Constant Virus/Spy Ware/Trojan Pop-Ups

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rctg15

Thread Starter
Joined
Mar 25, 2008
Messages
1
My laptop constantly receives pop-ups that warn me of viruses, spyware, trojans, etc. I have posted two examples of these many pop-ups below.

System Integrity Scan Wizard:
Warning: Your computer may have critical errors in Windows registry and file system!

Security System Protection Control Panel:
Possible spyware infection detected.
You need to update PC-Antispyware protection to remove detected spyware from your computer.
Threat Name: TrojanDownloader.XS

The first thing I did was run a scan with CounterSpy and then with Ad-Aware 2007, but without much improvement.


My desktop wallpaper was changed so that it featured a red screen with the warning "Your Privacy is in Danger". In addition, I had three programs on my desktop: Error Cleaner, Privacy Protector and Malware Protection. However, I removed both the wallpaper and these programs by running SmitfraudFix in Safe Mode.

Here are the results from the SmitfraudFix:

SmitFraudFix v2.308

Scan done at 16:04:21.06, Tue 03/25/2008
Run from C:\Documents and Settings\rctg15\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\kdftlboeopx.dll deleted.
C:\WINDOWS\qvdntlmw.dll deleted.
C:\WINDOWS\dwnrpofk.dll deleted.
C:\WINDOWS\vbgtorfd.dll deleted.
C:\WINDOWS\Installer\{e15266cd-577a-4663-a27b-153c8366decd}\SetupAlrt.dll deleted
C:\WINDOWS\Installer\{c6d1b814-163b-4723-bf3a-4698b1757fd8}\zip.dll deleted


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\norlatmx.exe Deleted
C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\rctg15\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\rctg15\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\rctg15\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\rctg15\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\rctg15\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\rctg15\FAVORI~1\Spyware?Malware Protection.url Deleted
C:\Program Files\tmp???????.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{386913CF-3B88-4B70-B405-392FC8C555D0}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS1\Services\Tcpip\..\{386913CF-3B88-4B70-B405-392FC8C555D0}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS2\Services\Tcpip\..\{386913CF-3B88-4B70-B405-392FC8C555D0}: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



After this I ran a scan with SUPERAntiSpyware. Here are the results:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2008 at 05:15 PM

Application Version : 4.0.1154

Core Rules Database Version : 3424
Trace Rules Database Version: 1416

Scan type : Complete Scan
Total Scan Time : 00:58:54

Memory items scanned : 371
Memory threats detected : 0
Registry items scanned : 4147
Registry threats detected : 1
File items scanned : 36420
File threats detected : 34

Adware.Tracking Cookie

Rogue.SpywareIsolator
HKU\S-1-5-21-1123561945-854245398-725345543-1003\Software\spinstall

Trojan.Unclassified/InstallerABR
C:\DOWNLOADS\INSTALLER_ABR.EXE
C:\WINDOWS\Prefetch\INSTALLER_ABR.EXE-1C2698B1.pf

Adware.SXGAdvisor-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058953.DLL

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058954.DLL

Trojan.Unclassified/Tmp-Gen
C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058960.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058961.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058962.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{268FACAA-4065-47F4-9251-57666E8981B2}\RP205\A0058963.EXE

Lastly, here are the results from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 5:28:31 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\upmruzah\edolelaf.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\khevutod.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: GNX Bingo - {2F97A8CB-0E8F-4AF0-B737-12C03F355794} - C:\WINDOWS\kdftlboeopx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [trlfvxof] C:\WINDOWS\system32\khevutod.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\Player\__CDS2.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
 