
Topic: Laptop caught another spyware infection. Red background, spyware attack warning


ComputerTired
Topic Starter
Beginner

:'(

I went from the blue desktop background [ had the ctfomona bug virus ] to a red desktop background. The message says:

" Warning: Your computer is under spyware attack!
Your computer is infected by anonymous spyware program.
Operating System has several fatal errors due to spyware activity.
It is strongly recommended to install an antispyware software to eliminate all security vulnerabilities. Click HERE [ gives a link to a website ] to protect your PC ... "

Those words are in yellow and white. My desktop basically has a link sitting in the middle of it, so I make sure to avoid it because I think it's a false and bogus link.

Really, I'm unsure of what caused this new infection. I haven't downloaded anything recently.

I get messages saying that my computer is slow and it will be running slow because of the spyware activity. Also, when I tried to do a restore point, I tried three times with no success. It said restoration incomplete.

I get a message from my system tray saying: "Windows Security Manager - Your computer is running slowly due to malware activity."

Also, popups come up on my computer that say "Spyware activity is found on your computer."

My Task Manager is also disabled. It says that Task Manager has been disabled by your administrator, but I am the administrator and I haven't gone through my user accounts and disabled anything.

This infection just surfaced for me YESTERDAY so I'm trying to quickly get rid of it and not let it sit on my computer and further damage it.

Thanks to whoever takes the time and reads this.

[Saving space - attachment deleted by admin]

evilfantasy
• Malware Removal Specialist
• Moderator
• Genius
• Calm like a bomb
• Thanked: 493
• Experience: Experienced
• OS: Windows 11

Have you gotten Windows validated yet?

ComputerTired

[no text in this post]

evilfantasy

I need to see the log.

Download this from Microsoft and run it on your computer.
Filename = MGADiag2.exe
http://go.microsoft.com/fwlink/?linkid=52012

Press "Copy to clipboard" and then you can paste it in this thread.

ComputerTired

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.2.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {6A475E22-4688-4C5C-AF55-0DE6FF40078A}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 101 Not Activated
Microsoft Office Standard Edition 2003 - 101 Not Activated
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->


evilfantasy

Thank you.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Now reboot your computer in Safe Mode by doing the following:

• Restart your computer.
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
• Instead of Windows loading as normal, the Advanced Options Menu should appear.
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
• Press any key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
• Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to the Clipboard).
• Finally, copy and paste the contents of the results file Report.txt with a NEW HijackThis log in your next reply.

If SDFix won't run or you get errors, follow the link for instructions on running SDFix: How to use SDFix



ComputerTired

Here you go. Both logs. So far, so good. The red background is gone.

;D

[Saving space - attachment deleted by admin]

evilfantasy

Looks better, but that didn't get it all.

Download Combofix by sUBs from one of the below links.

Important! Combofix.exe MUST be saved to and run from the Desktop.
• Close any open web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real-time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
• Double click combofix.exe & follow the prompts.
  • Choose Yes to accept the Disclaimers.
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
  Warning: Do not mouseclick Combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix.

----------

Create An Uninstall List
• Start HijackThis
• Click on the Open the Misc Tools section
• Click on the Open Uninstall Manager button.
• Click on the Save list button and specify where you would like to save this file and click Save.
  • When you press the Save button a Notepad window will open with the contents of that file.
• Copy and paste that list in your reply.

----------

Next post:
Combofix log
Uninstall list

ComputerTired

ComboFix ran smoothly.

;D

[Saving space - attachment deleted by admin]

evilfantasy

Download OTMoveIt2 by OldTimer
• Save it to your desktop.
• Double-click OTMoveIt2.exe to run it.
• Copy the lines in the codebox below.

Code:
[kill explorer]
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2e790fdd-3996-497e-a3ab-29a954949d29
[start explorer]

• Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) and paste it in your next reply.
• Close OTMoveIt2.

----------

Now run a new HijackThis scan and post the log along with the OTMoveIt log.

ComputerTired

Here are the results from the OTMoveIt2 program:

Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2e790fdd-3996-497e-a3ab-29a954949d29 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2e790fdd-3996-497e-a3ab-29a954949d29\\ not found.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06092008_201426

[Saving space - attachment deleted by admin]

evilfantasy

Didn't work.

Download RegASSASSIN.exe to the desktop.

Open RegAssassin and copy the registry key in the code box below.

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\2e790fdd-3996-497e-a3ab-29a954949d29

Now paste it in RegAssassin's window and click Delete.
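An added example, not from the thread or from any of the tools it uses: a read-only PowerShell audit of the two indicators the posts above deal with, the Active Setup Installed Components key that the OTMoveIt2 and RegASSASSIN posts target (the GUID is the one quoted there) and the policy value behind the "Task Manager has been disabled by your administrator" symptom from the first post. It reports rather than deletes; the $SuspectGuid parameter name and the heuristics used to flag an entry are this example's own assumptions.

```powershell
# Added example (not from the thread): read-only audit of the Active Setup
# persistence location and the Task Manager lockout policy discussed above.
# Assumptions: elevated PowerShell on Windows; the default GUID is the one
# quoted in the thread; the -SuspectGuid parameter name is this example's own.
param(
    [string]$SuspectGuid = '2e790fdd-3996-497e-a3ab-29a954949d29'
)

$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# 1. Enumerate every Active Setup component and inspect its StubPath.
#    Windows runs StubPath once per user at logon, which is why a rogue
#    component here survives a cleanup that only touches the desktop files.
$findings = foreach ($key in Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue) {
    $stub = (Get-ItemProperty -Path $key.PSPath).StubPath
    if (-not $stub) { continue }          # no StubPath means nothing is launched

    # Separate the executable from its arguments (quoted or bare path).
    if ($stub -match '^"([^"]+)"') { $exe = $Matches[1] }
    else                           { $exe = ($stub -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue   # e.g. regsvr32.exe via PATH
        if ($cmd) { $exe = $cmd.Path }
    }

    if (Test-Path -LiteralPath $exe) {
        $signature = (Get-AuthenticodeSignature -FilePath $exe).Status
    } else {
        $signature = 'FileMissing'
    }

    [PSCustomObject]@{
        Component  = $key.PSChildName
        StubPath   = $stub
        Signature  = $signature
        # Flag the GUID from the thread (with or without braces), any stub
        # that is not validly signed, and stubs living under user-writable paths.
        Suspicious = ($key.PSChildName -like "*$SuspectGuid*") -or
                     ($signature -ne 'Valid') -or
                     ($exe -match '\\(Temp|Users|Documents and Settings)\\')
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 2. Check the per-user policy value a rogue antispyware sets to lock out
#    Task Manager. Clearing it only helps once the malware itself is gone.
$policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$taskMgr = (Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($taskMgr -eq 1) {
    Write-Warning "DisableTaskMgr is set under $policy (matches the 'disabled by your administrator' symptom)."
    Write-Host   "After cleanup, clear it with: Remove-ItemProperty -Path '$policy' -Name DisableTaskMgr"
} else {
    Write-Host 'Task Manager policy: not disabled.'
}
```

Run it before and after a removal pass; a component that reappears with the same StubPath after a reboot is the sign that the logon-time persistence has not been removed.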

ComputerTired

It said the registry key has been deleted successfully.

evilfantasy

OK, new HijackThis log.

ComputerTired

Here's the HJT log.

[Saving space - attachment deleted by admin]

evilfantasy

Looks good.

• Click START then RUN
• Now type Combofix /u in the run box
• Make sure there's a space between Combofix and /u
• Then hit Enter.

----------

The above procedure will:
• Delete:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

----------

1. Double click OTMoveIt2.exe to launch it.
   Vista users right click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt2.

---------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
• Go to Start > Programs > Accessories > System Tools and click System Restore
• Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
• Click OK
• Click the More Options tab.
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

----------

Install this. Let me know if it interferes with your web surfing and we can remove it. It will help to keep you away from dangerous sites and future infections.

Save DelDomains.inf to the desktop.
• IE users: right-click on the link and select Save As.
• Firefox users: right-click on the link and choose Save link as...
• Save it to the desktop.
• From the desktop, right-click on DelDomains.inf
• Select Install, making sure Internet Explorer is closed.
• You won't see anything happen, so give it several seconds.
Note: if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

----------

It is possible that you will need to reinstall the programs and drivers related to these entries if the infections come back again. If so, and you need help finding out how, then start a new topic in the software forum asking for help.

These are the ones that have been patched:

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
c:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe

----------

How is everything now?

ComputerTired

Thanks again for your help!!

;D

Everything seems to be running pretty smoothly.

With the DelDomains thing, thanks!! I really need something that will keep me away from dangerous sites.

If I do stumble upon a site that will automatically try and download malware or spyware or anything of that nature, will the DelDomains program alert me somehow?

evilfantasy

It will actually block the site so you can't get infected.

ComputerTired

:o

Well, that's PERFECT!!

Thanks [ again ;D ] for your time, patience, and help!!

evilfantasy

No problem.

I don't know if you did last time or not, but another thing I would suggest installing is SiteAdvisor. (Thanks Savior ;) )

ComputerTired

Cool. I'll get that one right now.