Hey guys!
My wife seems to be having difficulties with ordering stuff on her laptop.
When she places an order for an item she is taken to the shown in the attached image.
The websites she has this happened on are www.warehouse.com www.pet-supermarket.co.uk and www.petersofkensington.com.au
I have tried using AVG to scan for viruses and also malwarebytes anti-malware but nothing came up. My wife sent an email to Visa and they were very negative and said they could not deal with it.
Any ideas what this could be, as it is getting annoying that she has to use my laptop to order stuff online.
-
install and use firefox, with the noscript and adblock plus add-ons.
check for rootkits with gmer or similar.
[edit] also use gmer's mbr.exe program.
--
"a lot of people are better dead" - prisoner KSC2-303 -
Perhaps on her laptop she had selected those sites to remember her password and info, so all she has to do is plug in the credit card info.
What We Do In Life, Echoes In Eternity.... -
Thanks aedipuss will try that!
Denvers dawgs: maybe but asking for her ATM number?! That's dodgy to me! -
ahh yes... that one slipped by me. That does seem fishy
What We Do In Life, Echoes In Eternity.... -
Download Malwarebytes & install, update the index and run the quick scan. I have a feeling it will come up with something.
-
--
"a lot of people are better dead" - prisoner KSC2-303 -
SUPERAntiSpyware will sometimes find things that Malwarebytes misses, and vice versa.
-
Possible spyware problem
You shouldn't use the machine at all until it's cleaned up. More importantly it shouldn't have any connectivity. You should visit a malware removal forum. -
malwarebytes in SAFE MODE. Superantispyware in SAFE MODE.
Sometimes the little viri hide during normal operation.
;/ l ,[____], Its a Jeep thing,
l---L---o||||||o- you wouldn't understand.
(.)_) (.)_)-----)_) "Only In A Jeep" -
That's dangerous advice. Based on your suggestion I tried running gmer's mbr.exe program and it restarted my computer immediately, causing me to lose a lot of data. If it did anything such as check for rootkits, there's no resulting log nor other feedback about it. The gmer website gives no operating instructions for mbr.exe that I can see. I've used gmer before and it seems safe enough and stable, but mbr.exe isn't...
-
mbr.exe is fine, it should leave a log in the same place it is. like this mbr.log file -
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: SAMSUNG_HD103SJ rev.1AJ100E4 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
1 ntkrnlpa!IofCallDriver[0x82C7D428] -> \Device\Harddisk0\DR0[0x8630C460]
3 CLASSPNP[0x8B67159E] -> ntkrnlpa!IofCallDriver[0x82C7D428] -> [0x85CC6918]
5 ACPI[0x8AE953B2] -> ntkrnlpa!IofCallDriver[0x82C7D428] -> \Device\Ide\IdeDeviceP2T0L0-2[0x861BC908]
kernel: MBR read successfully
user != kernel MBR !!
normally you should put it in the root of the c: drive and execute it from start/run/cmd with this command.
c:\mbr.exe -t>"c:\mbr.log"
if you get an access denied error, you will have to go into windows/system32 and execute cmd.exe as administrator.
--
"a lot of people are better dead" - prisoner KSC2-303 -
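Added example (not part of the thread and not GMER's own code): a small Python parser for the mbr.log format quoted in the post above. It extracts the read statuses and the disk trace, and reports whether the log contains the `user != kernel MBR !!` line; the function names and dictionary fields are assumptions made for this example.

```python
import re

# Sample input: the mbr.log text quoted in the post above (detector 0.4.2).
SAMPLE_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: SAMSUNG_HD103SJ rev.1AJ100E4 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
1 ntkrnlpa!IofCallDriver[0x82C7D428] -> \Device\Harddisk0\DR0[0x8630C460]
3 CLASSPNP[0x8B67159E] -> ntkrnlpa!IofCallDriver[0x82C7D428] -> [0x85CC6918]
5 ACPI[0x8AE953B2] -> ntkrnlpa!IofCallDriver[0x82C7D428] -> \Device\Ide\IdeDeviceP2T0L0-2[0x861BC908]
kernel: MBR read successfully
user != kernel MBR !!
"""

HOP = re.compile(r"([^\[\]]*?)\[(0x[0-9A-Fa-f]+)\]")  # "name[0xADDR]"; name may be empty

def parse_mbr_log(text):
    """Parse mbr.log text into a dict (field names are this example's own)."""
    report = {"version": None, "reads": {}, "modules": [], "trace": [], "mismatch": False}
    for line in map(str.strip, text.splitlines()):
        version = re.search(r"detector (\S+) by Gmer", line)
        if version:
            report["version"] = version.group(1)
        elif line.startswith("called modules:"):
            report["modules"] = line.split(":", 1)[1].split()
        elif re.match(r"(user|kernel): MBR read", line):
            who, status = line.split(":", 1)
            report["reads"][who] = status.strip()
        elif re.match(r"\d+ ", line):  # numbered disk-trace line
            depth, chain = line.split(" ", 1)
            hops = [(m.group(1).strip() or None, m.group(2))
                    for m in map(HOP.search, chain.split("->")) if m]
            report["trace"].append((int(depth), hops))
        elif line.startswith("user != kernel MBR"):
            report["mismatch"] = True  # the detector's two MBR reads disagree
    return report

def unnamed_hops(report):
    """Trace targets printed as a bare address, with no module or device name."""
    return [(depth, addr) for depth, hops in report["trace"]
            for name, addr in hops if name is None]

if __name__ == "__main__":
    r = parse_mbr_log(SAMPLE_LOG)
    print("reads:", r["reads"])
    print("user/kernel MBR mismatch reported:", r["mismatch"])
    print("bare-address hops:", unnamed_hops(r))
```

An empty or missing log, as reported later in the thread, parses to a report with `version` set to `None` and no reads, which distinguishes "the tool never wrote output" from "the tool ran and found no mismatch".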
re MBR.exe
It gave an immediate black screen then my computer restarted. There's no log. It may work fine for you, but it's obviously unstable or buggy and doesn't work right on my computer. So I believe it's dangerous.
P.S. I've asked the gmer author about it...
Last edited by JohnnyBob; 21st May 2011 at 12:53.
-
if that were one of my computers i would have already re-formatted the boot drive and re-installed windows from scratch. it's got problems.
--
"a lot of people are better dead" - prisoner KSC2-303 -
I used Gmer to run a scan on the laptop and it managed to pick up a MBRoot/Sinowal@MBR code has been detected.
Only problem is I cannot seem to remove it.
But I have another problem! Since running mbr.exe and then Gmer and resetting the laptop, it is running so slow, it seems to struggle with playing sounds etc. on start up and during running -
That's a rogue site, don't enter any personal info on there. You should buy an AV like Kaspersky IS since I don't put great hope in the free ones. You can try one of these tools, they're free: http://www.kaspersky.com/au/virus-removal-tools (Kaspersky Virus Removal Tool is a utility designed to remove all types of infections from your computer.)
Or install the trial of Kaspersky, get it to do a full scan and change the settings under full scan to include rootkit scan; you can also change the scanning level from light to deep scan. Just look and try to understand which settings you need, it's highly customizable. -
-
If your Microsoft OS is legal ... you can install Microsoft Security Essentials ... I use it and works great.
Before ... that ..... I would use a 90 Day Norton Internet Security 2010 ... works great ... seems to check everything under the hood.
I received a computer that was infected ... Malwarebytes ... found 1200 infections.
I've also had 2 PCs that came from this family ... both had similar infections ... the Gateway Tower would barely respond. I had to turn off the PC and connect the hard drive to my PC and use Malwarebytes to scan the drive. It found and took off enough stuff that I was able to put the drive back in their Tower and finally I was able to browse around inside.
I ended up ... backing up their documents and stuff and re-installed WIN VISTA on it. -
--
"a lot of people are better dead" - prisoner KSC2-303 -
Ok I tried MS Security Essentials and Kaspersky, both picked up viruses and spyware and dealt with them. Thing is she is still getting the pop up shown in my first post!
-
Start with this:
Download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. Vista and Windows 7 right click and "run as admin.." After it initialises click the start scan button.
"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Save it and post its content. You can also find the log:
Root drive Local Disk (C) as TDSSKiller.2.5.15.0_04.08.2011_11.12.29_log.txt (name, version, date, time, log.txt) -
Seems like this problem is going from bad to worse!
I can't even get the laptop to boot now! No matter which option I choose, Safe mode, last known good config etc., Windows will not boot. It gets as far as beginning to load the profiles page and I get the BSD but it resets the laptop too quickly to see the error! -
--
"a lot of people are better dead" - prisoner KSC2-303 -
That's why a program like Acronis True Image is a must. As soon as I get my boot drive the way that I want it, I make a backup image. About once a month, I make a new backup (sometimes sooner if I make a lot of changes). I don't delete my older backups until I know that the newer backups are OK and I keep my first backup in case that I need to go back with a fresh install with just the essentials. I had to install a backup image a couple of days ago and Acronis said the image was corrupt so I had to install one from the middle of April. I have a small boot drive and keep all my important data on storage drives so if I lose something then it's not a big deal, I can just reinstall it but by making backup images, at least I don't have to reinstall everything.
-
If you make up a backup image with Acronis, aren't you just copying the virus/trojan/whatever to the backup, so that when you use that backup you infect your computer again?
-
You didn't understand what I wrote. You make the backup image when you have your system working right so that when something goes wrong then you have a clean image to go back to and reinstall. Why would anyone backup an infected image?
The reason that you keep your old backups is to make sure that there is nothing wrong with the newer ones. Once you know the newer backup is fine then you can delete the old backups.
The first thing to do before installing a backup image is to run the programs listed above (Malwarebytes and Superantispyware) to make sure you are not infected. People who maintain their systems run these programs periodically to make sure that their system is running fine. They run them anytime something seems a little out of whack, not just when a catastrophe hits.
If you made a backup two weeks ago of your system when it was in perfect working order and you got infected with a nasty virus that you could not get rid of today (this has happened to me before), then you would have a good backup image to restore to. Since the OP did not do this then he is probably screwed and will have to do a clean install to fix his problem. Maybe not, maybe he can eventually get it fixed but if he would've used a backup program to make a backup image then he would not have to go through the trouble he is going through, he could just install the backup image. -
The reason I mentioned it is because I had a friend that did daily acronis backups and he had a virus that was not apparent to him at the time he was doing the backup. So when the virus hit him hard he did the reconstruct from the acronis backup and it put the virus back on his machine. He had to format and start over with installing his OS and all of his programs.
-
That's why I like to keep my first image so If I have to, I can take it back to the way it was before I started upgrading it and adding new programs and uninstalling stuff that might've screwed it up.
I also use a program called getdataback which has saved me more than once. Just this week, it acted like I got hit by a virus while trying to watch a flash video on the internet (I hate flash). I got hit by a blue screen and my computer restarted. When it restarted, a program that I hadn't seen before popped up and started scanning. Said it was checking the integrity of my drives. Since I had been hit 5 or 6 times in the last two months by a similar trojan that started a fake MS Security program, I stopped the program and restarted in Safe Mode to get rid of the trojan. When I did, there was nothing listed in Programs. No problem I thought. I'll just reinstall my backup. When I tried, it said that my last backup was corrupt and I installed the one before. When I started Windows, I could see all of my drives and I could open the folders and play the videos etc... but everything looked like it was hidden so I knew there was something definitely wrong with the drives. Used one of my HD tools to check the drives and it said 5 of the 6 drives were bad. I've spent the last three days recovering the files from the drives, reformatting them and reinstalling everything off the drives. These were all 1TB drives. I don't know if it was from the website I was watching the video or because I had just defragged all those drives the day before. I had read before that you didn't need to defrag large storage drives but I ignored that advice and did it anyway. I don't think I'll defrag them again. Just my boot drive. -
So I'm assuming the virus/spyware has totally buggered the laptop?!
Would I be able to load the drive another way and attempt to clean instead of formatting? -
I would download the Kaspersky Internet Security trial (if you don't want to pay at the end, just uninstall it), go to full scan, and select rootkit and deep scan, which could take a while. Once it's removed I'd do a Malwarebytes (free) full scan, run a disk cleanup, then uninstall Firefox/Internet Explorer and reinstall (mozilla.com = Firefox, microsoft.com = IExp).
If it says it can't disinfect, just delete it as it's probably a virus, or quarantine if you're not sure, as there are barely any false positives, unlike the free AVG, which thinks everything is a virus.