
Constant Virus/Spy Ware/Trojan Pop-Ups

Discussion in 'Virus & Other Malware Removal' started by rctg15, Mar 25, 2008.

Thread Status:
Not open for further replies.
    rctg15 (Thread Starter)
    Joined: Mar 25, 2008
    Messages: 1
    My laptop constantly receives pop-ups that warn me of viruses, spyware, trojans, etc. I have posted two examples of these many pop-ups below.

    System Integrity Scan Wizard:
    Warning: Your computer may have critical errors in Windows registry and file system!

    Security System Protection Control Panel:
    Possible spyware infection detected.
    You need to update PC-Antispyware protection to remove detected spyware from your computer.
    Threat Name: TrojanDownloader.XS

    The first thing I did was run a scan by CounterSpy and then by Ad-Aware 2007, though with not much improvement.


    My desktop wallpaper was changed so that it featured a red screen with a warning: Your Privacy is in Danger. In addition, I had three programs (Error Cleaner, Privacy Protector and Malware Protection) on my desktop. However, I removed both the wallpaper and these programs by running SmitfraudFix in Safe Mode.

    Here are the results from the SmitfraudFix:

    SmitFraudFix v2.308

    Scan done at 16:04:21.06, Tue 03/25/2008
    Run from C:\Documents and Settings\rctg15\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    C:\WINDOWS\kdftlboeopx.dll deleted.
    C:\WINDOWS\qvdntlmw.dll deleted.
    C:\WINDOWS\dwnrpofk.dll deleted.
    C:\WINDOWS\vbgtorfd.dll deleted.
    C:\WINDOWS\Installer\{e15266cd-577a-4663-a27b-153c8366decd}\SetupAlrt.dll deleted
    C:\WINDOWS\Installer\{c6d1b814-163b-4723-bf3a-4698b1757fd8}\zip.dll deleted


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\norlatmx.exe Deleted
    C:\WINDOWS\privacy_danger\ Deleted
    C:\DOCUME~1\rctg15\Desktop\Error Cleaner.url Deleted
    C:\DOCUME~1\rctg15\Desktop\Privacy Protector.url Deleted
    C:\DOCUME~1\rctg15\Desktop\Spyware?Malware Protection.url Deleted
    C:\DOCUME~1\rctg15\FAVORI~1\Error Cleaner.url Deleted
    C:\DOCUME~1\rctg15\FAVORI~1\Privacy Protector.url Deleted
    C:\DOCUME~1\rctg15\FAVORI~1\Spyware?Malware Protection.url Deleted
    C:\Program Files\tmp???????.exe Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{386913CF-3B88-4B70-B405-392FC8C555D0}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{386913CF-3B88-4B70-B405-392FC8C555D0}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{386913CF-3B88-4B70-B405-392FC8C555D0}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    After this I ran a scan by SUPERAntiSpyware. Here are the results:


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/25/2008 at 05:15 PM

    Application Version : 4.0.1154

    Core Rules Database Version : 3424
    Trace Rules Database Version: 1416

    Scan type : Complete Scan
    Total Scan Time : 00:58:54

    Memory items scanned : 371
    Memory threats detected : 0
    Registry items scanned : 4147
    Registry threats detected : 1
    File items scanned : 36420
    File threats detected : 34

    Adware.Tracking Cookie

    Rogue.SpywareIsolator
    HKU\S-1-5-21-1123561945-854245398-725345543-1003\Software\spinstall

    Trojan.Unclassified/InstallerABR
    C:\DOWNLOADS\INSTALLER_ABR.EXE
    C:\WINDOWS\Prefetch\INSTALLER_ABR.EXE-1C2698B1.pf

    Adware.SXGAdvisor-A
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058953.DLL

    Trojan.Unclassified/GTS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058954.DLL

    Trojan.Unclassified/Tmp-Gen
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058960.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058961.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058962.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058963.EXE

    Lastly, here are the results from HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:28:31 PM, on 3/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\All Users\Application Data\upmruzah\edolelaf.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\TomTom HOME 2\HOMERunner.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\khevutod.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: GNX Bingo - {2F97A8CB-0E8F-4AF0-B737-12C03F355794} - C:\WINDOWS\kdftlboeopx.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [trlfvxof] C:\WINDOWS\system32\khevutod.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Short URL to this thread: https://techguy.org/697034