I wish that you all could help me clean up my desktop. I have tried every antispyware software I came across and nothing works. I ran Avast and thought I had quarantined the infection. However, when I tried an online scan, I found that the problem did not go away. My computer is infected with mucho spyware and a trojan (W32/Trojan-gen. {other}).
I cannot use my keyboard because each time I touch a key, windows open up like crazy and/or the desktop shows. I am now using my laptop to communicate. In addition, the volume mutes and switches on at will.
I have finally run HijackThis and I now await some real solid advice on how to clean up this desktop so that I can do some work here. I am going to post its report here.
Someone, anyone, please help!!! Thanks! Thank you!!!
HijackThis file.
Logfile of HijackThis v1.99.1
Scan saved at 6:52:31 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
If you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’
Fix:
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
Suspect (no hits on a Google search):
O4 - HKLM\..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe
O23 - Service: Sahydul Service (SahydulSrv) - Unknown owner - C:\WINDOWS\system32\sahydul.exe
Suspect: there are hits for nterceptor.dll. Note this might be a part of SpyCatcher (if you have it); however, since it is mentioned with the other two, which have zero hits on Google, I would think this is more likely to be malicious. Some hits even believe it to be part of a rootkit.
What programs did you use exactly? Boot-time scanning is your best bet now, so use some of the programs that utilize it, like Spybot S&D and avast!.
Have you tried to get into safe mode? When booting, right at the little beep (after a few seconds), hit the keyboard's F8 key, and use the arrow keys to get into Windows XP safe mode. Then try your scanners, or, if you can, check your Add/Remove Programs list and remove any "new" malware programs (my sister had something like that once; it was weird).
Anyway, good luck. Once you restore functionality, if some malware still roams, rescan your PC; a few good utilities are mentioned at www.techsupportalert.com. Try your hand at these programs :).
The best program I have ever seen is ZoneLabs. ZoneLabs WILL run with avast side-by-side. I do a lot of downloading and there has not been a virus in my computer for about 2 1/2 years. I used to have a lot of viruses. They cleaned them all without damaging Windows.
ZoneAlarm Firewall is good, but the Security Suite in combination with avast! would invite problems since it's also a resident antivirus. I'm not sure which you meant.
Anyway, it looks like Nature already has Sygate Firewall.
Hey, DavidR, how do I delete/correct the items in the HijackThis report that you indicated? I tried, but after running another HijackThis scan, the items are still there.
I have removed some spyware, but an online Symantec scan shows I have a virus and about 4 spyware-infected files left. Also, my computer still mutes and switches on its internal speakers at will.
I ran a boot scan with avast as suggested. I am going nuts here!!
The following are the reports:
Symantec:
C:\WINDOWS\system32\maleviv.exe is infected with Spyware.SpyLantern
C:\WINDOWS\system32\sahydulv.exe is infected with Spyware.SpyLantern
C:\Documents and Settings\All Users\Application Data\WinKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
C:\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 8:02:21 AM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
In addition, whenever I start up the computer, Ad-aware says that my registry has been modified by an "O4" listed above: "O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S"
HJT doesn't do anything (like an AV) other than present you with information (see tutorial links); you have to fix (by checking the box to the left of the entry) those items deemed harmful by analysis. Fix the ones I first listed, including the new O4 - HKLM\..\Run: [My Web Search Bar] rundll32 entry, and then run HJT again.
I can only assume from the increased size of this log that the first was run in safe mode.
I did try to fix the HJT items as you suggested (checking and clicking on "Fix checked"). Then I rescanned. Yet the items reappear in the new HJT log file.
I will try the online analysis.
Big thanks!
Okay! I did the analysis and tried to remove the items manually. They either reappear or I am blocked from removing them for some reason. E.g., when I try to remove C:\WINDOWS\spinsavc.exe, a message says: "Cannot delete spinsavc.exe: Access denied. Make sure the disk is not full or write …"
Did you reboot after fixing the items? Changes to the registry, etc. won't be implemented until reboot.
In-use files are usually protected by Windows, even malware; that is why it is important to first stop them from running. This can be achieved either via Task Manager (End Process) or, as I said, by fixing and rebooting.
Unlocker (http://ccollomb.free.fr/unlocker/) is also good, as it has a few additional features: it will not only delete the files but also stop any process that is preventing you from deleting a file.
Maybe there’s someone (a parent or spouse?) you need to talk to about this.
In addition, whenever I start up the computer, Ad-aware says that my registry has been modified by an "O4" listed above: "O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S"
Unless the My Web Search toolbar shows up when you open Internet Explorer, this might be an orphaned registry entry from a previously cleaned infection. If My Web Search were still active, there should be additional registry entries, as outlined here.
Wow! I believe the My Web Search thingy is a leftover.
Thanks, man. You have given me a lot to work with. I am running out of computer time (got to get to work), but I will apply the combination of fixes you've recommended.
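The triage DavidR applies by hand to the O2, O4 and O23 entries earlier in the thread, and the "orphaned entry" check in the reply just above, can be mechanised for a log of this format. The script below is an added example written for this thread; it is not HijackThis code and not from any poster. The sample log reuses the lines quoted in the thread, with two constructed avast! lines added as benign contrast, and the "disk" is a constructed set of paths (MWSBAR.DLL is deliberately left out to reproduce the leftover case) so it runs offline.

```python
"""Triage of HijackThis O2/O4/O23 lines (added example, not HJT code).

Each parsed entry lands in one of the buckets a responder uses:
  no-file        O2 BHO whose DLL is gone (registry leftover, safe to fix)
  file-missing   O4/O23 entry whose file is not on disk (orphan, as with My Web Search)
  unknown-owner  O23 service with no publisher string, living in the Windows dirs
  review         file present, no automatic verdict: look the name up by hand
"""
import re
from dataclasses import dataclass

# Constructed sample: the lines quoted in this thread plus two benign avast! lines.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O4 - HKLM..\Run: [zreinit] C:\WINDOWS\spinsavc.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O23 - Service: Malevi Service (MaleviSrv) - Unknown owner - C:\WINDOWS\System32\malevi.exe
O23 - Service: Sahydul Service (SahydulSrv) - Unknown owner - C:\WINDOWS\system32\sahydul.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed disk snapshot; MWSBAR.DLL is deliberately absent (the leftover case).
DISK_SNAPSHOT = {
    r"C:\WINDOWS\spinsavc.exe",
    r"C:\WINDOWS\System32\malevi.exe",
    r"C:\WINDOWS\system32\sahydul.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
}

# The backslash before ".." is optional: forum software ate it in one quoted line.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Entry:
    section: str
    name: str
    path: str      # normalised file the entry loads ("" for a BHO with no file)
    owner: str
    verdict: str


def norm(path: str) -> str:
    """Case-insensitive, unquoted, backslash-only form for set membership."""
    return path.strip().strip('"').replace("/", "\\").lower()


def referenced_file(cmd: str) -> str:
    """File an O4 command actually loads: rundll32 loads the DLL named before the
    comma in its first argument; otherwise it is the first (possibly quoted) token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return norm(cmd[1:].split('"', 1)[0])
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return norm(tokens[1].split(",", 1)[0])
    return norm(tokens[0]) if tokens else ""


def triage(log_text: str, present_files: set) -> list:
    disk = {norm(p) for p in present_files}
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            gone = m["path"].strip() == "(no file)"
            out.append(Entry("O2", m["clsid"], "" if gone else norm(m["path"]), "",
                             "no-file" if gone else "review"))
        elif m := O4_RE.match(line):
            f = referenced_file(m["cmd"])
            out.append(Entry("O4", m["name"], f, "", "review" if f in disk else "file-missing"))
        elif m := O23_RE.match(line):
            f, owner = norm(m["path"]), m["owner"].strip()
            if f not in disk:
                verdict = "file-missing"
            elif owner.lower() == "unknown owner" and f.startswith(SYSTEM_DIRS):
                verdict = "unknown-owner"
            else:
                verdict = "review"
            out.append(Entry("O23", m["short"] or m["display"], f, owner, verdict))
    return out


def fix_list(entries: list) -> list:
    """Entries a responder would tell the poster to tick and 'Fix checked' in HJT."""
    return [e for e in entries if e.verdict in ("no-file", "file-missing", "unknown-owner")]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, DISK_SNAPSHOT):
        print(f"{e.section:<4}{e.verdict:<14}{e.name:<40}{e.path}")
```

On a real box you would build the disk set from a directory walk rather than a literal, and the "review" bucket is exactly the part that still needs a human (or a search on the file name, as DavidR did): a file that exists with a plausible-looking name is not evidence it is benign, only that it is not an orphan.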
I have not been able to clear them totally. I have isolated/quarantined "spinsavc.exe", but it still shows up in HJT. As for the others, I have not seen them anywhere else but in HJT.
However, the computer has been working fine. Dunno what's up here!
C:\WINDOWS\system32\maleviv.exe is infected with Spyware.SpyLantern
C:\WINDOWS\system32\sahydulv.exe is infected with Spyware.SpyLantern
C:\Documents and Settings\All Users\Application Data\WinKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
C:\Documents and Settings\All Users\Application Data\SystemKey\SystemKeyUninstaller.exe is infected with Spyware.StealthKeylog
In the first line you typed maleviv.exe. Should this be malevia.exe?
Was Symantec able to quarantine or delete these, or did it simply report the infection?
If Symantec did not take any action, did you possibly delete these with one of DavidR's suggested programs (e.g. Move On Boot)?
Also, have you ever had Spy Catcher installed on this computer?