
Thread: Need Help

  1. #1
    Join Date
    Mar 2008
    Posts
    23

    Need Help

    Hi,

    Yesterday while viewing my myspace account, a pop-up came on my screen that asked me if I wanted to download an activex plug-in. I chose 'yes' and since then my pc has been acting up. First, my desktop wallpaper is not the one I chose. Instead, it has been replaced with 'Warning: Spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware activity. Click here to scan your PC for spyware.'. In addition, I get pop-ups that are from Windows Security Clearance Center that want me to purchase software and other pop-ups that want me to purchase software. One of these pop-ups is attached as 'top rated spyware removers.txt'.
    As soon as these problems occurred, I ran a HJT scan (first HJT scan). I then followed all of the instructions in the thread that says something like read this before posting for assistance. I have attached all requested files, except the AVG anti spyware report. I am still having the same problems after following all of the instructions in that thread.
    Please if anyone can tell me where to go from here. I work from my home for directv and have to have a PC for my job.

    Thanks in advance,
    Nicolette

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Have no clue as to this Top Rated Spyware Remover...dump it...never heard of it.
    You have major nasties on the computer.
    • Download combofix.exe by sUBs to your computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.
    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
    Post the log for us

  3. #3
    Join Date
    Mar 2008
    Posts
    23
    I did everything that you suggested and attached the log made by combofix.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi Nicolette,
    Your computer has some nasties on there for sure. ComboFix did remove a commercial spy/keylog program.
    These entries indicate that;

    C:\WINDOWS\system32\acespy
    C:\WINDOWS\system32\acespy\__acelog.ndx
    C:\WINDOWS\system32\acespy\systune.exe

    Here is an explanation of what this is;
    Programs designed to monitor user activity. May be used with or without consent. Because it is sold commercially, many anti-virus vendors do not detect them. The most common form of a commercial monitoring tool comes in the form of a keystroke logger, which intercepts keystrokes from the keyboard and records them in a log. This can then be sent to whoever installed the software, or keylogger, onto the machine. Some Commercial Monitoring Software may take screenshots, or video and send the information to an outbound connection.

    AceSpy monitors PCs by taking screenshots, keeping key logs, including chats, e-mails, web sites visited, searches performed, and more. AceSpy is completely hidden to the PC user, and the installer can have reports sent directly to their e-mail address. Keywords that specified by the installer trigger the program to send the installer instant alerts. Also the installer can set keywords to close a web browser if it encounters any of the listed words.
    From their website:
    "AceSpy is PC spy software for home or office use. Secretly see everything your spouse, child or employee does online. Instantly forward their emails and chats to your email address. Block web sites by keywords or site addresses. Get an hourly report email containing everything they do."
    I am sorry to say but one would assume that somebody has purposely installed this on your computer since it is a program which must be purchased in order to install it and use it.

    Please run the ESET NOD32 Online Scanner again and attach the ScanLog with your post for assistance.
    -- You will need to use Internet Explorer to complete this scan.
    -- You will need to temporarily Disable your current Anti-virus program.
    -- Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.
    Judy

  5. #5
    Join Date
    Mar 2008
    Posts
    23
    Hi Judy,

    Thanks--I am not sure about the AceSpy. I know I didn't download and buy it. The only people using this computer are me and my husband. My husband is more computer illiterate than I am and says he didn't do that either. Some random people that have visited our home have used our pc. If someone is paying to see what is done on this computer, their money is not well spent because we do pretty boring things on the computer like use it for work.
    I did the eset online scanner again and attached the results. I attached 2 results because there were 2 logs in the folder and wasn't sure which one to choose.
    Thanks,
    Nicolette

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok Nicolette, one thing you have to do concerning the AceSpy program is make sure it is gone so you need to search for it this way;

    Double Click My Computer.
    Then Double Click "C" Drive.
    Then go to the Windows Folder, double click to open.
    Then to the system32 folder, double click to open.
    Then look for an Acer folder. If you find one, delete it all the way out.

    Next go back to the ESET Online Scanner
    and run it again, but this time Be sure the option to Remove found threats is checked. Because this time we want it to remove the Win32/Adware.Mirar that was found on the previous scan and the option to Scan unwanted applications is Checked.
    When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.
    Also please run a new HJT scan and post that new log along with the ESET log in your next post.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    As long as you know where this program came from then that is all right. If it was installed without you knowing then that is when I would worry. But since you use this for work then I wouldn't worry about it.
    Nicolette this list has to be incomplete. It should be much longer. Look in your Add/Remove and see if there is more there, if so there is something wrong with the way you ran the Uninstall list. If not..then...well I have never seen a list this short. Your start up listings in HJT show 20+ programs...not all would be in Add/Remove but even your anti-virus program or Quicktime are not showing in the list here.

  8. #8
    Join Date
    Mar 2008
    Posts
    23
    I ran the uninstall list thru hijack this and got the same thing? I looked in my add/remove program and there are more there. Below is everything located there...

    Adobe Reader 7.0
    AVG Anti-Spyware 7.5
    Bantec Service Agreement
    Bantec Service Agreement
    Bat
    Dell Networking Guide
    Dell Solution Center
    Dell Support
    EarthLink Setup Files
    ESET Online Scanner
    Help and Support Customization
    Hijack This 2.0.2
    Internet Explorer Default Page
    J2SE Runtime Environment 5.0 Update 11
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Pro 8 Dell Edition
    Microsoft Encarta Encyclopedia Shared 2004
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft Office Professional Edition 2003
    Move Networks Media Player for Internet Explorer
    MSXML 4.05SP2 (KB927978)
    MSXML 4.05SP2 (KB936181)
    Norton AntiSpam
    Norton AntiSpam
    Norton Internet Security
    Norton Internet Security
    Sonic DLA
    Sonic Record Now!
    Sonic Update Manager
    SPSS 12.0 for Windows Student Version
    Symantec Antivirus Client
    WebEx
    WebFldrs XP
    Windows Defender

    Thanks,
    Nicolette

  9. #9
    Join Date
    Aug 2006
    Posts
    578


    Hello Nicolette,

    I counted three or four spy/keylogging programs on your computer. It is pretty safe to say that any and all personal data on the machine has been compromised. If you do online banking and the like with this computer, you ought to look into changing passwords/credit card info etc... (from an uninfected machine). I’m sure Judy will be happy to advise you further.

    -- There should definitely be more to the Uninstall List. Stuff like Viewpoint and SpyNoMore should be there.... Perhaps there is an uninstaller in the Program Files\SpyNoMore folder??


    For Viewpoint, let's do this:

    -- Download http://prm753.bchea.org/viewpointkiller.zip

    Unzip all of the contents of "ViewpointKiller.zip" to a location such as your desktop.

    Browse to the folder that contains ViewpointKiller and run ViewpointKiller.exe. Select the "File" menu, and select "Viewpoint Installed?". If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper "Kill" option in the File menu.

    Follow the prompts and instructions very carefully, answering "Yes" or "No" depending on which option you are most comfortable with.

    ViewpointKiller will then attempt to remove the Viewpoint variant(s) specified. It will give you a short output on the main screen, and write more detailed information to a logfile called "ViewpointKiller.log" in your main hard drive folder. To access this log, select the "File" menu, and select "Open Logfile".




    Here are the next steps:

    --- Download ATF-Cleaner.exe by Atribune to your Desktop. Leave it for now...

    -- Please DELETE your copy of ComboFix and download a fresh one to your Desktop. Leave it there for now.
    -- Download the attached file CFScript.txt to your Desktop as well.
    You will be using that later in the fix process.

    --- Download DelDomains and save it to your Desktop. Then, RightClick DelDomains.inf and select Install

    NEXT:

    Look in ADD or Remove Programs and try to UNINSTALL the following, if found:

    J2SE Runtime Environment 5.0 Update 11
    Bat
    --> unless you know what this is...


    THEN:
    Please locate ATF-Cleaner on your Desktop
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT



    Please scan with HijackThis and Check the Boxes for the following, if they remain:
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,

    O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
    O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
    O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Batco\bat.dll
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
    O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup

    O15 - Trusted Zone: newcitrix.newcorp.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    Be sure All Browser Windows are Closed and then Click Fix Checked.



    NEXT:
    -- Locate CFScript.txt on your DeskTop
    -- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix

    -- Allow Combofix to run as before and save the log.


    LASTLY:
    Update your Java here ---> http://www.java.com/en


    Please submit the new ComboFix Log along with a fresh HijackThis Log for Judy. I imagine she will have a good deal of advice for you with regard to securing your computer and dealing with the security breaches. You are likely going to need to re-install your Norton AV suite, among other things.



    Best Luck
    PP
    Last edited by PhilliePhan; 03-03-2008 at 07:56 PM.
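The HJT entries PP asks to have fixed above can also be triaged mechanically. As an added example (not code from the thread or from the HijackThis project), here is a small Python checker for the three patterns that post flags: an executable appended after the stock userinit.exe in the Userinit value, BHO entries with no backing file, and Trusted Zone entries that lower IE security for a site. The sample lines are constructed from entries quoted in the post.

```python
import re
from typing import List, Tuple

# Constructed sample log built from lines quoted in the post above.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_11\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SNM] C:\\Program Files\\SpyNoMore\\SNM.exe /startup
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe
"""

# On a default Windows XP install the Userinit value is exactly this one entry.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"


def check_userinit(value: str) -> List[str]:
    """Return every entry in a Userinit value that is not the stock userinit.exe.

    The value is comma separated and normally ends with a trailing comma, so
    empty entries are ignored. Anything else listed here runs at every logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan HijackThis-style lines and return (finding_type, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: UserInit="):
            for extra in check_userinit(line.split("UserInit=", 1)[1]):
                findings.append(("userinit-hijack", extra))
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # Orphaned BHO: the CLSID is registered but its DLL is gone.
            m = re.search(r"\{[0-9A-Fa-f-]+\}", line)
            findings.append(("orphan-bho", m.group(0) if m else line))
        elif line.startswith("O15 - Trusted Zone:"):
            # Trusted Zone sites get relaxed IE settings; each one needs review.
            findings.append(("trusted-zone", line.split(":", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```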

  10. #10
    Join Date
    Mar 2008
    Posts
    23
    Yes, I do online banking and such from this computer. Will definitely go about changing all of my passwords and such.

    I followed all of your instructions.
    -Was not able to delete J2SE Runtime from add/change programs.
    -015 Trusted Zone: newcitrix.newcorp.com wasn't there for me to delete, but I need this for my directv job.

    I attached the combofix log and another HJT scan.

    If I need to re-install Norton AV then I think I'm going to have to buy it because I never owned it to begin with. The company I used to work for installed it for me on my pc, but chose 'administrator' or something like that so I wouldn't have to buy the license. I don't really know all of the details, but know I don't have the disk for it.

    The funky message on my desktop has since disappeared!!!

    Thanks,
    Nicolette
