TechSpot

"Critical System Error" & "Virus Alert"

By jdpink62
Nov 15, 2006
Topic Status:
Not open for further replies.
  1. I have an issue similar to Pradeka's on his thread: http://www.techspot.com/vb/topic62639.html and like Dhaka's thread: http://www.techspot.com/vb/topic61225.html

    It appears in the form of a Windows style system error message in my system tray toolbar which reads: "critical system error - System detected virus activities. They may cause critical system failure. Please use antimalware software to clean and protect your system from parasite programs. Click this balloon to get all available software". Once clicked it opens an IE window prompting you to buy "virusbuster" which apparently is a fake program showing fake virus infection messages to get you to pay for a fake product.

    2) Also another system alert shows Malware threats ("Your computer is infected with a back door Trojan that allows the remote attackers to perform various malicious actions. Click this balloon to download malware removal software.")

    I went ahead and did what howard_hopkinso asked both of them to do and followed the whole "Trojan Pakes and other nasties preliminary removal instructions" thing.

    Enclosed as an attachment is a copy of the logs I ran after I ran the 4 fix programs. I hope I got everything off my laptop but I can't say for sure. I have Trend Micro PC-cillin Internet Security 2009 Suite with anti-virus. I can't find the scan logs but it had a bunch of trojans on it.
    View attachment rapport.txt
    View attachment 10632
    View attachment 10633
    View attachment 10634
    View attachment hijackthis.txt

    Thanks in advance.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {6DF82FB5-4C01-E644-CD53-0A1E2D14E21F} - C:\WINDOWS\system32\qahwdqn.dll

    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\qahwdqn.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post fresh HJT and AVG Antispyware logs and let me know how your system is running

    Regards Howard :wave: :wave:

    This thread is for the use of jdpink62 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. jdpink62

    jdpink62 TS Rookie Topic Starter

    I removed:

    O2 - BHO: (no name) - {6DF82FB5-4C01-E644-CD53-0A1E2D14E21F} - C:\WINDOWS\system32\qahwdqn.dll

    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

    After turning off System Restore and showing ALL files like you asked.

    I could not find the C:\WINDOWS\system32\qahwdqn.dll file so when I rebooted the red icon was still there. Here is a new HJT and AVG log.
    View attachment NewHJT.txt
    View attachment 10641

    Thanks for your help
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

    PopUp Defender 2004 Full

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    PopUpDefender2004Full.exe

    Close task manager.


    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzan.dll,startup

    O4 - HKLM\..\Run: [ibvobhj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ibvobhj.dll,evkoqpe

    O4 - HKLM\..\Run: [PopUp Defender 2004] C:\Program Files\PopUp Defender 2004 Full\PopUpDefender2004Full.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\PopUp Defender 2004 Full (delete the entire folder)

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\system32\ibvobhj.dll
    C:\WINDOWS\system32\drvzan.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of jdpink62 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
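An added example, not part of this thread or of HijackThis itself: a small Python triage helper that parses the kinds of HJT lines quoted in the posts above (O2, O3, O4, O23), pulls out the file each entry loads (unwrapping rundll32 Run values to the module they actually load) and records whether that file is still on disk, which is the question behind the "could not find qahwdqn.dll" reply earlier in the thread. The sample log is constructed from the lines quoted in this thread; nothing else is assumed.

```python
import os, re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample log: the HJT lines quoted in this thread, assembled here as test input.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {6DF82FB5-4C01-E644-CD53-0A1E2D14E21F} - C:\WINDOWS\system32\qahwdqn.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzan.dll,startup
O4 - HKLM\..\Run: [ibvobhj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ibvobhj.dll,evkoqpe
O4 - HKLM\..\Run: [PopUp Defender 2004] C:\Program Files\PopUp Defender 2004 Full\PopUpDefender2004Full.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
"""

# A Windows path ending in a PE/driver extension, stopping at a comma, whitespace or end of line.
PATH_RE = re.compile(r"(?i)[A-Z]:\\.*?\.(?:exe|dll|sys)(?=[,\s]|$)")
# "rundll32.exe <module>,<export>": the file to examine is the module, not rundll32 itself.
RUNDLL_RE = re.compile(r"(?i)^(?:\S*\\)?rundll32\.exe\s+(.*)$")

# Returns (section, label, file_path) for an O2/O3/O4/O23 line, or None for any other line.
def parse_hjt_line(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O4":  # O4 - <hive\..\Run>: [<value name>] <command line>
        lm = re.match(r"^(.*?): \[(.*?)\] (.*)$", body)
        if not lm:
            return section, body, None
        key, name, cmd = lm.groups()
        rd = RUNDLL_RE.match(cmd)
        pm = PATH_RE.search(rd.group(1) if rd else cmd)
        return section, f"{key} [{name}]", pm.group(0) if pm else None
    fields = body.split(" - ")  # O2/O3/O23: " - "-separated fields, file path last
    pm = PATH_RE.search(fields[-1])
    return section, " - ".join(fields[:-1]), pm.group(0) if pm else None

# One row per entry; on_disk False means an orphaned loader entry (nothing left for killbox to delete).
def triage(log_text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Dict]:
    report = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        section, label, path = entry
        report.append({"section": section, "label": label, "path": path,
                       "on_disk": exists(path) if path else None})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_HJT_LOG):
        status = {True: "present", False: "MISSING", None: "no file"}[row["on_disk"]]
        print(f"{row['section']:<4} {status:<8} {row['path'] or row['label']}")
```

Run it against a real HJT log to get the path list for killbox in one pass; entries flagged MISSING still need their registry or BHO entry fixed in HJT even though there is no file to delete.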
  5. jdpink62

    jdpink62 TS Rookie Topic Starter

    That got it to stop! Thank you so much... here is a new copy of HJT

    I did notice a couple of programs running that I had some questions about. I don't know what these programs are or if I need them; are they more adware/spyware?

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\lsass.exe

    Why do I have so many copies of C:\WINDOWS\system32\svchost.exe running and what is it for?

    C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE was an old anti-virus software my mom was running a couple of years ago. We deleted it for McAfee but it seems it didn't fully delete. There is no uninstall program for it. How do I remove the whole thing without screwing something up? There is also evidence of it in the HJT at the bottom:
    O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
    O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

    Thank you so much Howard, you've got the heart of a teacher. I would be up the creek without a paddle without you!

    View attachment 10642
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is now clean.

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\lsass.exe

    The above files are critical Windows system files and are perfectly legit.

    See HERE for a description of svchost.exe. Again, this is a Windows system file and is perfectly legit.

    It's perfectly normal to have multiple instances of svchost.exe running.

    If you would like to see what your multiple entries of svchost.exe are doing, download the Process Explorer from HERE.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of jdpink62 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.