
Thread: Need Help

  1. #1
    Join Date
    Mar 2008
    Posts
    23

    Need Help

    Hi,

    Yesterday while viewing my myspace account, a pop-up came on my screen that asked me if I wanted to download an activex plug-in. I chose 'yes' and since then my pc has been acting up. First, my desktop wallpaper is not the one I chose. Instead, it has been replaced with 'Warning: Spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware activity. Click here to scan your PC for spyware.'. In addition, I get pop-ups that are from Windows Security Clearance Center that want me to purchase software and other pop-ups that want me to purchase software. One of these pop-ups is attached as 'top rated spyware removers.txt'.
    As soon as these problems occurred, I ran a HJT scan (first HJT scan). I then followed all of the instructions in the thread that says something like read this before posting for assistance. I have attached all requested files, except the AVG anti spyware report. I am still having the same problems after following all of the instructions in that thread.
    Please if anyone can tell me where to go from here. I work from my home for directv and have to have a PC for my job.

    Thanks in advance,
    Nicolette

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Have no clue as to this Top Rated Spyware Remover...dump it...never heard of it.
    You have major nasties on the computer.
    • Download combofix.exe by sUBs to your computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.
    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
    Post the log for us

  3. #3
    Join Date
    Mar 2008
    Posts
    23
    I did everything that you suggested and attached the log made by combofix.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi Nicolette,
    Your computer has some nasties on there for sure. ComboFix did remove a commercial spy/keylog program.
    These entries indicate that;

    C:\WINDOWS\system32\acespy
    C:\WINDOWS\system32\acespy\__acelog.ndx
    C:\WINDOWS\system32\acespy\systune.exe

    Here is an explanation of what this is;
    Programs designed to monitor user activity. May be used with or without consent. Because it is sold commercially, many anti-virus vendors do not detect them. The most common form of a commercial monitoring tool comes in the form of a keystroke logger, which intercepts keystrokes from the keyboard and records them in a log. This can then be sent to whoever installed the software, or keylogger, onto the machine. Some Commercial Monitoring Software may take screenshots, or video and send the information to an outbound connection.

    AceSpy monitors PCs by taking screenshots, keeping key logs, including chats, e-mails, web sites visited, searches performed, and more. AceSpy is completely hidden to the PC user, and the installer can have reports sent directly to their e-mail address. Keywords specified by the installer trigger the program to send the installer instant alerts. Also the installer can set keywords to close a web browser if it encounters any of the listed words.
    From their website:
    "AceSpy is PC spy software for home or office use. Secretly see everything your spouse, child or employee does online. Instantly forward their emails and chats to your email address. Block web sites by keywords or site addresses. Get an hourly report email containing everything they do."
    I am sorry to say but one would assume that somebody has purposely installed this on your computer since it is a program which must be purchased in order to install it and use it.

    Please run the ESET NOD32 Online Scanner again and attach the ScanLog with your post for assistance.
    -- You will need to use Internet Explorer to complete this scan.
    -- You will need to temporarily Disable your current Anti-virus program.
    -- Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.
    Judy

  5. #5
    Join Date
    Mar 2008
    Posts
    23
    Hi Judy,

    Thanks--I am not sure about the AceSpy. I know I didn't download and buy it. The only people using this computer are me and my husband. My husband is more computer illiterate than I am and says he didn't do that either. Some random people that have visited our home have used our pc. If someone is paying to see what is done on this computer, their money is not well spent because we do pretty boring things on the computer like use it for work.
    I did the eset online scanner again and attached the results. I attached 2 results because there were 2 logs in the folder and wasn't sure which one to choose.
    Thanks,
    Nicolette

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok Nicolette, one thing you have to do concerning the AceSpy program is make sure it is gone so you need to search for it this way;

    Double Click My Computer.
    Then Double Click "C" Drive.
    Then go to the Windows Folder, double click to open.
    Then to the system32 folder, double click to open.
    Then look for an Acer folder. If you find one, delete it all the way out.

    Next go back to the ESET Online Scanner and run it again, but this time be sure the option to Remove found threats is checked, because this time we want it to remove the Win32/Adware.Mirar that was found on the previous scan, and the option to Scan unwanted applications is checked.
    When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.
    Also please run a new HJT scan and post that new log along with the ESET log in your next post.
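
Added example, not part of the original posts: a case-insensitive check that the three AceSpy paths from the ComboFix entries in post #4 are really gone after the manual deletion described in post #6. The function names are hypothetical, and the Windows directory is passed in as a parameter so the check can also be run against a mounted or copied disk.

```python
import os

# Paths from the ComboFix entries quoted in post #4, relative to the Windows directory.
INDICATORS = [
    r"system32\acespy",
    r"system32\acespy\__acelog.ndx",
    r"system32\acespy\systune.exe",
]

def resolve_ci(root, rel_path):
    """Resolve rel_path under root ignoring case, the way Windows does by default.
    Returns the real on-disk path, or None if any component is missing."""
    current = root
    for part in rel_path.replace("\\", "/").split("/"):
        try:
            names = os.listdir(current)
        except (FileNotFoundError, NotADirectoryError, PermissionError):
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def find_remnants(windows_dir):
    """Return listed paths that still exist, plus any other file left in the folder."""
    found = [p for p in (resolve_ci(windows_dir, rel) for rel in INDICATORS) if p]
    folder = resolve_ci(windows_dir, INDICATORS[0])
    if folder and os.path.isdir(folder):
        # Files the log did not list (extra captures, reports) also count as remnants.
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                full = os.path.join(dirpath, name)
                if full not in found:
                    found.append(full)
    return found

if __name__ == "__main__":
    windows_dir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    remnants = find_remnants(windows_dir)
    for path in remnants:
        print("STILL PRESENT:", path)
    if not remnants:
        print("No AceSpy paths from the ComboFix log remain under", windows_dir)
```

Run it from an account that can read the system32 folder; an unreadable folder is reported as absent, so a clean result from a restricted account is not conclusive.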

  7. #7
    Join Date
    Mar 2008
    Posts
    23
    Hi Judy,

    I deleted the requested folder. It was called AceSpy and then I emptied my recycle bin.

    I also did the ESET scan and attached files and another HJT scan and attached the file.

    Thanks so much!
    Nicolette

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Nicolette, am questioning another program here before I give you more steps...it is called GoToMyPc...do you know what this is and did you install it yourself? It IS a legitimate program which allows remote access of your computer by another OR remote access of another computer by you. I am questioning this because it has been known to have security issues and because of the fact that the AceSpy program was found to be on your computer...and you say neither you nor your husband knows how it got there, this is why I am suspicious of this other program also.

  9. #9
    Join Date
    Mar 2008
    Posts
    23
    Hi Judy,

    I personally installed gotomypc probably 3 years ago? In addition to working for directv, I also do consultant work for a company located in another state. I used to work there myself, but then had to move and they kept me on their payroll and I can access their databases and so forth thru gotomypc.

    I wasn't aware of the security issues. They used to use pc anywhere and then transitioned to the gotomypc because of known security issues.

    Thanks,
    Nicolette

  10. #10
    Join Date
    Aug 2006
    Posts
    578

    Hi Nicolette,

    I am going to post a script for you to run with ComboFix, but I won't be able to do it until this evening.

    In the meantime, could you please post an Uninstall list. You can get this via HJT's misc tools section.

    Cheers
    PP
