
Author Topic: Bugs eating background, background changed to blue with spyware warning ...  (Read 39043 times)


ComputerTired

    Topic Starter


    Beginner

    Alright, I have a problem with a spyware infection. My screensaver seemed to change itself from the regular Windows XP sign floating around to some random bug screensaver where bugs munch on my background, and where they munch on, it turns blue.

    Also, when that happens, my background COMPLETELY changes to blue, with a warning sign in the middle that is blue and yellow. It says: "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer."

    Another thing is this annoying balloon/bubble [I believe that's what they're called] that always pops up every 2 seconds on my tray on the bottom right of the screen with the yellow warning sign with the black exclamation mark in the middle. That says: "Your computer is infected! Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware." I haven't purposefully clicked on the balloon, because I'm aware that it's a bogus warning that only wants me to click it to further damage my computer. However, I've accidentally clicked on it a couple times because it pops up every couple seconds and is in the way of my entire screen. When I clicked on it, it automatically downloaded this thing called INSTALLER. I would immediately then go to that program and uninstall it from my computer.

    I've searched the internet for ways to remove these problems, and I found a site that said to download Malwarebytes' Anti-Malware. I did, and it seemed to be a total success. The bugs went away, the yellow and blue warning went away, and the balloon from the system tray went away. However, after two days, it would always come back.

    Please help. I'll be back later with screen shots.

    =)

    ComputerTired

      Topic Starter


      Beginner

      Here's the screenshot of blue background with warning and balloon on system tray with warning.


      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Start here > http://www.computerhope.com/forum/index.php/topic,46313.0.html

      We need all of the logs to see what's going on.

      ComputerTired

        Topic Starter


        Beginner

        When I try to go here ---> http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx to download it, the page won't display.

        evilfantasy

        Are you sure you don't have SP1?

        ComputerTired

          Topic Starter


          Beginner

          =(

          I'm not even sure what it is.

          evilfantasy

          Just scroll down to the removal tools and get the logs needed.

          ComputerTired

            Topic Starter


            Beginner

            Alright, I did the CCleaner, and downloaded the SUPERAntiSpyware Free Edition program. During that scan, my computer had blanked out and went into this blue screen with white lettering. The first line said "A problem has been detected and Windows has been shut down to prevent damage to your computer."

            I'll re-do the scan. It went as far as 2 hours and so far, I remember it said it detected 351 items.

            Re-doing scan now. Logs will be up when I finish all the steps.

            =)

            ComputerTired

              Topic Starter


              Beginner

              Here are the three log files.

              With the SUPERAntiSpyware program, when I was restarting the computer to finish the clean-up process, the reboot process had frozen, so I waited about ten minutes. Nothing happened, so I turned the computer off and followed the rest of the steps with getting the log.

              Thanks for the help !!

              =)

              [recovering space - attachment deleted by admin]

              evilfantasy

              Your computer is infected by at least one Keylogger and various Backdoor Trojans. Please read all of this carefully.

              Backdoor Trojans, IRCBots and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

              Read this article: Danger: Remote Access Trojans.

              If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

              Your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.

              When should I re-format? How should I reinstall?
              How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

              Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards or that the removal will be successful.

              Should you have any questions, please feel free to ask.

              If you decide to continue with the cleaning process, continue with the following.

              Download DrWeb CureIt & save it to your desktop.

              Scan with DrWeb-CureIt as follows:
              • Double-click on drweb-cureit.exe and then click Start.
              • An Express Scan of your PC notice will appear.
              • Under Start the Express Scan Now Click OK to start.
                • This is a short scan that will scan the files currently running in memory.
                • If or when something is found, click the Yes button when it asks you if you want to cure it.
              • Once the short scan has finished, Click Options > Change settings
              • Choose the Scan tab and UNcheck Heuristic analysis and click OK
              • Back at the main window, select the Complete scan button.
              • Then click the Green Arrow Start Scanning button on the right and the scan will start.
                • Click Yes to all if it asks if you want to cure/move any file(s).
              • When the scan is done, in the Dr.Web CureIt menu on top left, click File and choose Save report list.
              • Save the DrWeb.csv report to your Desktop.
              • Exit Dr.Web CureIt.
              • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
              • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
              • Copy and paste that log in the next reply

              ComputerTired

                Topic Starter


                Beginner

                During the scan, some of the stuff couldn't be cured, so I wasn't sure if I should move them or delete them.

                The reboots worked so much better. Fast and easy. I didn't get that blue screen of death.

                On the scan tab, I didn't see a Heuristic analysis checkbox. There was only an Express Scan, Complete Scan, and Custom Scan.

                Here's the results of the Complete Scan:

                [next post]

                ComputerTired

                  Topic Starter


                  Beginner

                  I added the results as an attachment, but if you want me to copy and paste the results as well, I'll do it.

                  [recovering space - attachment deleted by admin]

                  evilfantasy

                  Now run a new HijackThis scan and post the log.

                  ComputerTired

                    Topic Starter


                    Beginner

                    Here's the HJT log:

                    [recovering space - attachment deleted by admin]

                    evilfantasy

                    Run the F-Secure online scan for Viruses, Spyware and RootKits:

                    This scanner works with Internet Explorer only

                    • Go to the F-Secure Online Virus Scanner
                    • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
                    • Allow the ActiveX control to be installed on your computer, then click the Accept button
                    • Click Full System Scan and allow the components to download and the scan to complete.
                    • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
                    • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
                    • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
                    If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
                    • When the cleaning option is presented, Uncheck Submit samples to F-Secure
                    • Click Automatic cleaning
                    • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
                    • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.
                    Note:
                    • This scan will only work with Internet Explorer
                    • You must have administrator rights to run this scan
                    • This scan can take several hours, so please be patient
                    ----------

                    Now run a new HijackThis scan and post that log also.