HELP: spacer virus thingy is ruining my life

Package

im having problems with a freinds computer. she seemed to have picked up some sort of virus or spyware or something. i think its called Spacer and its lodged in my c/windows/ and its creted a folder called privacy_danger.

i cant delete it, well i can but it keeps coming back. even when i rename the files, they rename themselves back to their original file names.#

ive ran spybot and adaware and avg on it and it doesnt seem to do any good.

it puts a fake desktop on the screen with a link to the website http://securepccleaner.com/privacy/index.php?045a420d46164a52096a5302073d51003a535e6d04524a0245080b410b54585856155156475c48433b00065e53570d56520216425c030800450e120e07


which is obviosly some sort of regestry cleaner ****. i cant figure it out. any ideas?

ActorSeeksJob

Do this

CLICK HERE to download the HijackThis Installer:

1. Save HJTInstall.exe to your desktop.
2. Double-click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
8. Come back here to this thread and paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

matt-dublin

you've got the looksky virus.

try this:

Download http://downloads.andymanchesta.com/R...ools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Package

thanks lads, ill get a chance to do them tomorrow night and ill post a reply. thanks

ActorSeeksJob

SDFix doesn't remove the looksy virus matt-dublin, it is part of the Smitfraud family so he needs to run SmitfraudFix. Also it's better to wait till you see a HJT log before you bring out the big guns like SDFix.

Package please don't run SDFix as it's not needed, instead just post a HijackThis log and we will continue from there.

matt-dublin

ASJ: FYI
http://www.lavasoftsupport.com/index.php?showtopic=10940&pid=48752&mode=threaded&start=

smitfraudfix doesn't work.

Lavasoft recommend SDFix

ActorSeeksJob

Matt FYI :
http://www.geekstogo.com/forum/How-to-remove-trojan-w32-looksky-removal-instructions-t165752.html

I am quite sure that if we upload the looksy file onto jotti/virustotal(you know what those are?) that they will pretty much all report it as part of the zlob family, aka the Smitfraud family.

smitfraudfix doesn't work.

SmitfraudFix does work, and I have already used it myself to remove the looksy virus(as well as everybody else in the anti-malware community).

Also this link that you posted
http://www.lavasoftsupport.com/index.php?showtopic=10940&pid=48787&mode=threaded&start=#entry48787
SDFix removed nothing. Have a look at it's log. The user had already removed everything with SmitfraudFix but was just complaining bout his desktop background.


The only bad entry in that users log was this
O21 - SSODL: msole - {10080C78-2D68-41C7-8C22-0ECC7709E159} - C:\WINDOWS\msole.dll (file missing)

Which is Smitfraud, and which was pretty much removed with SmitfraudFix.


Also you just cant have users run tools just cause you have googled search a similar result. That is dangerous and can do a lot of damage if your not careful.


I'm not trying to be rude or smug here, but you are wrong, and the fact that you are only posting one link from a google search that doesn't even back up what you say, is not enough to warrant the user running SDFix.

Oh and Lavasoft didn't recommend running SDFix to remove the looksy virus, this is misleading and looks like the company are saying to do that, when they aren't.

matt-dublin

I'm not gonna bother argueing here, because both will work, i suggested sdfix because i will also scan for other malware & trojans as well as if looksky is on it, so will other things, I've used it before and its fine. The reason why i posted the link was because the volunteer security team have to be accredited before they can become a member of the teams and their advice is generally spot on.

and yes, you are trying to be smug.

I'll just leave it at reminding you of a pm you sent me in late july.

ActorSeeksJob

because the volunteer security team have to be accredited before they can become a member of the teams and their advice is generally spot on.

I assume you are talking about Lavasoft here, I know miekiemos, she helps out on a lot of the same sites that I help out on, and I have done the necessary training to be offering help like she does. You haven't.

and yes, you are trying to be smug.

No I'm not, I just don't like it when people post advice when they have no idea what they are talking about, especially when it is the wrong advice.

I'll just leave it at reminding you of a pm you sent me in late july.

I PMed you about something totally different. I was asking you bout a career in Networks and Security, that doesn't mean you are better at dealing with virus and malware problems than me. I clearly know more about dealing with viruses than you from your posts.

because both will work

Have a look at these
http://www.geekstogo.com/forum/trojan-w32-looksky-t167662.html
http://www.geekstogo.com/forum/Trojan-W32-Looksky-HELP-has-totally-gone-t167685.html
http://www.commentcamarche.net/forum/affich-3381858-j-ai-ete-infecte-par-trojan-w32-looksky
If you want to remove looksy, you use SmitfraudFix.


You should be more careful posting advice to the users when you have absolutely no training when dealing with SDFix, HijackThis, SmitfraudFix, or any of the other tools you would need in helping out the OP. These tools can wreck PC's when in inexperienced hands like yourself.

matt-dublin

ActorSeeksJob wrote:

and I have done the necessary training to be offering help like she does. You haven't.

How do you qualify this remark?

I like the way you presume to know what i do, how i am trained and how i do things.

PS i like your googled links too.

especially considering your last : http://www.commentcamarche.net/forum/affich-3381858-j-ai-ete-infecte-par-trojan-w32-looksky is in french

ActorSeeksJob

You may be happy to have the OP's topic get side-tracked with a petty argument since chances are you won't be helping him. But chances are I will be the one to fix his PC up, like I have for the past 6-12 months for every spyware problem posted on boards, so it makes more sense to continue this via PM. I can't promise I won't ignore your PM, but it makes more sense to keep this discussion there.

I like the way you presume to know what i do, how i am trained and how i do things.

Well do you help out analyzing HijackThis logs on the biggest PC anti-malware sites on the net? You may have a good degree and plenty of work experience, however you don't have the expertise in dealing with HijackThis logs and all the other tools that are needed when fixing PC's.

PS i like your googled links too.

At least mine back up my point. I point you to a "How to remove trojan looksy" guide and you still argue the point. Ridiculous. As for the french link, thats quite a known site in the community, and even with basic french you should be able to understand that they are dealing with the trojan.looksy and they use SmitfraudFix to remove it.


To the OP, sorry for side-tracking your topic like this. When you post a HijackThis log it will tell us a lot more.

matt-dublin

I have no interest in argueing, but considering you keep telling me i am unqualified to do the work i had better quit my job that i've been doing for the last 6 years, throw my cs degree out the window, along with my MSCE, CCNA and 8 ICS/other certs i have out the window.

Nice work,

and if you don't believe in sdfix, you shouldn't recommend it to anyone for anything:
http://www.boards.ie/vbulletin/showpost.php?p=53518274&postcount=11

Croc

In the event that Matts suggestion does not work do the following.

Go to http://www.ubcd4win.com

Download it, extract the file to your hard-drive.
It should create a shortcut to your desktop called PE or Pe Builder

Run the program. (Make sure you have Windows CD In Your Drive)
First Field Tell Computer location of Windows Disk.
Second Field leave default setting.
Media Out Put (Click Radio Button To Create ISO Image)
Click "Plug ins Button" you will see list of programmes it has, update the Spyware & Anti Virus Ones to latest Definitions. When finished updating go back to main window and click "Build Button" If everything is ok it should build an ISO Image.
Burn the Image with Nero or some such burning programe.
Reboot you computer making sure to turn off System Restore in Control Panel.
Set you computer to boot from CD Drive (In Bios) it should boot from this CD you have created (Takes a while to boot be patient)
You will eventually boot to a windows like envioroment from where you can run the Spyware & Anti Virus.

Beauty of this method is you are not booting from your hard drive so what ever is infecting the PC cannot startup hence allowing you to remove it.

Make sure you turn off System Restore because you may reinfect the PC again after you reboot, as most of these viruses etc can restore them selves from System Restore" Don't forget to turn on System Restore when you are done

Soundman

Yeah well my cat smells better than your cat. So neeener neener neeeeeener!

Lads. The OP is looking for help. He isn't looking to watch some atrocious drama programme.

matt-dublin

Soundman wrote:

Yeah well my cat smells better than your cat. So neeener neener neeeeeener!

Lads. The OP is looking for help. He isn't looking to watch some atrocious drama programme.

agreed, time to move on...

jmck87

oh i love geek fights.... please continue...

yee are sad lads, like 2 year olds...

pid()

To remove the errors relating to privacy_danger, remove its folder in c:\windows and also delete your temporary internet files to stop the error which will pop up once the privacy_danger folder is removed.

Nick_oliveri

"neeener neener neener" roflage! :P
Sounds like a nasty virus. I was nearly stupid enough to click that link in the OP! Is it evil?

matt-dublin

the link is fine, it just points to a webpage with a link to install anti spyware...

Package

i dont give a **** who argues with who, once between the two of you it ets fixed. firstly heres the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:30 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINDOWS\duocore.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wireless Presenter] C:\Program Files\Nokia\Nokia Wireless Presenter\Wireless Presenter.exe /NOSPLASH
O4 - HKCU\..\Run: [SecurePCCleaner] C:\Program Files\SecurePCCleaner\GDC.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\suzan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O21 - SSODL: wmpenv - {997FD978-8B25-4440-811C-9DD2A816493E} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {C168A5C5-AACA-4D1B-942C-D2CE735ED47A} - C:\WINDOWS\wmpconf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6593 bytes



so, if everyone is in agreement. whats next????

Package

ok. the fake background seems to have gone for good. but there is still an annoying pop up box which reads this

"windows has detected an internal attack attempt.somebodys trying to infect your pc with harmful spyware or harmful viruses. run full system scan now to protect your pc from internal attacks, hijacking attempts and spyware. click here to download spyware remover for total prtection"

ActorSeeksJob

Lol Package, do the following

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINDOWS\duocore.dll
O4 - HKCU\..\Run: [SecurePCCleaner] C:\Program Files\SecurePCCleaner\GDC.exe
O21 - SSODL: wmpenv - {997FD978-8B25-4440-811C-9DD2A816493E} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {C168A5C5-AACA-4D1B-942C-D2CE735ED47A} - C:\WINDOWS\wmpconf.dll


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

3. Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

SecurePCCleaner




Please download OTMoveIt by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINDOWS\duocore.dll
  C:\Program Files\SecurePCCleaner
  C:\WINDOWS\wmpenv.dll
  C:\WINDOWS\wmpconf.dll
  
  
• Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
• Click the red Moveit! button.
• Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.


So in your next reply please post the following : the SmitfraudFix report, a new HijackThis log, the OTMoveIt results, and tell me how your PC is running now and if you had any problems.

Package

thanks for the speedy reply mate. ill do it tomorrow when my heads not about to explode. thanks again