Author Topic: Re: Bugs eating background, background changed to blue with spyware warning ...  (Read 4570 times)

jesiava

    Topic Starter


    Greenhorn

    Hello,
    my sister's Dell PC has this "bug screensaver/fake blue wallpaper" virus as well... Can I follow along in order to restore her PC?
    Thank you for all your help.

    Jesse

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    I moved this to a new thread.

    Start here http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Post the logs back in this thread.

    jesiava

      Thank you for your time. I have begun some of the steps:
      Step 1: Add/Remove Programs - Done
      Step 2: CCleaner Slim - Done
      Step 3: SuperAntispyware - Done & Log Attached
      Step 4: MBAM - Done & Log Attached
      Step 5: Java Update - most updated version installed
      Step 6: HijackThis (renamed Sniper) - Done & Log Attached

      Also just completed a run of DrWeb (Express and Full Scan), no viruses were found at that time and no logs were available for me to save.
      Rebooted from that point and then re-ran HijackThis - Log Attached

      As of now, the yellow warning box that used to be on the desktop is gone and the "bugs" screensaver seems to be gone, but Task Manager still seems to be disabled.

      I hope this is enough information to get started.
      Thank you for your help.

      Jesse

      [recovering space - attachment deleted by admin]

      evilfantasy

      Download SDFix.exe and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Now then reboot your computer in Safe Mode by doing the following:

      • Restart your computer
      • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      • Instead of Windows loading as normal, the Advanced Options Menu should appear;
      • Select the first option, to run Windows in Safe Mode, then press Enter.
      • Choose your usual account.
      • Open the extracted SDFix folder and double click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
        (Report.txt will also be copied to Clipboard).
      • Finally add the contents of the Report.txt in your next post.
      If SDFix won't run or you get errors, follow the link for instructions on running SDFix. How to use SDFix

      ----------

      You have Viewpoint installed.

      Viewpoint Media Player/Manager/Toolbar is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". See Viewpoint to Plunge Into Adware

      It is suggested to remove the program now.
      Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
      • Viewpoint
      • Viewpoint Manager
      • Viewpoint Media Player
      • Viewpoint Toolbar
      • Viewpoint Experience Technology
      If you have trouble removing Viewpoint, I suggest that you use ViewpointKiller

      Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop.
      Run ViewpointKiller, and select File > Do All Killings
      Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.

      ----------

      Next post add
      SDFix log

      jesiava

        Thank you for all the help you have provided as well as your time. It is all very much appreciated.

        I have completed the last tasks:
        SDFix - Done & Log Attached
        Viewpoint removal utilizing viewpoint killer

        Jesse

        [recovering space - attachment deleted by admin]

        evilfantasy

        There is an entry in the HijackThis log that I hoped SDFix would get, but it didn't, so we need to run CF and get a log from it.

        Download Combofix by sUBs from one of the below links.
        (Try all three if necessary)
        Important! Combofix.exe MUST be saved to and run from the Desktop.
        • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
        • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
          • Click this link to see a list of security programs that should be disabled and how to disable them.
          • If yours is not listed and you don't know how to disable it, please ask.
        • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
        • Double click combofix.exe & follow the prompts.
          • Choose Yes to accept the Disclaimers.
          • When finished, it will produce a log for you.
          • Post that log in your next reply.
          Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
          • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
          • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
          CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

          If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.

          jesiava

            I did not initially run HijackThis after the SDFix, but I just ran it now and have attached the file for your review.

            I am running Combofix in the meantime just as an extra measure.

            Jesse

            [recovering space - attachment deleted by admin]

            jesiava

              I have just completed the combofix scan and have attached the log for your review.

              Thank you very much

              Jesse

              [recovering space - attachment deleted by admin]

              evilfantasy

              Looks good. How is everything now?

              Let's clear out the programs we've been using to clean up your computer. They are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.
              • Click START then RUN
              • Now type Combofix /u in the runbox
              • Make sure there's a space between Combofix and /u
              • Then hit Enter.
              The above procedure will:
              • Delete:
                • ComboFix and its associated files and folders.
                • VundoFix backups, if present
                • The C:\Deckard folder, if present
                • The C:\_OtMoveIt folder, if present
              • Reset the clock settings.
              • Hide file extensions, if required.
              • Hide System/Hidden files, if required.
              • Set a new, clean Restore Point.
                Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

                1. Double click OTMoveIt2.exe to launch it.
                Vista users right click and choose Run As Administrator
                2. Click on the CleanUp! button.
                3. OTMoveIt2 will download a list from the Internet. If your firewall or other defensive programs alert you, allow it access.
                4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                5. Once complete, exit out of OTMoveIt2.

                Set a New Restore Point to prevent possible reinfection from an old one
                Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                • Go to Start > Programs > Accessories > System Tools and click System Restore
                • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                • Next go to Start > Run and type Cleanmgr
                • Click OK
                • Click the More Options Tab.
                • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                Use the Secunia Software Inspector to check for out of date software.
                • Click Start Now
                • Check the box next to Enable thorough system inspection.
                • Click Start
                • Allow the scan to finish and scroll down to see if any updates are needed.
                • Update anything listed.

                jesiava

                  All remaining steps have been completed with full success! My sister's PC is back to where it should be.
                  Thank you so much for all of your help!

                  Jesse

                  evilfantasy

                  Glad it worked.

                  Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.