« The Cry of the Gray Fox | Main | Summer Camp »
August 7, 2008
Warning Spyware Detected On Your Computer
Lord God, I got ahold of a nasty computer virus yesterday. My desktop was changed to say "Warning Spyware Detected On Your Computer" and some nonsense like that. I followed the directions here and got it removed after much handwringing. At the end of the day, I have installed an additional software program called Spywareblaster, which provides additional protection against spyware. Spywareblaster doesn't have to be running as a TSR to work apparently. You configure it to protect each brower (IE, FireFox) and restrict site access, and then shut it down. It's free if you update it manually, or you can set it to update automagically for a fee.
Update: In response to Alice's question, I was never 100% sure what the name of the virus/trojan was that infected my PC. I know how and when I became infected, but I was never able to pin down the exact name of the beast.
I've posted more details in the extended entry.
I installed and executed HijackThis. Here's my HijackThis log file.
I ran this the following commands as a bat file named look.bat which I created in notepad and executed from my desktop:
regedit /e peek1.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e peek2.txt "HKEY_CURRENT_USER\Control Panel\Desktop"
regedit /e peek3.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
del peek*.txt
start notepad look.txt
The results of this were saved as look.txt on my desktop:
After reviewing the results in the look.txt file, I saw that a bunch of garbage in there that is apparently a randomly generated program name.
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphcrg3j0e14t.scr"
In my case, something called blphcrg3j0e14t.scr was set up as my screen saver. This prevented me from modifying my desktop, and loaded itself when I rebooted, etc.
I used HijackThis to kill some processes named blphcrg3j0e14t, and then I was on the right path to recovery.
After I got Spybot Search & Destroy and Lavasoft AdAware, and Avast to all say my PC was clean, then I went to Panda Security and ran an online scan(Note: You have to use Internet Explorer for this scan to work.
After running the Panda Security scan, if it finds any problems, you can view the results online or click on the little icon next to "Export to:" about halfway down on the right side and you can save the results to a text file. I then cleaned up any remaining problems by deleting any files Panda thought were infected or suspicious. :)
Posted by Rob Kiser on August 7, 2008 at 12:11 PM
Comments
So what was it your computer was infected with?
Posted by: Alice H on August 7, 2008 at 12:26 PM
I think that's one of the Smitfrauds. I'll keep my fingers crossed that you got your computer completely cleaned, that's a nasty one.
On a side note, if you're using HijackThis, it's a good idea to rename the executable. Some malware has been designed to hide from hijackthis.exe.
We've had very good luck with ESET's Nod32 AV, coupled with Spybot S&D and Malwarebytes Anti-Malware. (I'm paranoid, so I scan my computer quite a bit, but part of that is because one of the things I do for a living is medical software testing, the developer I work with doesn't really bother with AV software, and I'd be pretty upset at myself if I passed him something that got into a piece of medical software.) Nod32 has a very small memory footprint, and in all my years of poking around in places I shouldn't, only one nasty has gotten past it.
Posted by: Alice H on August 9, 2008 at 8:18 AM