|
|
#1
7th Sep 2007, 17:19
|
|||
|
|||
|
Hi
I have a problem, im not even sure what exactly it is. Basically, i have this little bubble popping up every 10 minutes at the bottom right hand of the screen(its coming from a little icon where ur internet connection icon is and the little icon is in the shape of a shield, and is flashing an X with a red background then to a question mark to a blue background??) and it it says, "System Alert! There are active spyware applications on your computer. Click this button to fix the problem or download this up-to-date antispyware solution." When I click it, it just brings me to a page where i have to purchase this anti spyware program. So... I have AVG, and Ad Aware. I ran tests on both of them, and they say that there is nothing there..or if something does come up, i remove it, but the bubble still pops up saying that theres still active spyware on my computer. Also, when I go on the internet, it makes windows pop up, but they arent regular internet websites..it basically just looks like this: fkljdsjkalfdjl;sajfldjkslafjlkdsjfldsjaoi;fjewo What do i do??  Can someone give me a full walkthrough on how to remove the problem manually from my comp, or at least a 100% FREE anti spyware program? |
|
#2
7th Sep 2007, 17:32
|
|||
|
|||
|
Welcome to TCF.
That is a common but nasty piece of malware. The good thing is we know how to get rid of it. It will require a few steps but just bear with me. Go into add/remove programs and see if anything is there that shouldn't be and un-install it. Like toolbars etc. Download HijackThis Here Once you have it downloaded install/save it to it's own folder!!! This is important for it to work properly. For example save in C:\program files\hijackthis You can then create a shortcut on the desktop. Once installed open the program and select Do a system scan and save logfile. **Important DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Save the log to your desktop. In the next post click Go Advanced or Post Reply. Scroll down and click Manage Attachments and add the log as an attachment. After I see the log I will know where to go from there. 
__________________
 |
|
#3
7th Sep 2007, 17:48
|
|||
|
|||
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:58 PM, on 07/09/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\pctspk.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\Atievxx.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Spyware Doctor\svcntaux.exe C:\Program Files\Spyware Doctor\swdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe C:\WINDOWS\System32\ctfmon.exe c:\program files\internet explorer\iexplore.exe C:\WINDOWS\System32\dllhost.exe C:\WINDOWS\System32\msdtc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Spyware Doctor\SDTrayApp.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\System32\__c0065E93.dat (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtim e.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe" O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: *.whataboutadog.com O15 - Trusted Zone: *.whataboutarabit.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA2D101-A9F9-4B04-9DD3-82FABE0E9953}: NameServer = 142.161.2.155 142.161.130.155 O20 - AppInit_DLLs: C:\WINDOWS\System32\__c002D1A2.dat O22 - SharedTaskScheduler: apdu - {903902a8-0691-460e-8351-24df3d425e9c} - C:\WINDOWS\System32\gkymhk.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbxcoms.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe -- End of file - 6436 bytes Thats basically what it says, i hope you can read it..i wont let me send it any other way..it keeps saying "invalid file" when i try to attach it |
|
#4
7th Sep 2007, 17:51
|
|||
|
|||
|
Quote:
__________________
|
|
#5
7th Sep 2007, 18:22
|
|||
|
|||
|
OK, please follow these directions.
Open HijackThis and select "Do a system scan only" Place a check mark next to these entries. O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\System32\__c0065E93.dat (file missing) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) Close all windows including this one and click "Fix checked" ========================================== Next: Download http://downloads.andymanchesta.com/R...ools/SDFix.exe and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : · Restart your computer · After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; · Instead of Windows loading as normal, the Advanced Options Menu should appear; · Select the first option, to run Windows in Safe Mode, then press Enter. · Choose your usual account. · Open the extracted SDFix folder and double click RunThis.bat to start the script. · Type Y to begin the cleanup process. · It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. · Press any Key and it will restart the PC. · When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. · Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). · Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
__________________
|
|
#6
7th Sep 2007, 19:45
|
|||
|
|||
|
it didn't work, this is what i did..
I was on My account..and i did it all and when i went to go into safe mode on my account, my account wasn't an option. So i started all over again but on my bfs account, and it went all fine until i restarted for the last time, it the fix tool didn't come up and scan and display finished, nothing happened, and that bubble is still popping up
|
|
#7
7th Sep 2007, 19:51
|
|||
|
|||
|
Yes that was a step we needed to try. Don't worry I have more Ammo to use.
 Please open HijackThis and select "Do a system scan and save log file" Copy/paste a new log. Also are you on an admin. or limited account. You will need to be on an admin. account.
__________________
|
|
#8
7th Sep 2007, 19:55
|
|||
|
|||
|
Well if i have windows Xp and i go to control panel, user accounts, and beside my boyfriends is "computer administrator" does that mean his is?
|
|
#9
7th Sep 2007, 19:58
|
|||
|
|||
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:16 PM, on 07/09/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\WINDOWS\System32\pctspk.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Spyware Doctor\SDTrayApp.exe C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\Atievxx.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Spyware Doctor\svcntaux.exe C:\Program Files\Spyware Doctor\swdsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe" O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe" O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtim e.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe" O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\Dave\Desktop\SDFix\RunThis.bat /second O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: *.whataboutadog.com O15 - Trusted Zone: *.whataboutarabit.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5EA2D101-A9F9-4B04-9DD3-82FABE0E9953}: NameServer = 142.161.2.155 142.161.130.155 O20 - AppInit_DLLs: C:\WINDOWS\System32\__c002D1A2.dat O22 - SharedTaskScheduler: apdu - {903902a8-0691-460e-8351-24df3d425e9c} - C:\WINDOWS\System32\gkymhk.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbxcoms.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe -- End of file - 6140 bytes |
|
#10
7th Sep 2007, 19:59
|
|||
|
|||
|
Yes he is. Other accounts can also have Administrator privileges also, but if yours does not you will want to work from his account.
__________________
|
