system32\vkksccqw.dll",b
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Ricochet%20Recharged/Images/stg_drm.ocx
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {49E67060-2C0D-415E-94C7-52A49F73B2F1} (CPlayFirstPiratePoppersControl Object) - http://www.gamefiesta.com/webgames/******-Poppers/PiratePoppers.1.0.0.32.cab
O20 - Winlogon Notify: iifcbyVm - iifcbyVm.dll (file missing)
O21 - SSODL: RamAlrt - {7c2eab23-723c-4f4e-b5ba-d6bac3e73ee7} - (no file)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\Common Files\BOONTY Shared\
    C:\WINDOWS\system32\vkksccqw.dll
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\a.bat
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\taack.dat
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\medup020.dll
    C:\WINDOWS\system32\medup012.dll
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\h@tkeysh@@k.dll
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\msvchost.exe
    C:\Documents and Settings\Lake\Desktop\filemanagerclient.exe
    C:\WINDOWS\system32\thun32.dll
    C:\WINDOWS\system32\thun.dll
    C:\WINDOWS\system32\Rundl1.exe
    C:\Documents and Settings\Lake\Desktop\FWebdEditor.exe
    C:\Documents and Settings\Lake\Desktop\fwebd.exe
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\emesx.dll
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\bdn.com
    C:\WINDOWS\system32\awtoolb.dll
    C:\WINDOWS\system32\vbsys2.dll
    C:\Documents and Settings\All Users\Application Data\toluhedu
    C:\WINDOWS\system32\2A52BD
    C:\WINDOWS\system32\iifcbyVm.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\0878296a
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbyVm\\iifcbyVm.dll
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.
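The HijackThis entries ticked above share a few tell-tale shapes: a BHO, SSODL or Winlogon Notify entry that ends in "(no file)" or "(file missing)", and a Run value with a random hex name that loads a system32 DLL through rundll32. The script below is an added example, not part of this thread or of HijackThis, that encodes those heuristics and runs them over a constructed log; the "Example" lines are invented benign entries, and the regexes assume the usual "Oxx - body" line layout.

```python
import re

# Constructed HijackThis-style log, modelled on the entry types ticked in this
# thread (O2/O4/O20/O21/O23); the "Example" lines are invented benign entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {EF64D236-E9D7-4FE1-8F6A-76D63C13FD54} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [0878296a] rundll32.exe "C:\WINDOWS\system32\vkksccqw.dll",b
O4 - HKCU\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O20 - Winlogon Notify: iifcbyVm - iifcbyVm.dll (file missing)
O21 - SSODL: RamAlrt - {7c2eab23-723c-4f4e-b5ba-d6bac3e73ee7} - (no file)
O23 - Service: Example Service - EXSVC - C:\Program Files\Example\exsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")                       # "O4 - body"
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")      # dangling reference
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[([^\]]+)\] (.*)$")
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$")                  # e.g. 0878296a
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)

def parse_line(line):
    """Split one HijackThis entry into its section code (O2, O4, ...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage_entry(section, body):
    """Return the list of reasons an entry deserves a closer look (empty = none)."""
    reasons = []
    if ORPHAN_RE.search(body):
        reasons.append("orphaned entry: points at a file that no longer exists")
    if section == "O4":
        m = RUN_RE.match(body)
        if m and RANDOM_NAME_RE.match(m.group(1)):
            reasons.append(f"Run value '{m.group(1)}' has a random-looking name")
        dll = RUNDLL_RE.search(body)
        if dll:
            reasons.append(f"rundll32 loads {dll.group(1)}: verify the DLL's publisher")
    if section == "O20" and not reasons:   # HJT only lists non-default Notify DLLs
        reasons.append("non-standard Winlogon Notify DLL: confirm it belongs to installed software")
    return reasons

def triage(log_text):
    """Run the rules over a whole log; returns (section, body, reasons) for flagged entries."""
    flagged = []
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        reasons = triage_entry(*parsed)
        if reasons:
            flagged.append((*parsed, reasons))
    return flagged
```

Calling triage(SAMPLE_LOG) flags the four malicious-looking lines and leaves the three "Example" entries alone; the hits are a shortlist for review, not a verdict.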
 
That worked nicely, can you run another HijackThis scan for me please?

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky; click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise use Standard)
    • Scan Options: Scan Archives and Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [screenshot: Kas-SaveReport-1.gif]

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    [screenshot: Kas-Savetxt.gif]

  • Include the report in your next post.
 
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine<=======Delete the contents of this folder
C:\Documents and Settings\All Users\Documents\SOFTWARE SHORTCUTS\CODES\PALM\_PDA__Palm_OS_Software_Over_100_Programs.zip<======Delete this file
C:\Documents and Settings\All Users\Documents\SOFTWARE SHORTCUTS\nero\nero 8\Nero-8.2.8.0_eng_trial.exe<======Delete this file
C:\Documents and Settings\All Users\Documents\SOFTWARE SHORTCUTS\nero 8.rar <======Delete this file
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5<=======Delete the contents of this folder
C:\Documents and Settings\Lake\Local Settings\Temp\NERO14399\Toolbar.exe <======Delete this file
C:\Downloads\AmpedFreestyleSnowboardingP-dm[1].exe<======Delete this file
C:\Downloads\BackyardBasketball-dm[1].exe<======Delete this file
C:\Downloads\CodesCheatsSpring2007PrimaO-dm[1].exe<======Delete this file
C:\Downloads\DraculaTwinsSetup-dm[1].exe<======Delete this file
C:\Downloads\RobotArena-dm[1].exe<======Delete this file
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe/data0004<======Delete this file
C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe<======Delete this file
C:\Program Files\Online Services\Vonage\Xtras\regxtra121.x32<======Delete this file
C:\Program Files\SpongeBob SquarePants Diner Dash 2\sdszpkb.exe<======Delete this file
D:\I386\APPS\APP25742\src\CompaqPresario_Spring06.exe<======Delete this file
D:\I386\APPS\APP25742\src\HPPavillion_Spring06.exe<======Delete this file
G:\Downloads\setup_ares.exe/data0020<======Delete this folder
G:\Downloads\setup_ares.exe/data0021<======Delete this folder
 
Kritius, I just want to thank you for taking the time to help me. My computer seems to be working better now. I no longer have the issue I did when I started this post. Thank you so much!!!
 