Hi it’s me again, only this time this is my parents’ computer instead of mine. But on with the show…
I wasn’t around when it happened, but the story is that my mother went on a site and all of a sudden, bugs were crawling across the screen and it told her that she had spyware (win32:malware.alarm) and whether or not she wanted to remove it. Note: this wasn’t avast or any adware program, it was just a popup. I had something like this before, so yeah.
I’m not even quite sure what it is, but it might be Win32:Agent-UKF [trj], which is the only thing avast picked up on. Hope someone can help me. It’ll be greatly appreciated :).
If it was just a pop-up, and you mother declined the offer of the lying scumbag sleazy scamware program on offer, then she should be OK.
Does she have an up to date browser with a pop-up blocker? (Firefox, Opera, IE7)
As a routine check, do a full AV scan. Boot time with avast! if she has that.
A spyware scan with the scanner/s of your choice.
A scan with Secunia Software Inspector to eliminate vulnerable software that may lead to drive-by downloads: installation of malware without user action.
I downloaded it and ran a scan, but it didn’t detect anything.
And I definitely forgot to add in the first post that this thing has also taken over the desktop with a screen that says: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.
Very similar to what I had before, but it looks different and it’s a different popup than the one that I had.
1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
9. Click on “Edit > Select All”, then click on “Edit > Copy” to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.
Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.
I tried the SmitfraudFix and it seemed to work. So far, the desktop hijack screen hasn’t come back yet.
However, avast continues to keep picking up something called Win32:Rootkit-gen [Rtk], and even after I delete it, it’s still there.
So I decided to run HijackThis anyway to see if you guys could help get rid of it and any remaining things that might still be on here. Here’s the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:32 AM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Your Sun Java application is out of date. This will allow drive-by downloads: installation of malware just by visiting the wrong site.
Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.
EDIT: Ad-Aware 2008 is available now: it’s claimed to have better detection.
All done and everything seems to be doing okay so far. sysrest32.exe is completely gone and avast! hasn’t picked up any rootkit trojan. So I think we may be in the clear.
Thanks so much for helping out. Now my parents can rest assured. My mother had called Verizon and wanted to take all of these other measures and stuff *rolls eyes*. But ANYWAYS…thanks again! I’ll be back if anything comes up :P.
Okay, we may not have gotten rid of it completely.
Something else that this thing caused to happen was there was this screensaver type thing that comes on and bugs crawl over the screen, eating it and such. It acts just like a screensaver–activating when there’s no activity–so I looked to see if the trojan just left the screensaver like how it left a blank screen when I encountered something like it. But, there’s no screensaver set.
If you are confident editing the registry, check the SCRNSAVE.EXE string value. If it is pointing to something odd, change the ScreenSaveActive value to zero and delete the screensaver file the key is pointing to (in System32 unless another folder is named).
Change the logon screen saver
1. Click Start, click Run, type regedt32, and click OK.
2. Locate the following registry key:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
3. In the Details pane, double-click the SCRNSAVE.EXE string value item.
4. In the Value data box, type the path and name of the screen saver, and then click OK.
Important: Make sure that you specify the path correctly to the screen saver. If the screen saver is located in %SystemRoot%\System32, the explicit path is not required.
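The manual registry check described in the two replies above, written up here as an added read-only PowerShell audit (not code from the thread or from the KB article it quotes). It reads SCRNSAVE.EXE and ScreenSaveActive from the logon-screen key named above and, going one step beyond the thread, from the current user's Control Panel\Desktop key as well, then reports whether the configured file exists, sits in %SystemRoot%\System32 and carries a valid Authenticode signature; it assumes a Windows host with PowerShell, so it is meant for a modern machine rather than the XP box in the thread.

```powershell
# Added example: audit the screen saver values the posts above say to inspect.
# Read-only: it changes nothing, so remediation stays with the operator.
$keys = @(
    'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop',   # logon screen (from the KB steps)
    'Registry::HKEY_CURRENT_USER\Control Panel\Desktop'      # logged-on user (beyond the thread)
)
$system32 = Join-Path $env:SystemRoot 'System32'

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Output "$key : key not present"; continue }
    $props  = Get-ItemProperty -Path $key
    $active = $props.ScreenSaveActive
    $scr    = $props.'SCRNSAVE.EXE'

    if ([string]::IsNullOrWhiteSpace($scr)) {
        Write-Output "$key : no screen saver configured (ScreenSaveActive=$active)"
        continue
    }

    # A bare file name is resolved against System32, as the KB note explains.
    $path = [Environment]::ExpandEnvironmentVariables($scr)
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }

    $exists  = Test-Path -LiteralPath $path
    $inSys32 = $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    Write-Output "$key"
    Write-Output "  ScreenSaveActive : $active"
    Write-Output "  SCRNSAVE.EXE     : $scr -> $path"
    Write-Output "  exists=$exists  inSystem32=$inSys32  signature=$sigStatus"
    if (-not $exists -or -not $inSys32 -or "$sigStatus" -ne 'Valid') {
        Write-Output "  REVIEW: screen saver is missing, outside System32 or not validly signed; inspect it before trusting it"
    }
}
```

A legitimate Windows screen saver normally resolves to a signed .scr file inside System32, so any REVIEW line is the cue to look at that file (and to set ScreenSaveActive to 0 while you do) rather than to let it keep running.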
It’s been a while now and it hasn’t come back. So, I’m thinking we’re in the clear for real now knocks on wood. Thank you so much for helping me out! It’s greatly appreciated :).