Help, spyware I think!

Ok, something happened and my desktop background has gone blue with some red writing. This is what it says in full:
"WARNING!

You're in Danger! Your Computer Is Infected With Spyware!

All you do with computer is stored forever in your hard disk. When you visit sites, send emails...all your actions are logged and it is impossible to remove them with standard tools. Your data is still available for forensics. And in some cases for your boss, your friends, your wife, your children.

Every site you or somebody or even something, like spyware, opened in your browsers, with all images, and all downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could break your life!

Secure Yourself Right Now! Remove All Spyware From Your PC!"


What do I do? Can't seem to open the internet or even the Windows Task Manager either? Help! I am using a different PC now.

Comments

  • DCFC79
    DCFC79 Posts: 40,622 Forumite
    I'd download SuperAntiSpyware and run that on the infected machine, but you will have to download it on the clean machine and stick it on a USB drive.
  • superstar_2
    superstar_2 Posts: 2,104 Forumite
    DCFC79 wrote: »
    I'd download SuperAntiSpyware and run that on the infected machine, but you will have to download it on the clean machine and stick it on a USB drive.

    My Firefox isn't working on that machine, so would you suggest me getting a pendrive to do this?
  • Yes, that would help. I would also download the following and run that too.

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
  • superstar_2
    superstar_2 Posts: 2,104 Forumite
    Thanks reluctant spender. It seems to have infected my whole laptop such that I can't access the Internet. So, shall I get a pendrive and save it as an .exe file, transfer and do the deed?
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Yes, transfer it over that way.
    Ex forum ambassador

    Long term forum member
  • superstar_2
    superstar_2 Posts: 2,104 Forumite
    Need to buy a new pendrive for that. Is 2GB big enough for one time use?
  • Browntoa
    Browntoa Posts: 49,592 Forumite
    Can't you burn it to CD on the PC you are using?

    if using a CD then also put this on it

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    as I think we may need it ;)
    Ex forum ambassador

    Long term forum member
  • I would go with the CD option; as we don't know the infection, the last thing you want to do is infect the clean computer too.
  • superstar_2
    superstar_2 Posts: 2,104 Forumite
    I have downloaded both and run them. Ran SuperAntiSpyware twice and it came up with 140+ and 160+ infections. Deleted them all.

    Just ran Malwarebytes and there were 90+ that were removed. I have copied and pasted the log below. What else should I do now?

    *************
    Malwarebytes' Anti-Malware 1.40
    Database version: 2624
    Windows 5.1.2600 Service Pack 2

    14/08/2009 18:39:57
    mbam-log-2009-08-14 (18-39-57).txt

    Scan type: Quick Scan
    Objects scanned: 95155
    Time elapsed: 10 minute(s), 16 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 22
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 3
    Files Infected: 27

    Memory Processes Infected:
    C:\Documents and Settings\Owner\Local Settings\Temp\b.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d7b5394e-d013-3545-35d0-45376236a8dc} (Backdoor..Bifrose) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\av care (Rogue.AVCare) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\AV Care (Rogue..AVCare) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Start Menu\Programs\AV Care (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\17291874 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Owner\Local Settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACbqqlkfquji.dll (Rogue.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACchxdikpmbi..dll (Rogue.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACjwahqamprh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACsnbmsxxokr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACyblhahhxor.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\UACyfvaswuxdu.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\B9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\rasvsnet.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\Program Files\AV Care\avc..ico (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Program Files\AV Care\AVCare.dat (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Program Files\AV Care\AVCare.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Program Files\AV Care\AVCare.ini (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Program Files\AV Care\Uninstall.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Start Menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Microsoft\SystemBackup\browserui.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\main\browserui.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\addho.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\crqh32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mshtmllib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACqpuhovbomc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\UACynkvwwkntf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    *****************

    What should I do next? Is it safe now?
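As an added illustration (an editor's example, not code from any poster in this thread or from Malwarebytes): a small Python parser for the MBAM 1.x log format shown in the post above. Its sample input is a constructed subset of the log lines posted there, and it pulls out the findings that most change what to do next: the kernel driver (the Trojan.TDSS .sys file, a rootkit component that calls for a reboot and a full rescan), the extra executable chained into Winlogon\Userinit so it runs at every logon, and the Security Center setting the malware changed. The function and field names are the example's own assumptions, not MBAM's.

```python
"""Parse an MBAM 1.x scan log and pull out the findings worth acting on."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the lines from the log posted above,
# kept verbatim so the parser is exercised on the real MBAM 1.40 format.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2624
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 95155

Memory Processes Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\b.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\UACyfvaswuxdu.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACjwahqamprh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\AV Care\AVCare.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
# "<item> (<family>) -> <rest>"; the item is matched non-greedily so the
# "(Userinit.exe)" inside a Bad/Good pair is never taken for the family.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
# Registry Data Items carry the observed and expected values before the action.
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


@dataclass
class Entry:
    section: str                # e.g. "Files", "Registry Data Items"
    item: str                   # file path or registry key/value
    family: str                 # MBAM detection name, e.g. "Trojan.TDSS"
    action: str                 # what MBAM did with it
    bad: Optional[str] = None   # observed value (Registry Data Items only)
    good: Optional[str] = None  # expected value (Registry Data Items only)


def parse_mbam_log(text: str) -> list[Entry]:
    """Walk the log line by line, tracking the current "... Infected:" section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # header lines and "(No malicious items detected)"
        bad = good = None
        action = m.group("rest")
        d = DATA_RE.match(action)
        if d:
            bad, good, action = d.group("bad"), d.group("good"), d.group("action")
        entries.append(Entry(section, m.group("item"), m.group("family"), action, bad, good))
    return entries


def family_counts(entries: list[Entry]) -> Counter:
    """How many items each detection family accounted for."""
    return Counter(e.family for e in entries)


def _extra_values(bad: str, good: str) -> list[str]:
    """Values in the observed list that are absent from the expected one.

    Comma-separated lists (as in Userinit) are compared by basename, case-
    insensitively, because MBAM reports the expected value without a path.
    """
    def basename(p: str) -> str:
        return p.rsplit("\\", 1)[-1].lower()
    expected = {basename(g) for g in good.split(",") if g}
    return [b for b in bad.split(",") if b and basename(b) not in expected]


def triage(entries: list[Entry]) -> dict:
    """Findings that change the next step: kernel drivers (rootkit components,
    so reboot and run a full scan), extra executables chained into
    Winlogon\\Userinit (run at every logon), and other changed settings."""
    findings = {"kernel_drivers": [], "userinit_extras": [], "setting_changes": []}
    for e in entries:
        if e.item.lower().endswith(".sys"):
            findings["kernel_drivers"].append(e.item)
        if e.bad is None:
            continue
        if e.item.lower().endswith("\\winlogon\\userinit"):
            findings["userinit_extras"].extend(_extra_values(e.bad, e.good))
        else:
            findings["setting_changes"].append((e.item.rsplit("\\", 1)[-1], e.good, e.bad))
    return findings


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} items, by family: {dict(family_counts(found))}")
    for key, vals in triage(found).items():
        print(f"{key}: {vals}")
```

Run it on a saved mbam-log-*.txt by passing the file contents to parse_mbam_log; the triage output is the part to read first, since a surviving .sys driver or an extra Userinit entry means the cleanup is not finished regardless of how many items were quarantined.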
  • GunJack
    GunJack Posts: 11,806 Forumite
    edited 14 August 2009 at 11:07PM
    Depends... do you still have the fake warning showing on your desktop? Can you access the 'net again?

    If you can access the net, you desperately need to update both MBAM and SAS and run FULL scans again, then get CCleaner from filehippo.com (install, update and do both the Registry clean and the normal clean), and also HijackThis from FileHippo; run a scan and post the log up on here. DO NOT TRY AND FIX ANYTHING IN HJT WITHOUT ADVICE, and we'll take it from there...

    If you're still having trouble accessing the net, then restart the PC in Safe Mode With Networking (keep tapping F8 as soon as you turn on the PC) and do the above.
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
This discussion has been closed.