Tech Problem Aggregator

Blinking "Warning, Dangerous spyware...Trojan horse, PassCapture etc"

Q: Blinking "Warning, Dangerous spyware...Trojan horse, PassCapture etc"

I have searched the forum and tried many things but still could not get rid of this blinking "Warning - Dangerous spyware - Following viruses were found on your computer: Trojan horse, PassCapture and etc....."
Please Help!

H/W & OS: Dell laptop D630 - XP Pro SP3

Symptom: Got many pop ups in IE and Firefox. Desktop screen gone black with a box with blinking "Warning" and text listed below:

"Warning - Dangerous spyware - Following viruses were found on your computer: Trojan horse, PassCapture and etc.
Your private information may be potentially transferred to third parties.
Please, check your computer using advanced software. Thanks"

Actions taken so far:

- Ran Spybots and Malwarebytes several times, deleted infected objects and rebooted laptop.
- Ran McAfee OnDemand scan a few times and found no virus (???)
- Tried System Restore but it does not work, even in Safe Mode Command Line; I just can't click Next to restore any restore points.
- Ran Kaspersky's Online Scanner 7, found 7 objects infected
- Ran McAfee again and cleaned those infected objects. Rebooted the laptop and the message is still there....

Nothing works so far. Please help. Here are the logs:
=======================================

1) Malwarebytes' Anti-Malware Short scan found 7 infected objects. Removed & rebooted
Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 3

5/16/2009 4:46:00 PM
mbam-log-2009-05-16 (16-46-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147308
Time elapsed: 17 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2) Long scan indicated that "The scan has completed successfully. No malicious items were detected"

But the Black Screen and pop up "Warning, Dangerous Spy Ware...." are still there.

3) HijackThis Log:
===========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:53 PM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\StacSV.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\LANDesk\LDClient\LDIScn32.EXE
C:\WINDOWS\system32\MsgSys.EXE
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\myhang\My Documents\download\Antivirus\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0080822
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0080822
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\niwebazi.dll,c:\progra~1\ThunMail\testabd.dll
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13827 bytes


4) Here is a log from Kaspersky Online Scan --> Found 7 objects infected. I'm going to run McAfee again to see if it finds it.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 16, 2009 23:37:33
Records in database: 2186558
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\myhang\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 42990
Threat name: 2
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 00:35:24
File name / Threat name / Threats count
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0CSLQK9H\lsp[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.ekj 1
C:\WINDOWS\system32\dllcache\userinit.exe Infected: Trojan-Downloader.Win32.FraudLoad.ekj 1
C:\WINDOWS\system32\ntdll64.exe Infected: Trojan-Downloader.Win32.FraudLoad.ekj 1
C:\WINDOWS\system32\tuvikize.dll.tmp Infected: Packed.Win32.Krap.q 1
C:\WINDOWS\system32\userinit.exe Infected: Trojan-Downloader.Win32.FraudLoad.ekj 1
C:\WINDOWS\Temp\mousehook.dll Infected: Trojan-Downloader.Win32.FraudLoad.ekj 1
C:\WINDOWS\Temp\ntdll64.dll Infected: Trojan-Downloader.Win32.FraudLoad.ekj 1

The selected area was scanned.

A: Blinking "Warning, Dangerous spyware...Trojan horse, PassCapture etc"

It got worse. I ran virus scan and Malwarebytes' Anti-Malware, Spybots again and it found and removed about 8 more infected objects / trojan horse. Rebooted the laptop and now I cannot log on. It logs me out immediately from both user account and Administrator account.
Any suggestions besides reinstalling XP are appreciated.

Answer Match 98.1%

Hello. I seem to have a virus/trojan on my computer.

I get a message down in the tray saying "warning! security report. your computer is infected!it is recommended to start spyware cleaner tool."

If I click on it, it directs me to real- av.org

I am running windows xp, recently upgraded to SP3.

Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25:15, on 12/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acunetix\Web Vulnerability Scanner 5\WVSScheduler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Prog...

Answer Match 98.1%

Hello. I seem to have a virus/trojan on my computer.

I get a message down in the tray saying "warning! security report. your computer is infected! It is recommended to start spyware cleaner tool."

If I click on it, it does nothing.

I am running windows xp.

When I try to run any type of antispy programs it comes up with further errors such as TFORMAAW or TLVGrouper and closes.

When I try to go to Task Manager it refuses. It states that the Administrator has not allowed. However I am the only administrator account.

Please help!!
 

Answer Match 94.8%

I think I picked up a virus. I get constant pop ups in Firefox and Internet Explorer. My desktop has gone completely black and it says:

"Warning: Dangerous Spyware. Following viruses were found on your computer: Trojan horse, Passcapture and etc. Your private information may be potentially transferred to third parties. Please, check computer using advanced software. Thanks."

And when I try to open task manager it says that access has been denied by the administrator.

Please help!
Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:56 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\HCWemMON.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common F...

A:"Trojan Horse, PassCapture and etc." Black Desktop. Help!

Answer Match 92.1%

Hello!

Trying to help out a friend here ...

Her desktop has gone completely black and it says:

WARNING
Dangerous spyware
Following viruses were found on your computer: Trojan horse, PassCapture and etc.
Your private information may be potentially transferred to third parties.
Please, check computer using advanced software.
Thanks.

Task manager won't open, it says that access has been denied by the administrator.

Hijack This log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:35, on 2.06.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc....

A:"Trojan horse, PassCapture and etc."

Hello again!

After scanning the computer with Malwarebytes' Anti-Malware the virus/trojan seemed to have disappeared.

I'm going to observe the computer's behavior for a while before I close this topic.
F.
 

Answer Match 102.06%

I have run webroot antivirus with antispyware, several times. Every time I do, it finds the same virus (sometimes others with similar names). This is from the latest scan:

Mal/EncPk-CZ
Troj/FakeAle-FK

and some cookies. However often I quarantine them, they reappear on the next scan and I also can't get the desktop to go back to its normal appearance, it's gone white with a big warning (as above) and refers to:

win32/adware.virtumonde
win32/privacyremover.M64

having been detected on my computer.

I have gone through the 5 steps.

This is the active scan log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-21 18:37:14
PROTECTIONS: 1
MALWARE: 13
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Webroot AntiVirus with AntiSpyware 5.8.1.55 Yes Yes
;==============================================================================================...

A:Can't get rid of "Troj/FakeAle-FK" and "Warning! Spyware detected on your Computer!"

Hi Henry


Disable SpySweeper's realtime protection:
Open Spysweeper and click on Options.
Choose Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any...

Answer Match 97.44%

My computer is Windows XP Service Pack 3.
I always use Firefox and never use Microsoft explorer.
My computer runs AVG 9.0.830 Free.

On 6/30/10 my computer detected Trojan horse Clicker.AJSF. This was followed immediately afterwards with the detection of Trojan horse Downloader.Agent2.YIZ. This was accompanied by the noise of clicking anywhere from every 10 seconds to every 2 minutes. This went away after a few runs of AVG. Occasionally the volume balance would lower itself to zero. The Trojan horse Clicker.AJSF was located in the following places:
C:\Documents and Settings\corboybp\Local Settings\Temp\119889546
C:\Documents and Settings\corboybp\Application Data\Sun\Java\deployment\cache\6.0\4\3c0ae\784-3513414
The Trojan horse Downloader.Agent2.YIZ was located in the following places:
C:\Documents and Settings\corboybp\Local Settings\Temp\loader.exe
C:\Documents and Settings\corboybp\Local Settings\Temp\smss.exe

All was quiet until 7/7/10 when Trojan horse Downloader.Agent2.YIZ showed up again; however, no symptoms were notable. It was located in the following places:
C:\System Volume Information\Microsoft\smss.exe
C:\System Volume Information\Microsoft\services.exe

Today the scan discovered Trojan horse Downloader.Agent2.YIZ located in the following locations:
C:\System Volume Information\Microsoft\smss.exe (1064)
C:\System Volume Information\Microsoft\smss.exe Result: object is inaccessible
C:\System Volume Information\Microsoft\servic...

A:Trojan horse Clicker.AJSF "congratulations you won!" Trojan horse Downloader.Agent2.Y

Hi,

Please do the following:

Download Bootkit remover to your desktop
This is a rar file; if you do not have a program to open it then download and install Peazip
Extract Remover.exe to your desktop
Double click Remover.exe to run it
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Now open a notepad and press Control+V
Post the resultant log here please



NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and...

Answer Match 94.08%

Hi,

I have been getting a "warning spyware detected on your computer install an spyware.." on my desktop wallpaper for the past two days.

I read about a similar problem on this forum. Thanks in advance for your help.

I ran SUPER Anti spyware, then ran combofix and then HJT. I'll post the logs in that order. Right now the message has gone, but I guess it's still not fixed.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2008 at 03:22 PM

Application Version : 4.15.1000

Core Rules Database Version : 3503
Trace Rules Database Version: 1494

Scan type : Complete Scan
Total Scan Time : 01:31:36

Memory items scanned : 603
Memory threats detected : 2
Registry items scanned : 5735
Registry threats detected : 1
File items scanned : 105474
File threats detected : 242

Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\LPHC5Q4J0EV87.EXE
C:\WINDOWS\SYSTEM32\LPHC5Q4J0EV87.EXE
[lphc5q4j0ev87] C:\WINDOWS\SYSTEM32\LPHC5Q4J0EV87.EXE

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHC5Q4J0EV87.SCR
C:\WINDOWS\SYSTEM32\BLPHC5Q4J0EV87.SCR
C:\WINDOWS\Prefetch\BLPHC5Q4J0EV87.SCR-206729A6.pf

Adware.Tracking Cookie
C:\Documents and Settings\Jazz\Cookies\[email protected][1].txt
C:\Documents and Settings\Jazz\Cookies\[email protected][1].txt
C:\Documents and Settings\Jazz\Cookies\[email protected][1].txt
C:\Documents and Settings\Jazz\Cookies\[email protected][1].txt
C:\Documents and Settings\Jazz\Cookies\[email protected][2].t...

A:Getting a "warning spyware detected on your computer install an spyware.." on desktop

Answer Match 91.98%

I had the virus Trojan Horse, passcapture and used Malwarebytes Anti-Malware to fix it; however, now my computer just starts up, logs on and immediately logs back out to the "sign in" screen. Is there a way to fix this, or did this destroy a driver?

A:Had Trojan Horse passcapture, now computer won't start up

Can you boot into Safe Mode? How to start Windows in Safe Mode

Answer Match 90.72%

Hi,

My laptop has been infected, as a result I am seeing a blue background with a rectangular box in the middle. The top half of this box is yellow and says "Warning! Spyware detected on your computer." The bottom half is blue and says "Install an antivirus or spyware remover to clean your computer."

I have run Norton, Grisoft and Spy-Bot, none of which has removed it.

This is the Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:07 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Java\jre1.6.0_05\bin\j...

A:[SOLVED] "Warning! Spyware detected on your computer..." message on desktop

Welcome to TSF.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/dow...in/actxcab.cab
O16 - DPF: {FE6A3E85-0F6C-49AD-8843-68FF44E7EEA9} - http://plugin.secureservicepack.com/...ervicepack.cab
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)

1. Download combofix at http://www.techsupportforum.com/sect...s/ComboFix.exe or http://download.bleepingcomputer.com/sUBs/ComboFix.exe. Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

7 more replies
Answer Match 90.72%

Hi!

Yesterday, I got a virus which changed the background of my Windows XP to a blue background with the message "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer."

Also, my screensaver has been changed to a fake BSOD and then the Windows startup screen which is highly irritating! On top of this, I am being bombarded with pop ups and redirections when using the internet.

Here is a copy of my HijackThis log:


Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BLUETOOTH\Bluetooth Software\bin\btwdins.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\TalkTalk Online Security\backweb\81720\program\fsbwsys.exe
C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex...

A:Virus- Background changed to "Warning! Spyware detected on your computer!"

Anyone?

5 more replies
Answer Match 90.72%

Earlier this evening I randomly got 3 or 4 pop-up windows that were followed by a blue screen.
In a panic or something I pressed enter and the blue screen went away. Everything closed immediately by itself and then showed my desktop.
Ever since, my background is blue with a yellow box that reads
"Warning! Spyware detected on your computer!
Install an antivirus or spyware remover to clean your computer."

I haven't noticed any difference in how my computer is running, other than the fact that I have no desktop control.
When I right-click my desktop I can't change my wallpaper or any desktop settings.

I keep getting blue screens that go away after I press enter, although, my computer did shut off after I got one of the screens.

I've read posts relating to this but tried following the steps and things were too different.

Any help is appreciated. Thank you!

Here is my Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:23 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ...

A:Blue background that reads: "Warning! Spyware detected on your computer."

Hello, and welcome.

Scans are best run in normal mode unless otherwise instructed.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

1 more replies
Answer Match 90.72%

I downloaded a virus yesterday (8/10) trying to open a video of the opening ceremony of the Olympics (I do not remember the exact URL). The virus was disguised as a video codec for Windows Mediaplayer. After I downloaded the file, a blue screen with a warning in a yellow box replaced my desktop image. The warning says:

"Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer."

I have tried to remove it with McAfee Antivirus and with a Virus Removal tool I got from my University, but neither of these was able to remove the program. Can you help me?

I attached the two log files below. If you need any additional information, please let me know.

Thanks!

****************Active Scan Log************************
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-11 16:20:06
PROTECTIONS: 1
MALWARE: 37
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================================================...

A:Desktop Image Virus - "Warning! Spyware Detected On Your Computer"

Looking over your log, back ASAP.

13 more replies
Answer Match 90.72%

Help, I keep on getting a "Windows Security Alert" popup appearing that says:

"Warning ! Potential Spyware Operation!

Your computer is making unauthorised copies of your system and
Internet files. Run full scan now to prevent any unauthorised access
to your files! Click YES to download spyware remover ..."

This is currently appearing about every 5 minutes.

Also, I ran Spybot S&D, and it detected and removed Smitfraud.C

I just checked in my startup folder and found 2 programs that I think shouldn't be there "autorun.exe" and "system.exe"

What's going on here?
Logfile of HijackThis v1.99.1
Scan saved at 9:38:26 AM, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\SUPERVOC\PROGRAM\PICPMON.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\Z...

A:Solved: Regular popups - "Warning! Potential Spyware Operation!"

12 more replies
Answer Match 90.72%

Need help to fix, my CA spyware won't get rid of it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:14 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Securit...

More replies
Answer Match 90.72%

Please help.
I am running Windows XP Home Edition SP2 with McAfee.
This problem just occurred last night.
Cannot remove this new "picture" from my desktop background, as the Display Properties options have been limited to the tabs "theme", "appearance", and "settings". Also, McAfee wasn't in my taskbar as usual, so I had to run it from Start. So far it has found nothing.

My new background image is like this:
In an orange box: "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer"
In a white box right below:
"Warning! Win32/Adware.Virtumonde Detected on your computer"
"Warning! Win32/PrivacyRemover.M64 Detected on your computer"
On the very bottom, the words in the image of a clickable button:
"Please activate your antivirus software to Clean your computer"

Here is my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:31 AM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Pr...

More replies
Answer Match 90.72%

All of a sudden my screen went blue with a yellow box saying "warning spyware detected".
It has apparently happened to lots of people but there is no quick fix. Can someone please talk me thru how to fix this?

thanks in advance for any help

josh

A:Blue Screen with yellow box "Warning Spyware Detected" Please help

Get yourself a spyware removal tool - I think they have a forum here for that.

3 more replies
Answer Match 90.72%

I was recently the victim of a virus/spyware/trojan (probably all 3!) programme which did a number of obvious things:

1. Changed my background to a black screen with "warning: Spyware detected…" 'ahtn.html' is now my background.
2. Caused me to receive warning messages every few minutes, pretending to have run a scan on the computer (little red "X" next to the clock)
3. Took me to an internet page to download some virus fixing software (don't worry I didn't do anything [else] stupid like downloading it).
4. Disabled Task Manager
5. Keeps disabling resident scan on Avast
6. Probably much more...

Since the malicious software installed itself I have disabled my network card; rebooted the machine to 'safe mode without networking' and performed a quick and (now doing) thorough scan of all hard drives using Avast (should be up to date since it's always telling me it's done a database update). Although it claims to have found a series of Trojans I am not convinced it's on top of things and haven't ventured back into 'Normal Windows' or onto the www yet.

Also; I have a number of hard drives installed into this system... the avast scan is taking an age since it goes through them all... am I best going inside the box and disconnecting them before starting this? I suppose the query is if the malicious software moves between drives or just stays on my main C-drive.


Thank you in advance for your advice; I've read a number of posts from this board and...

A:"warning: Spyware detected…" 'ahtn.html' is now my background

By the way; this is all being run from within 'Safe Mode without Networking'.
I have not read anywhere that this isn't ok so I hope it is.

Thanks for reading.

18 more replies
Answer Match 90.72%

Hi, my computer was infected yesterday after I downloaded what I thought was a software update. My computer desktop background was changed to a blue background displaying the message "Warning! Spyware detected on computer! Install an anti-virus or spy remover to clean you computer".

McAfee detected a trojan and deleted it immediately, I then physically disconnected from the internet straight away, looked at the task manager deleted the file B2E.exe that was running from the temp directory. The software tried to take me to a bogus website to download their software and this was blocked by firefox =).

I then ran spybot, followed by panda activescan and HijackThis, the logs are below, could any experts help me out here? I googled and found websites that tell you how to remove this manually, but not sure if this would be applicable for every computer and the adware may have changed since.

Thanks in advance

Panda activescan log

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-17 18:53:59
PROTECTIONS: 1
MALWARE: 5
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Up...

A:Help - "Warning! Spyware detected on computer!" on desktop background

Hi js200605


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

13 more replies
Answer Match 90.72%

I was recently the victim of a virus/spyware/trojan (probably all 3!) programme which did a number of obvious things:

1. Changed my background to a black screen with "warning: Spyware detected…" 'ahtn.html' is now my background.
2. Caused me to receive warning messages every few minutes, pretending to have run a scan on the computer (little red "X" next to the clock)
3. Took me to an internet page to download some virus fixing software (don't worry I didn't do anything [else] stupid like downloading it).
4. Disabled Task Manager
5. Keeps disabling resident scan on Avast
6. Probably much more...

Since the malicious software installed itself I have disabled my network card; rebooted the machine to 'safe mode without networking' and performed a quick and (now doing) thorough scan of all hard drives using Avast (should be up to date since it's always telling me it's done a database update). Although it claims to have found a series of Trojans I am not convinced it's on top of things and haven't ventured back into 'Normal Windows' or onto the www yet.

I have downloaded to a USB stick (on second PC, laptop) the following which I could run this evening when I return home from work...
dds.scr (from sticky link on this forum)
Malwarebytes Anti-Malware
Spybot Search & Destroy
Ad-Aware
and ComboFix (already read: http://www.techsupportforum.com/f100...ml#post1829551 so not going to run it (if at all) until instructed to)

I used the qualifie...

A:"warning: Spyware detected…" 'ahtn.html' is now my background

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Answer Match 90.72%

Was surfing around yesterday and noticed this new background was loaded without my approval. Also, it will not let me access background / screen saver settings.

Here is my HJT log,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:47 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program File...

A:Same problem: Blue background "Warning! Spyware detected"

I forgot to mention that I have Norton Internet Security 2008 and have run the virus scan 2 times. Each time it finds and deletes problems, but never fixes the problem.
 

1 more replies
Answer Match 90.72%

My buddy opened up an email and downloaded some sort of virus/malware/adware that I cannot get rid of. My background is blue, and there's a yellow box that reads "Warning! Spyware detected on your computer! Install an anti-virus or spyware remover to clean your computer." Malwarebyte's and AVG both didn't detect anything, and I'm out of options. If anyone could help it would be GREATLY appreciated.
Here is my HijackThis log...
Logfile of HijackThis v1.99.1
Scan saved at 11:05:50 PM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vie...

A:Blue background "Warning! Spyware detected on your computer"

Hi, Welcome to TSG!!
Run HJT again and put a check in the following:

O4 - HKLM\..\Run: [lphcrtwj0eva5] C:\WINDOWS\system32\lphcrtwj0eva5.exe

Close all applications and browser windows before you click "fix checked".

Please download the OTMoveIt2 by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
C:\WINDOWS\system32\lphcrtwj0eva5.exe

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it w...

1 more replies
Answer Match 90.72%

I have a similar problem to what I have read from other users in this forum, however my desktop has been turned into a white background and the popup has a red background header; below the red header in the popup, it claims, "Warning! Win32/Adware.Virtumonde Detected on your computer" and "Warning! Win32/PrivacyRemover.M64 Detected on your computer".

This began yesterday while I was working online.

I purchased a cd and installed Webroot Spysweeper, but it only found low risk cookies.

I tried an online trial version of XoftSpySE and it found two trojans (Downloader Agent BXW Trojan), but it won't clean them unless I purchase the full version. I would, but I'm afraid to disclose personal financial info online in order to purchase the full version.

I did the same thing for "Registry Fix" Version 7, but I can't remove the found problems without registering online - I don't want to do that either for fear my personal financial info will be exposed.

If I try to open any file folder on my desktop, I get a Windows popup that says Windows Explorer has encountered a problem and needs to close. I can open the two or three files on my desktop that are files - not folders - however, they are just doc files or similar.

If I try to access my Control Panel, nothing happens.

MOST IMPORTANT:
I have read your "Start Here" posts and cannot complete some of your instructions. If I try to go online to download a version of anti-spywa...

A:Popup "Warning! Spyware detected on your computer!" New version

I was given a bootable Kaspersky "rescue" cd today. I ran the disc and, after it did whatever it does, a black screen with a window opened. It was an operational window, so I chose "Scan drive c" and it returned with a message that my computer was at high risk. I clicked the "Fix-it Now", but it said the "databases were out of date" and should be updated. OK... however, there was no button or other mechanism to do this. I removed the cd and rebooted the computer. I am right where I was before.

I cannot go online to any anti-spy or anti-virus sites. It appears as though this virus recognizes those sites and prohibits me from going there. I typically get a message that reads, "Unable to connect." with a "Try again" button. I can't even go to this website!! I have to use my wife's computer to login here.

By the way, this is a problem on Firefox or IE. I can go to other sites, though. Yahoo, google, online stores, etc are accessible, but the desktop background is still hijacked and I have the same desktop warning window.

Remember... I can't remove it via any help from an online anti-spy or anti-virus site. If I try to access an anti-spy or antivirus site, I get the response as noted above. Unfortunately, this means I am not able to get past Step Two in your "5 steps before posting a log" thread. I did not find any rogue or suspect programs listed in step one.

It has been 24 hours wit...

1 more replies
Answer Match 90.72%

My father who is very new to internet surfing used my computer while I was away. When I came back there is this message shown as a desktop background "Warning! Spyware detected on your computer" and I could not make any change to the desktop background. I suspected it might be some kind of spyware, but I could be wrong since my computer always ran ZoneAlarm and AVG in the background.

I ran Panda ActiveScan and found that the computer is infected. The scan result is attached as a text file (activescan.txt). I then ran HiJackThis and below is the result. Please suggest what I should do next. Thanks in advance.

----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:21 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LV...

A:"Warning! Spyware detected on your computer" message on desktop

please help...

11 more replies
Answer Match 90.72%

Hey folks,

It looks like I've got a medley of virii. Prior to finding this forum, I attempted to fix the problem using several anti virus/spyware applications. While they found and apparently fixed some problems, the System Window entitled "Critical System Warning!" was not fixed, nor were the balloons that popped up from the system tray.

Here's what the System Window had to say:

Critical System Warning!
Your system is probably infected with the lastest version of Spyware.Cyberlog-X.
Type: Spyware
Infected Length: 266,129 bytes
Risk: High
Affected Systems: Windows 95, 98, 2000, NT, 2000 Server, Windows XP
Behavior: Cyberlog-X is a spyware program that monitors user activity, logs keystrokes, and track Web sites visited.
Symptims: Low Internet connection speed
Low System Performance
Secyrity center alerts
Strange pop up windows
Protection: Click OK to download antispyware software

After reading several posts, I ran ComboFix and it appeared to fix the obvious problems. Would someone mind looking at my logs to see if there are any processes running in the background? Is there any script that I can drag and drop into ComboFix (or any other solution) that would remove these processes?


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:38:13, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.ex...

More replies
Answer Match 90.72%

Hello, my name is Devon and I'm fairly new to computers, so I probably won't understand most "big computer words", if you know what I mean.


Warning! Spyware detected on your computer!
Install an antivirus or spyware remover to clean your computer.

That is my wallpaper and I can't change it. It's in a yellow box on a blue background, and in my Desktop Properties, there's no wallpaper tab, so I cannot change it.

Screenshot : http://i35.tinypic.com/2nveccg.jpg (Sorry if not allowed)
I'm sure you've seen it before

I have an emachines computer, service pack 2, Windows XP.

I have Avira AntiVir Personal free antivirus and I scanned the systems folder, found some viruses and deleted them, but still no luck.

ANY HELP IS VERY MUCH APPRECIATED!



Mod's Message

Please note that this section of the forum is very busy, and re-familiarize yourself with the Bumping Rules found in Step 5 of our sticky topic Important - Please Read This Before Posting for Malware Removal Help, which you should have read before posting. We ask that no one bump a thread before 72 hrs have passed, and then, only once. Premature bump posts will be deleted.

Thanks for understanding.

A:blue "Warning! Spyware detected on your computer!" Wallpaper

wow no help?

3 more replies
Answer Match 90.72%

Every time I restart my computer the desktop is changed to a blue background with a yellow message reading "Warning! Spyware detected on your computer. Install Antivirus or Spyware Removal to clean your computer." My screen saver is changed to bugs. And it also changes the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies" so that there is no background or screen saver tab in the display options.

I have followed the instructions for this problem from other threads to no avail. I have rebooted in safe mode, ran smitRem, Hijack This!, Ad Aware, AVG, Kaspersky, Registry Mechanic, scan disk, and disk clean up.

All of this and still every time I reboot it comes back up. I will include my current Hijack This! file.

Logfile of HijackThis v1.99.1
Scan saved at 1:02:39 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WI... Read more

A:Desktop Hijacked "Warning! Spyware detected on your computer."

It sounds like you have been attacked with malware.

Don't Panic! The HJT Support Team are very proficient with these sorts of things.

With that said, we recommend that you read this article… "IMPORTANT - 5 Step Process: Read This Before Posting For Malware Removal Help"; follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the HiJackThis Log Help Forum.
(Simply, click on the coloured links to be re-directed.)

Please ensure that you create a new thread in the HiJackThis Log Help Forum; not back here in this one.

When carrying out The 5 Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed.
However, it is extremely important to make mention of the fact that you could not complete any of the steps in your post to The HJT Help Forum; where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

After your system has been verified as clean, if you are still experiencing those problems come back here and we will assist you further.

4 more replies
Answer Match 90.72%

I am infected with this crap and have used the following tools to try to get rid of it:
Windows Defender, Uniblue PowerSuite (SpeedUpMyPC, Registry Booster & Spyware Protector) and Norton's One Button Checkup and WinDoctor.

Not sure if it's related, but my DISPLAY is locked at 640 X 480.

Attempted the 5 Step Process before posting and Panda ActiveScan froze and crashed after scanning 59253 files, but not before identifying 28 spyware files.

Here's my extra.txt log from Deckard's:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 36%
Physical Memory (total/avail): 1277.95 MiB / 810.39 MiB
Pagefile Memory (total/avail): 1516.89 MiB / 1165.44 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.88 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.21 GiB total, 18.7 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST340014A - 37.25 GiB - 1 partition
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled... Read more

A:Netsky Worm-Popups-The Three Icons - "Error Cleaner" "Privacy Protector" "Spyware..."

Bump.

14 more replies
Answer Match 90.72%

Hi,

This morning my laptop suddenly began displaying a "Warning! Spyware detected on your computer" desktop message. I tried running AVG, but it did not resolve the problem. The issue seems to be related to Agent.AADP and Generic_c.VCZ trojans.

I've followed all five steps of the tutorial. My HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:05 PM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOW... Read more

A:"Warning! Spyware detected on your computer" desktop - Agent.AADP / Generic_c.VCZ

Hello and welcome to TSF.

Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it's taking us longer to catch up. If you haven't received help elsewhere already and still require assistance please perform the following:

Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box: C:\rsit\info.txt

Click Upload.

14 more replies
Answer Match 90.72%

My desktop has all turned blue with a background-like warning image. It has a message "SPYWARE INFECTION" Your system is infected with spyware.

I cannot change my wallpaper at all. I have lost the option. Please help get rid of the infection.

Here are the results of my Hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:31 PM, on 20/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
D:\ANTIVI~1\AVG\avgcc.exe
C:\WINDOWS\system32\svchost.exe
E:\Downloads\SpyWareApps\Popups and Ads\Advertising Killer\akiller.exe
D:\AVGAntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
D:\ANTIVI~1\AVG\avgamsvr.exe
D:\ANTIVI~1\AVG\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=6... Read more

A:Solved: VIRUS; HELP!! My desktop is blue with a "spyware infection" warning-like back

16 more replies
Answer Match 90.72%

Hi,

I am trying to fix my friend's computer (the key word here is *trying*) and I ran across some things that I have no idea how to fix. First off, I used Spybot Search and Destroy in Normal mode and Safe mode to try and get rid of as much as possible. Even after doing this, I am still getting the world's most annoying messagebox with the title of "Windows Security Alert" The body of the messagebox reads as follows: "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unauthorised access to your files! Click YES to download spyware remover . . ." I have no idea how to get rid of this.

Also, when trying to go to Add/Remove Programs in Control Panel, I find that I can no longer access Control Panel (it says that the operation is cancelled due to restrictions on this computer, but there is only one account and it is admin). Now, Control Panel no longer shows up anywhere!

Posted below is my HijackThis file. I would appreciate any help with this matter. Thanks!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:20 AM, on 3/21/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Pro... Read more

A:"Warning! Potential Spyware Operation!" messagebox and unaccessible Control Panel

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning pr... Read more

3 more replies
Answer Match 90.3%

A box with the error: "Warning! Potential Spyware Operation" and a yes or no option to take me to an infected website, pops up every 5 min. It also has blocked my desktop background, my control panel and my task manager. Here goes my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:05:48, on 1/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Arquivos de programas\Synaptics\SynTP\SynTPLpr.exe
C:\Arquivos de programas\Synaptics\SynTP\SynTPEnh.exe
C:\Arquivos de programas\Launch Manager\QtZgAcer.EXE
C:\Arquivos de programas\Java\j2re1.4.2_01\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\VPTray.exe
C:\WINDOWS\VM_STI.EXE
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de program... Read more

A:"Warning! Potential Spyware Operation" spyware

I ran the Smitfraudfix and also the Fdfix. Neither of them helped.
 

1 more replies
Answer Match 90.3%

I have several pop-ups that repeatedly show up, and my desktop background is plagued with "Warning: Spyware threat detected on your pc" with a hyperlink to fake live security center.

I have no idea what to do,

and thank you so much in advance for any help you may be able to provide.

Here is my main.txt, but extra.txt will not show up:

Deckard's System Scanner v20071014.68
Run by Mike on 2008-04-15 20:41:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).
System Drive C: has 5.96 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-15 20:41:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\WINDOWS\... Read more

A:Help Please!: AntiSpyStorm and "Warning: Spyware threat" background

Hello!

Welcome to forums!

I am sorry for the delayed response but the forums have been busy lately!

I have bad news for you ):

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

1 more replies
Answer Match 90.3%

This message is on the center of my desktop whenever the computer's started and stays there. The top of the box is yellow and says in black text "Warning! Spyware detected on your computer." The bottom is blue with white text and says "Install an antivirus or spyware remover to clean your computer."

I ran Spybot, it found nothing. I cannot run Ad-Watch, the program starts and then immediately closes as well so I assume that whatever's going on is attempting to block real "ad removal" programs.

Plus now my computer is unstable, it's about as bad as a two legged table in an earthquake, I was getting blue screens while doing the online Panda Activescan, the errors were something like Panic something (Haha sorry I was trying to get some sleep while it was scanning and my half-awake self forgot to write down what was said). Anyhow here's the goods from the two logs.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:36 AM, on 8/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C... Read more

A:"Warning! Spyware detected" message on desktop

72 hour bump.

2 more replies
Answer Match 90.3%

Hello... and thanks in advance for helping!

I am the "Computer Support Technician" for my 75 year old very active business and close friend (I am actually an EE). For his birthday 2 days ago, he received a "greeting card" and the trouble began...

First he has (had) NIS 2008 with Live Update on and MS Automatic updates turned on. He scans his computer once a week.

We now have a very active HD with the Red and White warning box with "Warning! Spyware detected on your computer!" with the Warning! Win32/Adware.Virtumonde Detected on your computer along with Win32/PrivacyRemover.M64 listed ALL in the wallpaper background... of course in which you can't access

In the Services tab of MSConfig there are two RPC services shown... one stopped and one running... which I can't stop.

In the task manager processes I see a fairly busy svchost.exe taking up 3 percent of the time (just under the System Idle process)

NIS 2008 in safe mode found no virus. Thus I took over and use a version of AVAST that runs under BART PE (on a CD)... this found two trojans and a bad VBS file which it deleted.

So now the HD is very busy, and the computer slow. I can't kill the svchost.exe process... it wants then to shutdown after 60 seconds.

I do get blue screens of death... but they are fake as I can hit ESC and they go away.

I also can't install or uninstall anything... I get a The Windows Installer Service could not be accessed. I did find some comm... Read more

More replies
Answer Match 90.3%

I'm sure you have seen your fair share of these threads by now so I won't describe the problem unless you need me to. None of my anti-virus/spyware prevention has done anything. Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 21:02, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Progra... Read more

More replies
Answer Match 90.3%

I keep getting a popup banner near the top of my screen and I can't get it to go away. It says...

"warning: possible spyware or adware infection!....."

I am new to this Hijackthis stuff but here is what it tells me.....

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Shane Salley\Desktop\Downloads\HiJackThis_v2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (... Read more

A:[SOLVED] "warning: possible spyware or adware infection!....."

Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

If you still require assistance for this issue, and since it has been a few days since you first posted, please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do: create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your syste... Read more

3 more replies
Answer Match 90.3%

Hi, I downloaded some kind of malware on 7/22 and found this site through Google. I saw that you were able to help some others with this same problem. My desktop was hijacked, and now only shows a blue screen with a yellow box in the middle that says "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your system." I also do not have a screensaver anymore. Instead when my computer would normally go into a screensaver, it shows a blue screen instead. The first couple of times, I thought it really was a blue screen of death, but learned that if I hit enter, the blue screen will disappear.

I've done the 5 steps already and even though several trojans have been identified, this particular problem has not been resolved. I would sincerely appreciate your help.

I have the log from the panda scan, and from an Ad Aware scan I did before the Panda scan, both of which, I can post if either can be of use.


I am attaching the extra.txt file from DSS. I forget which scan program identified this, but one program highlighted c:\windows\system32\phcedtj0ejbe.bmp as a suspicious file that it was unable to delete. Maybe that's a starting point??

Again, I thank you for any assistance you can give.

This is the main.txt from DSS:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-27 20:57:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Re... Read more

A:"Warning! Spyware detected..." hijacked desktop

Hello and welcome.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

For Windows XP Service Pack 3, you may use the Recovery Console package for Windows XP Professional Service Pack 2.

http://www.microsoft.com/downloads/d...displaylang=en

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions along the way, STOP and ask them before proceeding.

13 more replies
Answer Match 90.3%

Yeah, somehow I got this spyware/malware and it's nasty! I can't get past the blue splash warning screen, and even in safe mode my system was crashing after a few minutes, requiring a reboot.

Others seem to have this same problem, I see, and I did a Hijackthis scan, too - however, I didn't seem to find the same problem lines in my output that others had, so I didn't want to run a Combofix without finding something first. Perhaps someone can assist.

FYI, I can only operate this computer in Safe Mode.

Here is my Hijackthis output:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19, on 2008-08-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CF8926.exe
C:\ComboFix2\nircmd.com
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4... Read more

More replies
Answer Match 90.3%

I'm a newbie, first time posting and I've been infected with a Virus. It masks itself with a Windows Security Alert (Windows Firewall has detected activity of harmful software, as the subheading) continual pop ups, less often now, don't know why, but perhaps it is more frequent when I'm surfing the internet. These pop-ups messages have included:

Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.HTML.BankFraud.dq
Trojan-Clicke.Win32.Tiny.h
Trojan-Downloads.Win32.Agentbq

Oh, also if I do not push control, shift, escape to get into my Windows Task Manager to end the annoying pop-up process that not too long and I will get a "blue-screen of death" that pretty soon corrects to try and boot into windows, but then only shows the first inkling of the windows bar with nothing strobing by and then goes back into a blue screen of death again, and then it starts a continuous loop in that fashion. I have to restart my computer.

Oh, also I did try another remedy from a thread somewhere, that from vague memory bits here, cleared my cookies etc and I think I even had to go boot in safe mode before I did 2 items, but I was supposed to have cleared my cookies then and instead had done it before not in that safe mode; maybe that is why that solution didn't work.

I've gone through the 5 steps suggested on these log boards before to post my log below (see at the end of this message); also to include will be the log from Panda Active scan below th... Read more

A:"Warning! Spyware Detected on your computer!" pop ups problem.

Hi


Disable Spybot's TeaTimer

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

1 more replies
Answer Match 90.3%

Hello,

I recently was infected with some sort of virus/spyware that changed my desktop indefinitely. I am unable to change the desktop back, and I'm assuming that the virus may be causing other issues as well. I use the Norton Utilities software, and it recently cleaned up my registry. Right after cleaning the registry, this problem arose..

Below is the posted Hijack log.. Any help would be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:57 PM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inf\rundll33.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\V... Read more

A:"Warning! Spyware detected on your computer" Desktop Bug

Hello and welcome to TSF.

HijackThis is no longer the preferred initial analysis tool in this forum.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Answer Match 90.3%

Hi all,

I recently got the "Warning" message on my desktop. I know nothing about computers...so could you guys help me?

After reading a recent post, I did learn about downloading/scanning with HijackThis. This is what I have so far.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:19 PM, on 7/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Fasoo DRM\fpm.exe
C:\Program Files\Fasoo DRM\fph.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lphcgbsj0e763.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA... Read more

A:I recently got the "Warning! Spyware detected on your computer!"

Hello and welcome to TSF

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

=======
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt<----Attached

1 more replies
Answer Match 90.3%

need help getting rid of it.....

i have windows xp

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:08:38, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TrayComm.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Win... Read more

A:Need help removing "Warning spyware detected on your computer"

Hello and Welcome. Apologies for any delay in replying, but we have been rather busy lately.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Since it has been a few days since you first posted, please do this:

---------------------------------------------------------------------------------------------
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

1 more replies
Answer Match 90.3%

I recently downloaded something and opened a file named "run.exe" and then my computer kinda died, the background changed to blue with a text in the middle, and when I don't move anything, larvas come from the sides and crawl all over the screen. Also, I get popups wanting me to buy stuff and Internet Explorer changed start site and leads me to weird stuff. With my 2nd computer I looked this up in Google but couldn't really find any good solution, since I didn't find something exactly the same, but I tried some anti spyware/malware programs, deleted some stuff. But now I'm stuck, the things I delete keep coming back. I have stopped getting popups but my screen is still blue (text is removed), and everything I try is "Disabled by Admin" which can't be true since I'm the only one on this computer. The start bar and icons are all gone and I can't right click anywhere either. Also where the clock should be it says "VIRUS DETECTED!!"

I use XP and have Kaspersky 7.0.

I'm gonna try to post a HJT file as soon as I get back to my PC.

Thx.
 

A:"Warning! Spyware Threat Detected On Your Computer!..."

Aight, I got the HJT

Logfile of HijackThis v1.99.1
Scan saved at 18:53: VIRUS ALERT!, on 2008-05-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program\Razer\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program\Delade filer\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\NetLimiter 2 Pro\NLClient.exe
C:\Program\Razer\razertra.exe
C:\Program\Razer\razerofa.exe
C:\Program\Delade filer\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\WinRAR\WinRAR.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Micke\LOKALA~1\Temp\Rar$EX17.4359\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Star... Read more

1 more replies
Answer Match 90.3%

I need help! Whenever I open IE, a page that says "warning! spyware detected" appears which directs me to something like an "internet-options" website. There is also this annoying popup about "american green card". I already used Spybot and Ad-Aware. Here is my HijackThis log. Thank you very much!

Logfile of HijackThis v1.98.2
Scan saved at 9:39:38 PM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\WINDOWS\yvdhmlvh.exe
C:\WINDOWS\system32\ntnut.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Sy... Read more

More replies
Answer Match 90.3%

..normal removal programs don't work...(adware, search destroy, spy subtract)

I have a desktop that is black with

"WARNING!
YOU'RE IN DANGER!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN."

Also

It has disabled the use of task manager (I get "task manager was disabled by your admin")

Many programs ask for IE to be fully closed and I can't get at the background image/window to close.

Please, any help would be great

My log is

Logfile of HijackThis v1.99.0
Scan saved at 10:31:55 PM, on 17/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE... Read more

A:"WARNING!"..spyware has disabled task manager

Print this out and boot to safe mode

Fix these entries

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: (no name) - {F93C90C4-039E-4461-8139-E41BD3A7327F} - C:\WINDOWS\System32\hfobc.dll (file missing)

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe

View Hidden
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete this file making SURE that it is the one with the S in it

C:\WINDOWS\System32\kernels32.exe

Boot and post a new log
 

3 more replies
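The four entries the answer above asks to fix share recognisable traits: a Shell= value with a second program appended, a Run entry named after a near-miss of a system file, and BHOs whose file is missing. The following is an added example, not part of the original thread and not HijackThis's own logic, that triages such log lines; the list of genuine names, the rule names and the two benign sample lines are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses backslash paths on any host OS

# First four lines are the entries quoted in the answer above;
# the last two are constructed benign entries for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {F93C90C4-039E-4461-8139-E41BD3A7327F} - C:\WINDOWS\System32\hfobc.dll (file missing)
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: a short, hand-picked list of genuine Windows XP file stems.
GENUINE_STEMS = ("kernel32", "rundll32", "explorer", "svchost", "winlogon",
                 "services", "lsass", "csrss", "smss", "spoolsv", "ctfmon")

PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path):
    """Return the genuine stem this file name is one edit away from, if any."""
    stem = basename(path).lower().rsplit(".", 1)[0]
    for genuine in GENUINE_STEMS:
        if edit_distance(stem, genuine) == 1:
            return genuine
    return None


def triage(log_text):
    """Return (rule, subject, note) tuples for lines worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        paths = PATH_RE.findall(line)

        shell = SHELL_RE.match(line)
        if shell:
            # A stock XP install has Shell=Explorer.exe and nothing else.
            parts = shell.group(1).split(None, 1)
            if not parts or basename(parts[0]).lower() != "explorer.exe":
                findings.append(("shell-replaced", shell.group(1),
                                 "shell is not Explorer.exe"))
            if len(parts) > 1:
                findings.append(("shell-extra", parts[1],
                                 "extra program started with the shell"))

        if line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            findings.append(("orphaned-bho", paths[0] if paths else line,
                             "registered BHO whose file is gone"))

        for path in paths:
            genuine = lookalike(path)
            if genuine:
                findings.append(("lookalike-name", path, genuine))
    return findings


if __name__ == "__main__":
    for rule, subject, note in triage(SAMPLE_LOG):
        print(f"{rule:15} {subject}  [{note}]")
```

A one-edit name match is only a lead for review: the analyst in the thread still confirms the exact file ("the one with the S in it") before deleting anything.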
Answer Match 90.3%

I am running Windows XP with SP2 installed. Today, my desktop background suddenly changed to a bright blue with a dialog box stating "Windows Warning Message!" at the top and which had on a bright red field the words "Warning! Spyware Detected on your Computer!" At the bottom of the box it said "Please activate your antivirus software to Clean your computer" (sic)

I've gone through the "5 steps before posting a log" on this forum and the only step I could not complete was #2, the Panda Activescan. About 15% of the way through the scan I crashed to a blue screen indicating a "software failure". The machine then automatically rebooted. I completed the remaining steps.

My Hijack This log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:44 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\... Read more

A:"Warning! Spyware Detected on your Computer!" on the desktop

Bumped

8 more replies
Answer Match 89.46%

This spyware has taken over the whole computer, I cannot access the desktop at all and not in safe mode either.

Blue background with a red and white box with big words.

I repeat I have no way of getting to the desktop, I need either a flash drive with a bootable os, or a way to clean the virus in cmd or something of that nature.

I need help.

More replies
Answer Match 89.46%

These words are embedded into my wallpaper along with a big blue screen behind them. My computer is running slow, and I have an unnamed button on the taskbar saying, "SYSTEM ALERT! System has dectected spyware..." and it links to this webpage: http://www.virprotect.com/?aff=1012. When I exit this webpage I get a Windows (apparently) message: "Are you sure you want to navigate away from this page? Your computer may still be infected with spyware." I have run Norton to no avail, I have registered Spy Hunter, and removed many problems, but still have the problem with my wallpaper. I'm unsure of what else this thing might be doing to my computer. Any help would be appreciated.

My hijack this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:41:54 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Progra... Read more

More replies
Answer Match 89.46%

It seems that someone has stolen from the developers of adaware and spybot. Check the link below for details.
http://www.lavasoftsupport.com/index.php?act=ST&f=1&t=3912
 

A:Warning! "bps Spyware Remover", You may have been deceived!

6 more replies
Answer Match 89.46%

Please help. I do not think of myself as a beginner when it comes to computers, but this thing has me to the edge. I would like to know how to remove the "Spyware Warning" from my desktop. Here is a copy of my HJT log file.
Logfile of HijackThis v1.99.1
Scan saved at 3:26:20 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program... Read more

A:"SPYWARE WARNING" has hijacked my desktop

6 more replies
Answer Match 89.46%

Please Help. I have a popup that has appeared on my desktop that claims the following:
"WARNING! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer."

It also says,
"Warning! win32/Adware.Virtumonde detected on your computer"
"WArning! win 32/PrivacyRemover.M64 detected on your computer"

This appeared on my desktop yesterday and it will not allow me to change the desktop picture. I also get a blue screen if the computer is left dormant for a while.

I attempted the 5 Steps before posting and was only able to complete a few of them. Here is the Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:36 AM, on 8/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WI... Read more

A:"Warning! Spyware detected on your computer"

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if n... Read more

1 more replies
Answer Match 89.46%

I came back from work today and when I started my computer the background was changed to a blue screen with a yellow text box that said "warning spyware detected on your computer" followed by a blue box saying "install an antivirus or spyware remover to clean your computer"

I have seen several of this same problem in the forums. I don't really know what may have caused this, and I'm not that great with computers but I will try my best.

I have HijackThis and I ran it and here is the log.

I hope someone can help =( I don't really know what else to do.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:57 PM, on 7/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.c... Read more

A:"warning spyware detected on your computer..."

Hi there solitary

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only, it should not be used on any other computer. Each fix is tailor made for the specific task in hand. If for some reason you have system restore disabled, then please re-enable it before proceeding, an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save ... Read more

1 more replies
Answer Match 89.46%

The blue and yellow sign that shows up on my desktop says "warning Spyware..." I couldn't remove it. I downloaded spybot search & destroy. I removed some programs that it found but after re-boot the sign reappeared. I followed the 5 steps before posting a log.

During the steps the desktop was back to normal. No "warning sign". But I want to make sure this is taken care of.

Here is what I have:

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:43:57 PM, on 8/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
c:\program files\lenovo\system update\suservice.exe
c:\Program Files... Read more

More replies
Answer Match 87.78%

Windows XP user. Some kind of trojan malware I think. I've run the Panda scan and HijackThis and pasted the logs here. Thank you in advance for the help. Also, Ctrl + Alt + Delete Task Manager shows no tabs, just processes, but I've had that problem for about 6 months. I'm not sure if it is related.

Panda Scan:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-08-20 12:15:55
PROTECTIONS: 1
MALWARE: 43
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.526 7.5.526 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================... Read more

A:Trojan horse, Spyware pop-warning

^bump

11 more replies
Answer Match 87.78%

hello,

This site helped me cure my laptop in the past and now I am in the process of aiding a friend whose IE is being hijacked to a suspected anti-malware site for a product known as "Ultimate Cleaner 2007". He also keeps getting repetitive pop-ups for an alleged virus known as "Worm.Win32.NetSky" which redirects you again to an unknown site.

here is his HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:27:09 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Docume... Read more

A:HJT log for "Ultimate Cleaner 2007" browser hijacking and "Worm.Win32.NetSky" warning

Welcome to TSG

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

3 more replies
Answer Match 87.78%

I found this in a previous thread that pertains to the problem I'm seeing:

Yellow and blue box says: Warning Spyware Detected...
The box appears in the middle of the screen. I can run limited programs because the computer thinks it needs an administrator. The desk top has just turned red and there is a red circle with a white X in the middle of it located in the task bar. Please help.....
I did not see a reply to the thread that mentions how to help remove it. Is there a way to get rid of this? Is this a known, removable entity?

Also, this malware disables my ability to pull up task manager and shut it down that way.

Any help you can provide would be appreciated.

Thanks
 

More replies
Answer Match 87.36%

...1-When I start computer or anytime I click on my already installed MalwareBytes and Windows Defender it says that "either one" has stopped working; windows is looking for solution to problem. Also Google Installer (whatever that is) has stopped working as well (said the dialog box that pops up randomly when I start the computer).

2-Windows says "Remove possible malware from your computer" and when I click on that it says: "Your computer experienced a problem that was caused by UACD.sys. This product might be malware." Then it says I should uninstall through control panel, etc. but the file does not appear listed. I also attempted to uninstall Windows Defender and it's not listed. I tried to delete the Windows Defender folder from the program files and hijinks ensued (sorry, that is it wouldn't let me).

3-Random music, youtube narratives, commercials, and news reports play from the Phantom Zone in my pc regardless of browsers being open or not.

4-Lastly, I downloaded a-squared Free 4.5 (since I figured a new free trojan removal spyware would at least let me run it...I was right) has only found "low risk" cookies and no trojans...but it has to be there, right?

Please beautiful, kind people of this amazing site...tell me how I should proceed and I'll put in a good word for you with *insert your favorite celebrity, deity, or sports team of choice here*. Thank you very much.

P.S. You'll actually just get my undyi...

A:Accidentally hit "allow" to a trojan warning from Windows Defender and now...

Hi and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, as far as they possibly can, before posting for assistance.

http://www.techsupportforum.com/f50/...lp-305963.html

If you have problems with any of the steps, simply move on to the next one and make a note of the problem in your reply.

Please note that the Security Forum is always busy, so I would ask for your patience while waiting for a reply - it may take a few days.

This thread will now be closed.

1 more replies
Answer Match 87.36%

I was browsing the Internet, and I believe I was on Facebook when this warning from Norton Firewall appeared:


Code:
Details: Rule "Default Block DeepThroat Trojan horse" blocked (74.181.213.17,2140)
Inbound UDP packet
Local address,service is (LOUISE-AND-SETH(192.168.2.2),2140)
Remote address,service is (74.181.213.17,56207)
Process name is "N/A"
This is in my log viewer alerts. Also, it's on the firewall tab. Right above it is this:


Code:
Rule Default Block DeepThroat Trojan horse matched
Remote address (74.181.213.17,56207)
Also,


Code:
Details: Intrusion Detection detected and blocked the Default Block DeepThroat Trojan horse Trojan horse.
All comunication with 74.181.213.17 will be blocked for 30 minutes.
Now that worries me a bit. Not only does it say "Default Block DeepThroat Trojan horse Trojan horse", which doesn't make much sense, it also spells "communication" wrong. It's very strange that Norton would do something so stupid.

I did a scan with Norton, and it found nothing. I use Norton 2005, but I've used LiveUpdate to update.

Anyways, is this an issue? If it is, what can I do from here? I was thinking of using a system restore point, but I'm almost scared to shut down my computer.

------DDS:------

DDS (Ver_09-10-26.01) - NTFSx86
Run by Compaq_Owner at 11:59:11.64 on Sun 11/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.121...

More replies
Answer Match 87.36%

Few weeks ago my Gateway DX4300 displayed a dialogue box that stated, "Your Computer has detected a Trojan Horse Virus, Shutting down." It then shut down, as the message stated it would. No Biggy...figured the computer was doing what it was meant to do upon a security threat. Well, after a few minutes I tried restarting the computer, and nothing, no power, no lights, no noises, completely dead.

So...thus far, I have tested the PSU with the paper clip trick, and an actual PSU tester, and it works just fine, according to those 2 tests. I have also replaced the motherboard, thinking for sure that had to be the problem, but of course not, still no power whatsoever. I then figured, maybe it is the power button itself, so I used a screwdriver to short the 2 power on switch pins, and nothing. I have also replaced the CMOS battery, tested multiple outlets, power cord is good, reseated all connections. Also tried jumping it by moving the jumper from pins 1 & 2 to 2 & 3. And still nothing...

I have no idea what to try next...any help would be greatly appreciated!

Was also wondering is there a Trojan Horse that can actually cause a complete power/system failure...tried googling it, couldn't find anything on it.

Computer Specs:
Gateway DX4300 | Vista Home Premium 64x | AMD Phenom 9750 Quad Core Processor | ATI Radeon 4650 GPU

A:PC won't restart after "Computer has Detected Trojan Horse Virus, Shutting Down"

I currently have this same thread in the "Memory and Power Supply" section. The individuals that have responded are all saying it is the PSU that is faulty. I will be acquiring a working PSU tomorrow evening to confirm that is the issue at hand. Once testing is complete, I will follow up with an update...

3 more replies
Answer Match 87.36%

Hi
My problem is my PC is periodically sending emails from my address book with Trojans in them, which isn't good.
My friend told me I'd sent him an email with a trojan in it. He says quote "My anti-virus software says this is a "Trojan Horse" type of virus and its specific name is "JS:Redirector-CB [Trj]"

I've also noticed that my PC is running slower. I've run all my anti virus/registry cleanups but I don't think that it's shifted it. I've also done a Windows search of my files and folders for the name of the trojan but it detects nothing. I do have the http addresses of what it's sending out if that's any help.
I did a HijackThis log and I didn't realise until after I found out that I wasn't meant to delete anything on the log, so I have deleted some of the log unfortunately.
Here are the log results (Note: I haven't touched it again after I realised I wasn't meant to.)

My PC operating details:
IBM Intel(R)Pentium(R) CPU 3.00GHZ
Model 818743G
Name- IBM 7FFA209F07C
Windows XP Professional
Version 5.1.2000 Service Pack 3
2.992 GHZ - Speed
Unused Hard Disk Space 53.776GB

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:13:35, on 22/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system3...

A:trojan horse "JS :Redirector-CB [ Trj ] " name sending infected emails to my address

Hello smokie33,

Welcome to TSG.

One thing I would like to know is whether your e-mail is on your machine or whether you use an e-mail provider like Yahoo or Gmail. Tell me when you return.

Not much showing in that HJT log. Nowadays malware is often hidden deeper.

Now

You may have used Malwarebytes before. If you have, and still have it on your machine, please update and run. Post the scan report back here.

If you do not have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,...

1 more replies
Answer Match 87.36%

Hi


I have the trojan named above in the title, and am having difficulty removing it. AVG free and adaware seem to do nothing. Ccleaner also has not helped.

Items listed by AVG 8 as being infected include the aawservice.exe file provided by Lavasoft Ad-Aware (!) and svchost.exe.

Both items are in System Volume Information\_restore....

Attempting to remove it with AVG8 (which is the program which detects it in the first place - adaware does not) simply results in the message "specified file not found".

Not very useful.

Any advice? HJT logfile is attached:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:11 PM, on 06/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Folding@home Windows SMP Client V1.01\fah.exe
C:\Program Files\Folding@home Windows SMP Client V1.01\smpd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\mpiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet....

More replies
Answer Match 87.36%

"BROWSER HIGH JACKED BY "SNAP DO" TROJAN HORSE-MALWARE
I have a major problem with a Browser Hijack of a Malware/Trojan Horse which has somehow got on my PC over the past 3 months. I say it is a Trojan Horse because it only raised its head within the last 5 days and as I have not downloaded any programs within the past 5 to 6 weeks I can only assume that it has been laying dormant on my system until last week.

My Browser has always been Internet Explorer and my search Engine has always been Google.
Last week, cannot remember the exact day, but my search engine suddenly changed from Google to SNAP DO. Coincidently I started to get all sorts of POP UPS and web pages appear for no reason.

Looking through IE tools / add ons/ toolbars there was no sign of any entry for SNAP DO ,SNAP DO Toolbar or indeed any programme with SNAP DO mentioned.

Searching the Internet I was dismayed to see all the complaints about this programme and how hard it appears to be to get rid of it once on your PC. The Support Site for SNAP DO said the sure way to remove this was to re-install the toolbar again and then remove it from the Add Remove Programs in the Control Panel. This was tried out and yes the Programme was listed in the List of Programmes. However uninstalling it did not make any difference at all and the browser was still coming up with SNAP DO, and various pop ups appearing and web pages which I never even searched for.

The IE Tools/Internet Optio...

A:Browser hijacked by "snap do" trojan horse/malware

16 more replies
Answer Match 87.36%

Hi folks, first time posting here, hope I do this right. :) I've gone through the five steps, so I think I'll be able to provide everything you need.

First, the background:

I have a machine with XP SP2, up to date on all patches. I use ZoneAlarm for my firewall, Norton Antivirus (I know, I know...) for antivirus, and have recently started using AVG as well. I use AdAware religiously. I use IE 7.0 on this machine. This is a shared machine, with accounts for myself, my wife, and my 11-year old son, who is the suspect in this case, as he's very much into IM and surfing the internet these days. :)

Recently, I seem to have gotten infected with something nasty. NAV identified various infections, most of which were identified only as the generic "Trojan Horse." NAV has been unable to clean these files, so I followed the instructions on their site, which amounted to:

a. disable system restore
b. run nav
c. delete any files
d. remove references to those files from the registry, (notably in Run)

I did this, and after a number of runs and reboots, thought everything was clean. No such luck, after another reboot, it's back again. :( Some of the file names that have also been identified as virused by NAV include:

system32/sed.exe
system32/d.exe (Hacktool.Spammer)
c:\bootloader.exe (I can never actually find this file on my machine...)
three[1].exe (always found in temp internet files)
msg.exe.tmp
dc42.exe
dcstzre.exe (Hacktool.Spammer)
in.exe
acqllb.exe
...

A:Persistent problems with "Trojan Horse," Hacktool.Spammer, sed.exe, etc.

Bump! :)

19 more replies
Answer Match 87.36%

I see this entry in my NIS log viewer after some idiot tries to hack my system using this Trojan. What does it mean that the rule was "matched?" Thanks!
 

A:"Rule Default Block Backdoor/Subseven Trojan horse matched"

It means that you got a request on the port number (probably 27374) which NIS associates with being used by Sub Seven (not that it is definitely subseven).
 

2 more replies
Answer Match 86.94%

Hi,

I've recently noticed that my laptop has been running slower than normal, so I ran a scan with my AVG Anti-Virus program. AVG reveals that my laptop has been infected with a virus called "JS/Downloader.Agent," as well as a trojan called "Trojan horse Downloader.Generic.c_ADH." I read a post from this forum about an individual that was infected with the JS/Downloader.Agent virus and I cleared my temporary files in Java as well as my Internet Explorer. Below is my Hijack This log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:43 PM, on 9/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx...

A:Need help removing "JS/Downloader.Agent" and Trojan horse

7 more replies
Answer Match 86.94%

WIN XP SP3
a program with the title: "system restore", has taken over my computer. I mistakenly opened a link in an email to open a spanish website called "salusa sirius", I clicked on a tab named: games to play, then the system restore window appeared and took over. It put two icons on the task bar: a caution triangle and a windows logo in a square box.
details on open window:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
buttons: system restore, control panel, scan PC, repair PC, settings
there is a report window containing a lot of computer errors like:
damaged hard drive clusters detected. private data is at risk. re...
hard drive rotational speed decreased by 20%
hard drive rotational speed exceeds system limits and may cause...
hard drive space less than technical limits
RAM memory speed decreased significantly and may cause a sys...
Hard drive does not correspond to system requests
boot sector of the hard drive is damaged

bottom buttons: buy now, continue with limitations

Some of the many error messages say:
failed to save all of the components for the file \\System32\\00000032. the file is corrupted or unreadable. this error may be caused by a PC hardware problem. cancel retry continue.

files indexation process failed.

critical error: hard drive OS could not....

hard drive clusters are damaged...

RAM memory reliability is extremely low...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I can't get the computer to do anything. Even the run window...

More replies
Answer Match 86.94%

I have followed all the instructions and I still can't get rid of it. Any ideas?
 

A:Hosts File is infected With "Trojan Horse"

Closing duplicate thread, Continue here:
http://forums.techguy.org/showthread.php?t=252379
 

1 more replies
Answer Match 86.94%

A couple of days ago, AVG8 alerted with the following threat:
Process Name: C:\Windows\System 32\svchost.exe
File Name: C:\Windows\Imgtask.exe
Threat Name: Trojan Horse Agent.AXSO

This same threat pops up every time AVG does its daily scan. I believe that I am the third user who has posted on this same threat in the last couple of days. I am new to this website and not an expert. I haven't seen any replies to the other two posts. Hope someone can help. I am using a Dell Latitude (D620) with Vista 32-bit. Browser is Mozilla Firefox. I also run Max Registry Cleaner on a regular basis. Windows Defender did not show any threats in a recent scan. I use automatic update for Microsoft but don't believe there were any updates that took place immediately before this threat showed up. Thanks - Joe

The log from Highjack This follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:36 AM, on 2/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\SigmaTel\C-Major Audio...

A:AVG Finds "Trojan Horse Agent.AXSO"

bump
 

1 more replies
Answer Match 86.94%

I am trying to remove a trojan horse called Second Thought from my PC. It resides in Program files\STC\slmnss.exe. I get a message saying to remove it, run AVG for Windows. I have done this several times. It does find it and it says it's removed but it remains. I can locate it in explorer and remove the individual files but it still comes back. I've downloaded several Trojan Horse removal tools but none really get rid of it. I use AVG anti-virus and Kerio Firewall. I'm getting so many hits on the firewall I've been forced to disable it. I posted this info on a Microsoft message forum and was advised to install Hijackthis as a first step. I'm going to post my scan results. Can someone advise on what to remove? I know O4 - HKLM\..\Run: [SQInstaller] C:\Program files\STC\SQ_3394_3222.exeSQInstaller.exe should be fixed but what else? Thanks in advance! Connie
Logfile of HijackThis v1.97.5
Scan saved at 10:30:06 AM, on 3/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio...

A:[Solved] Trojan Horse"Second Thought" Removal

16 more replies
Answer Match 86.94%

Hello ..
I try to get delete, but without success.. I try to scan with SuperAntispyware. however the system restarted again and again, so here is my HJT.
Thanks and Advance..

Logfile of HijackThis v1.99.1
Scan saved at 10:47:58 AM, on 6/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gsmls.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program F...

A:Solved: need help with "Trojan horse downloader.agent" Please !!

7 more replies
Answer Match 86.1%

Okay, I've run Spybot, I've run Ad Aware, I've run the free version of spy sweeper, I've run AVG, I've run McAfee and it just keeps coming back again and again and again. I suspect (but I'm not sure) that it's related to the free-scratch-cards bug that's going around, since I have all the same symptoms. I get pop up ads constantly, and it keeps trying to change my homepage to something in a "res:" directory. Here's my Hijack This log file. Seriously, this thing is making my hair fall out and I'm already bald. I will really appreciate any help you guys can offer...

Logfile of HijackThis v1.97.7
Scan saved at 10:18:04 AM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\ntxg.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\sys...

A:"dldr.WinSh.AC.05" Trojan Horse... Please help.

Uninstall one anti-virus, preferably McAfee, then restart your computer. Do the online scan by clicking the correct colored link below. Ad-aware, Spybot/sweeper do not detect or remove trojans whatsoever.

Your HJT log shows you're running no firewall, unless you're computing behind a network firewall-embedded Router. Activate ICF immediately if not sooner to keep hackers from installing Trojan Server Robots on your computer:

To turn on the WinXP Internet Connection Firewall (ICF):

- On the taskbar at the bottom of your screen, click Start, and then click Control Panel.

- Click the Network and Internet Connections category. (If the Network and Internet Connections is not visible, click Switch to Category View under Control Panel on the left side of the Control Panel window.)

- Click Network Connections.

- Right-click the Dial-up, LAN, or High-Speed Internet connection that you use to connect to the Internet, and then click Properties from the shortcut menu.

- On the Advanced tab, under Internet Connection Firewall, select Protect my computer and network, and then click OK. The Windows XP firewall is now enabled.
 

1 more replies
Answer Match 86.1%

Hello, I recently ran an AVG Anti-Virus test on my computer since my computer has been running slow as of late. Additionally, I run Registry Mechanic and Diskeeper Defragmentation on a daily basis and it still acts up. I am wondering if this "Trojan Horse Generic10.ALHO" virus is the big problem...hmm...yes my anti-virus program detected this...and it's listed twice.

Additionally I had found over 250 warnings that I submitted to my virus vault. If it helps, I have added two attachments: the first is a fresh scan/log of hijack (September 18, 2008) and the later are my system specs, which I print-screened and cropped from the "dxdiag" run function. If it helps, I believe the virus is related to my lavasoft ad-aware program, but maybe I'm wrong...

-P.S. Have a great day, and I hope you can help!
Sincerely,
RedGrant
 

More replies
Answer Match 86.1%

My Mozilla/Firefox has been hijacked, as far as I can tell, by Babylon.com. My system is Windows XP, Pack 2. When I searched for a free program to decompress zip files, somehow I GOT ENTANGLED with Babylon. They're a language translation service but I have always used Google for that service. This program has effectively taken over my home page and inserted its tool bars, etc, replacing Firefox, though not on the Desktop Page. I've tried to delete it using Microsoft's "Add or Remove" program but when I do, that screen freezes. There is no way to remove it so I must exit the page to cut myself free. When I looked them up on Wikipedia I was not surprised to find out that they were once considered "malware". Their aggressiveness sort of indicates they haven't changed all that much despite legal warnings. So, can anyone advise me how to get rid of Babylon.com for good?
 

More replies
Answer Match 86.1%

HELP! Is there a removal tool for Trojan Horse Dropper. Agent. Joc? I appreciate any and all help you all can give me! Thank you in advance for your help.
 

More replies
Answer Match 86.1%

Hi,

AVG 8.5 found "Trojan Horse Agent2.MIB"
located C:\WINDOWS\msa2.exe. States it cannot heal, tried to move it to the virus vault and it says it's reached its limit of files which is doo doo...I did raise the amount of files and the size of the vault and it still won't move it to vault.

What do I do with this file?

I am running Windows XP SP3 on Intel Celeron, 1.70Ghz 512 Ram.
Here is my Hijack log... See the 2 Internet explorer programs in processes?...just started doing that 2 days ago. If I have more than one browser or tab open it lists each one in "Application Tab " of Task Manager Not on the "Processes" tab.

Thank You in Advance if anyone can help
bratt
Frustrated in Central California

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:54 PM, on 7/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PRO...

More replies
Answer Match 86.1%

Hello
I have just reinstalled XP and scanned everything with several antivirus, adware, spyware. My AVG every 15 min. or so pops up saying I have a Trojan horse lop AS in my temporary folder.
If I heal it or quarantine it, it says it worked. How can I get rid of this annoyance that keeps interfering with everything just by popping up, and is it even a real threat?
Thank you
rob
 

A:Solved: "Trojan horse Lop AS" keeps on appearing

16 more replies
Answer Match 86.1%

I don't know what has happened to my computer. But my AVG keeps informing me that I have a Trojan Horse called 'Lop.AS'. This is driving me crazy as I am a consultant and it keeps interfering with my work process. I have read all the rules and know that member 'robbb' is having the same problem and that 'Cookiegal' is helping him.

This does not classify as a repeated problem as 1. 'Cookiegal' told 'sabian1982' to start his own thread with the same problem and 2. 'Cookiegal' also states that the direction given to 'robbb' is for him only and others following the same advice might harm their own computer.

If anyone can help me with my own 'Trojan Horse Virus- Lop.AS' I would very much appreciate it.
Thank you in advance.
 

A:"Trojan horse Lop AS" keeps on appearing (Part 2) Help Please

16 more replies
Answer Match 86.1%

I've run SuperAntiSpyware, Ad-Aware, SpyBot and Norton which removed some trojan files and registry items but I'm still getting pop-ups ("Security System Warning" and "System Integrity Scan Wizard"). Below is my HiJackThis log. Thanks in advance!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:21 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WIND...

A:"Sys Integrity Scan Wizard" & "Security System Warning" Pop-ups

Hi Welcome to TSG!!
Please visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 

1 more replies
Answer Match 85.68%

I scanned with symantec antivirus corp, and I got this:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: E:\WINDOWS\system32\sockspy.dll.avxpnd
Location: Quarantine
Computer: SHRUTHI
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded : Access denied

Should I be worried that the "Clean failed"?

My Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 5:57:04 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Stardock\SDMCP.exe
E:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
E:\Program Files\Microsoft IntelliType Pro\type32.exe
E:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\CTHELPER.EXE
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\WINDOWS\system32\taskswitch.exe
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\PROGRA~1\VISION~1\ONETOU~2.EXE
E:\Program File...

A:Solved: HELP! Trojan called "Trojan Horse"

10 more replies
Answer Match 84.84%

Hello guys

This is my very first thread in this forum.
I'm having major problems with a virus :( It has completely taken over my computer. I get pop-ups that claim that my computer is infected with all sorts of trojans. A program called "System Security 2009" starts then searching for viruses in my hard disks finding (of course) lots of malware. Then they offer me to buy the program for deleting all the trojans. It seems of course like a fake program that is trying to earn some easy money.

The computer can load internet explorer but no other applications, not even the task manager; and it's really slow. And my wallpaper has turned black containing a message that won't go away. Description as follows:

"WARNING! YOU'RE IN DANGER!

ALL YOU DO WITH COMPUTER IS STORED FOREVER IN YOUR HARD DISK. WHEN YOU VISIT SITES, SEND EMAILS... ALL YOUR ACTIONS ARE LOGGED. AND IT IS IMPOSSIBLE TO REMOVE THEM WITH STANDARD TOOLS. YOUR DATA IS STILL AVAILABLE FOR FORENSICS. AND IN SOME CASES FOR YOUR BOSS, YOUR FRIENDS, YOUR WIFE, YOUR CHILDREN.

Every site you or somebody or even something, like spyware, opened in your browser, with all the images, and all are downloaded and maybe later removed movies or mp3 songs - ARE STILL THERE and could broke your life!

SECURE YOURSELF NOW!"

Please help me get rid of this annoying trojan.
Thanks
Renato (natito)


This is my DDS.txt file:


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by HP_?garen at 16:53:37,4...

A:"WARNING! YOU'RE IN DANGER" trojan, help me please!

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial post then the thread will be closed.

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.
* Double-click ResetTeaTimer.zip
* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

A Tutorial for Tea Timer can b...

7 more replies
Answer Match 84.84%

i got a warning box today telling me "your computer has been infected by trojan" it then says for you to click ok to download a spyware remover. it looks to be a bug in itself. if u get it, DO NOT click ok!!! just X out of it and run ur spyware or just download the newest update for ur computer make and model. mine happened to be HP. as soon as i downloaded the HP update i didn't get the lil "trojan" box again. also, i ONLY got it when i had to sign into msn to check my mail and IE popped up and then the problems began. all fixed now. just passing on the info in case anyone else has this problem
 

More replies
Answer Match 84.84%

My friend's laptop has experienced "Trojan horse - dlm.exe, dl.exe" problem. I helped him to fix this by using Hijackthis, AdAware, and Spybot. After cleaning the computer, I installed "Zone alarm" to prevent further problems. At the moment, it seems to work well except one website. If I tried to connect to the site using "Internet explorer", IE generates error messages.

The following is the log file generated by "Hijackthis". It has a lot of "O4 - Startup: xxx_{xxx}.tmp" lines. I deleted most of them and inserted dots since the file size of log file is too big (258kb). Thanks.

>---------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:13:35 PM, on 2004-04-13
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


A:Help: Trojan horse "dlm.exe", "dl.exe"

8 more replies
Answer Match 84.42%

I recently formatted my computer, everything seemed to be going according to plan.. UNTIL, I was stung with a Trojan Horse of some sort, now I seem to be having trouble removing it.

I recently deleted my Symantec and got NOD32, now I am not sure if this has helped or not, but it seems to be running a bit smoother.

I'd just like to know if I still have it .. or if HOPEFULLY.. it is gone.

Can someone please decipher my Log.. thanks in advance!

Here it is :

Logfile of HijackThis v1.99.1
Scan saved at 8:51:25 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)


A:Trojan Horse! ("HJT" Log Included) HELP!

.. anyone? help.. thanks
 

2 more replies
Answer Match 84.42%

Hi!

I have a problem with something called a trojan horse, which my Norton Internet Security detects every ten minutes. Norton detects and adjusts it, but I can't get rid of it, it shows up again. In detail the file is called "osmim.dll". How do I get rid of it? I haven't noticed anything wrong with my computer yet, it's just that it bothers me that Norton can't fix it and that it pops up all the time.

Jenny, Sweden

A:Trojan horse - "osmim.dll"

Usually Norton will detect spyware as a trojan horse and can't remove it.
Install a couple free spyware removers and scan.

I got mine from www.download.com

2 more replies
Answer Match 84.42%

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:31 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal


A:"Trojan Horse Generic"

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

13 more replies
Answer Match 84.42%

Hi all,

Unfortunately, my computer (OS: Windows 2000) got infected with "Second Thought". I have already deleted all infected files and archives my antivirus tool could find, but somehow the trojan horse always manages to come back, probably via active processes.

I have scanned the system with Hijack This, and here is the log file I got:

Logfile of HijackThis v1.98.2
Scan saved at 11:32:36 AM, on 10/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


A:Trojan horse "Second Thought"

6 more replies
Answer Match 84.42%

hello
avg 8 has found "trojan horse backdoor.vb.cik," I have searched everywhere about this and I cannot find any ref to it,
it is supposed to be located in my E drive, "I do not have an e drive"
when I go to delete the infections (there are two of the same name) it says it is bigger than the archive size limit, if I then click "go to file" it cannot find it at said location.
obviously the virus scanner can find it AND give it a name,
avg web site virus database has no record of it, where do I go next please,

More replies
Answer Match 83.16%

Hey guys, I've been on a battle for days now trying to get rid of the nasty stubborn viruses. I've followed every direction given in this thread, and I'd say 95% of the problems are gone. For that I am very appreciative.

Description of my problem: The virus was pretty typical, it tried to get me to buy spyware programs, pop ups, hijacked my screen saying something like "Warning Dangerous Spyware found, for the sake of your wife, children...you need to protect yourself" blah blah blah.

What I've Done: I now have Super Antispyware, ATF-Cleaner, Malwarebytes, Windows Defender, Spybot Search and Destroy, and AVG on my computer. All just to fight this bastard. I ran every program and pretty much all of them are having trouble removing a few stubborn files. There is a file named "chcdbudn.dll" that is a pesky little punk. After running every other program (AVG, Malwarebytes, Spybot Search and Destroy. I didn't find this forum yet) Windows Defender said it couldn't remove that one I mentioned. So I find the file in the system32 folder, then try and rename it, and everything came back. Screen hijacked, fake spyware programs running, fake alerts.. Here's when I tried the methods in this thread. I followed everything exactly as told, downloaded Super Antispyware and ATF-Cleaner, and was pleased to see the "chcdbudn.dll" file quarantined in Super Antispyware in Safe Mode (after over 4 hours of the scan. Weird thing happened, right in...

A:Warning Dangerous Spyware

Great quote out of 2 Timothy by the way boopme. It seems like that day is here.

9 more replies
Answer Match 83.16%

I have a black background that says WARNING DANGEROUS SPYWARE, says "many viruses were found on your computer such as: trojan horse, passcapture, etc. your personal information can fall into the third hands."

When I run spy bot it finds 2 things and it fixes one but it tells me to reboot to fix the other and halfway through the checking the system I get generic host process for win 32 services and then it will reboot.

A:Warning Dangerous Spyware

Hello please temporarily turn off SpyBot while you install and run this MBam scan.

Please download Malwarebytes Anti-Malware and save it to your desktop.

* alternate download link 1
* alternate download link 2

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  * Update Malwarebytes' Anti-Malware
  * Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself.
* Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

The scan will begin and ...

14 more replies