1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

PC-Antispyware warning pop-ups

Discussion in 'Virus & Other Malware Removal' started by [email protected], Apr 6, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. vnkb4u@yahoo.com

    [email protected] Thread Starter

    Joined:
    Apr 6, 2008
    Messages:
    2
    My computer got infected after I clicked on a pop up message asking me to install some codec in order to view a video. Now from time to time, like every 15-30 minutes or so, I'll have a pop-up screen or a notification at the system tray.
    So far I've been seeing 4 different symptoms. I'm still getting them even after I've cleaned my sysem with at least 5 to 6 antispyware/antivirus software including spybot, ad-aware, mcafee, panda, super-antispyware, etc. The symptoms are as below:

    1. Pop-up messeage (in blue frame) as below
    Security System Protection Control Panel
    Possible spyware infection detected. You need to update PC-Antispyware protection to remove detected spyware from your computer. Click here for details....
    THREAT NAMEL TrojanDownloader.XS
    To remove detected threat please click here

    2. Pop-up messeage (in red frame) as below
    File:
    C:\WINDOWS\wml.exe
    Threat
    Abebot
    Possible Spyware infection has been detected on your computer by "Security System"
    To remove detected threat you need to update your PC-Antispyware protection.
    Click here to visit PC-Antispyware web site
    Update PC-Antispyware protection and remove detected threats.

    3. Pop-up messeage (in blue frame) as below
    System Integrity Scan Wizard
    Warning: Your computer may have critical errors in Windows registry and file system!
    The registry and file system errors lead to computer freezes, system crashes and slowdowns, corruption of files and document.
    Immediate system integrity scan and repair is strongly recommended.
    To scan your computer for drrors please click the 'Next' button below

    4. A yellow triangle notification icon with an exclamation mark in the system tray.
    When I click on it it lead me to the bbelow site:
    //antispyware-reviews.biz/?wmid=4663&pwebmid=R3n1c2Bg8A



    HiJackThis Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:31:27 PM, on 4/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
    C:\Documents and Settings\All Users\Application Data\nqvmpmjw\xutufmrg.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\WINDOWS\system32\enanslif.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Documents and Settings\Naga\Application Data\mjusbsp\magicJack.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\TEMP\ST614D.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000018.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Naga\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
    O4 - HKCU\..\Run: [A00F16B119E2.exe] C:\DOCUME~1\Naga\LOCALS~1\Temp\_A00F16B119E2.exe
    O4 - HKCU\..\Run: [A00F16B16D9F.exe] C:\DOCUME~1\Naga\LOCALS~1\Temp\_A00F16B16D9F.exe
    O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
    O4 - HKCU\..\Run: [bbeloctt] C:\WINDOWS\system32\enanslif.exe
    O4 - HKLM\..\Policies\Explorer\Run: [s5PC5Spcjn] C:\Documents and Settings\All Users\Application Data\nqvmpmjw\xutufmrg.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://virtuallab1.okstate.edu/msrdp.cab
    O16 - DPF: {9F31B7A4-F438-48B8-AAF5-1C29A8A2B6C1} (bigflicks Class) - http://download.bigflicks.com/cabs/bigflicks_1_0_0_5.cab
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://download.bigflicks.com/cabs/Entriq_3_6_0_15_Silent.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_mywebex-pcnow/ra/ieatgpc.cab
    O20 - Winlogon Notify: __c003EC6F - C:\WINDOWS\system32\__c003EC6F.dat
    O20 - Winlogon Notify: __c004B493 - C:\WINDOWS\system32\__c004B493.dat (file missing)
    O20 - Winlogon Notify: __c00DA139 - C:\WINDOWS\system32\__c00DA139.dat
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
    O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

    --
    End of file - 8691 bytes
     
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    REBOOT

    Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
    • Close any open browsers.
    • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
    • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    • Leave all the setting to the default except as noted below
    • Under Additional Scans sections, check the following
      • Reg - BotCheck
      • File - Additional Folder Scan
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    If the log is too large to post, use the Post A REPLY button, scroll down to the attachments section and attach the notepad file here.

    Please post
    • MBAM log
    • OTScanIt log (attached)
    in your reply here
     
  3. vnkb4u@yahoo.com

    [email protected] Thread Starter

    Joined:
    Apr 6, 2008
    Messages:
    2
    Hi I have followed the steps that were suggested. Please find the files attached.

    thank you,
     

    Attached Files:

  4. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
     [Unregister Dlls]
    [Registry - Non-Microsoft Only]
    < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YN -> __c004B493 -> %SystemRoot%\system32\__c004B493.dat
    [Files/Folders - Created Within 30 days]
    NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    [Files Created - Additional Folder Scans - Non-Microsoft Only]
    NY -> nqvmpmjw -> %AllUsersProfile%\Application Data\nqvmpmjw
    [Files/Folders - Modified Within 30 days]
    NY -> 5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    [Files Modified - Additional Folder Scans - Non-Microsoft Only]
    NY -> nqvmpmjw -> %AllUsersProfile%\Application Data\nqvmpmjw
    [Empty Temp Folders]
    [Start Explorer]
      
    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

    If it reboots this may not happen. If you need to manually find the file it is at Desktop\OTScanIt\MovedFiles\04082008_163441.log or what ever yours is named(Date/Time you ran the fix)

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Click on the Start Scanning button at bottom of page.
    • Accept the License Agreement and the ActiveX install.
    • Once the ActiveX installs,Click Full System Scan
    • Once the download completes,the scan will begin automatically.
    • The scan will take some time to finish,so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.
    2.
    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!
    • Click on the Start Scanning button at bottom of page.
    • Accept the License Agreement and the ActiveX install.
    • Once the ActiveX installs,Click Full System Scan
    • Once the download completes,the scan will begin automatically.
    • The scan will take some time to finish,so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.

    Please post
    • OTscan it "results" log (described above)
    • F-Secure log
    • Fresh OtScanIt log made after F-secure
    in your next reply here
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/701095

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice