I have a problem

Status
Not open for further replies.

Rimurrow

I believe I have some spyware on my computer.

I get a popup that says "your system is probably infected with the latest version of spyware-x log".

Also, I can't open Firefox or Opera, and when I open Internet Explorer it redirects me to a page wanting me to download spyware software.

I am in need of some help.

Here is hijack this log
 
It seems that your PC is hardly infected by viruses and spyware.

So for better security, download Ad-aware 2008, which will help you to remove all spyware.

Here is the link for download: Ad-aware 2008

If the problem persists, then you will need to install a good antivirus, for example BitDefender Total Protection or McAfee.

And if there is still no change, I will recommend you to make a clean re-install of your Windows...
 
Yes, you do have spyware. I don't do the entire malware cleaning, but I will help with the HijackThis log.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

C:\WINDOWS\system32\12520437l.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: banneradsgalore browser optimizer - {102375e1-3ef1-23ad-fc0b-53f2fcb2a5b4} - C:\WINDOWS\system32\{bb0722fe-e90c-a3f6-a1c3-edf90c912251}.dll
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437l.exe
O4 - HKLM\..\Run: [{445a13dc-b11d-d64b-bd26-f0021e98a2f0}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{bb0722fe-e90c-a3f6-a1c3-edf90c912251}.dll" DllStart
O4 - HKCUO4 - HKUS\S-1-5-18\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437l.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\12520437l.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\12520437l.exe (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\kownw64k.exe\..\RunServices: [IEUpdate] C:\WINDOWS\system32\12520437l.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: rqRHwusS - rqRHwusS.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
C:\Program Files\Plate\X_Plate.exe
Please note any other programs that you don't recognize in that list in your next response.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):
WINDOWS\system32\12520437l.exe
WINDOWS\system32\spywarewarning.mht
WINDOWS\system32\{bb0722fe-e90c-a3f6-a1c3-edf90c912251}.dll

After that, Reboot, and post a new HijackThis log here in a reply.
You should also run and include the logs from:
1) MBAM or SAS log
2) Combofix log
You will find instructions on: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

You are running some real time monitoring programs. They need to be stopped or removed and have been included in the Hijack 'fix'.
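
An added example, not part of the post above and not HijackThis's own logic: a small Python triage pass over entries quoted in this thread. It flags three patterns visible in the fix list: references to files that no longer exist, one binary registered under several autostart keys, and DLLs launched through Rundll32. The function name `triage` and the three heuristics are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\12520437l.exe
O4 - HKLM\..\Run: [{445a13dc-b11d-d64b-bd26-f0021e98a2f0}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{bb0722fe-e90c-a3f6-a1c3-edf90c912251}.dll" DllStart
O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\12520437l.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\12520437l.exe (User 'Default user')
O20 - Winlogon Notify: rqRHwusS - rqRHwusS.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"""

# O4 registry autostart entry: hive, key (Run, RunServices, RunOnce...), name, command
O4_REG = re.compile(r"^O4 - (?P<hive>HK.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.*?)\] (?P<cmd>.*)$")
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")


def triage(log_text):
    """Group HijackThis entries by illustrative persistence indicators."""
    orphaned, rundll32_dlls = [], []
    locations = defaultdict(set)          # payload path -> autostart keys
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if ORPHAN.search(line):
            orphaned.append(line.split(" - ", 1)[0])   # section code, e.g. O20
            continue
        m = O4_REG.match(line)
        if not m:
            continue
        paths = [p.lower() for p in PATH.findall(m["cmd"])]
        if not paths:
            continue
        payload = paths[0]
        if payload.endswith("\\rundll32.exe") and len(paths) > 1:
            payload = paths[1]            # the DLL is what actually runs
            rundll32_dlls.append(payload)
        locations[payload].add(m["hive"] + "\\" + m["key"])
    # A binary registered in more than one autostart location
    multi_key = {p: sorted(k) for p, k in locations.items() if len(k) > 1}
    return {"orphaned": orphaned, "multi_key": multi_key,
            "rundll32_dlls": rundll32_dlls}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```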
 
Thank you that helped the popups stop and the computer is running better now. I still can't get online with any browser, although now IE works in safe mode.

My browsers don't work and I can't download any other programs like MBAM.

Here is another hijack this log. I don't know what else to do.
 

Hi:

That person should have never told you to install the currently low-quality Ad-Aware program.

Since your HijackThis log indicates the presence of Spybot, I recommend you ask THEIR experienced, highly trained, CERTIFIED, Volunteer "Malware-Fighters" for Help on their Support Forums at http://forums.spybot.info, SPECIFICALLY their "Malware Removal" sub-forum.
 
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\Richard\Local Settings\Application Data\CyberDefender\cdmyidd.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [BM8fbbc9a9] Rundll32.exe "C:\WINDOWS\system32\vklkegjr.dll",s
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\12520437l.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
C:\WINDOWS\system32\RAMASST.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
C:\Program Files\Bonjour\mDNSResponder.exe
Click on this link in Post #15 to TurnOffBonjour:
http://www.neowin.net/forum/index.php?showtopic=556162&st=0
(This can come with Adobe CS3 applications. And it is a part of iTunes music sharing. Just do a Start > Run > msconfig & disable it. Also, turn off the Bonjour service (set to Disabled).)

Disable the auto-update feature on the programs:
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Please note any other programs that you don't recognize in that list in your next response.

After that, Reboot, and post a new HijackThis log here in a reply

Check all of your internet settings in both browsers to make sure they are correct. If you are using a router, you need to determine if it is working. Set up your cable so that it bypasses the router and goes straight into the computer instead of the router. If you can establish a connection that way, it means the router has gone bad or its settings are not correct.

For those Services you fixed, you will need to go to the Control Panel> Administrative Tools> Services. Find each Service and right click> Properties. Change Start mode to either Manual or Disable. Stop the Service from running.
 
My browsers still won't work and now when I try to get on in safe mode or use the calculator as a browser it says "I need ResXX\Mcsheild.dll"

How do I download a program if my browsers don't work?

Here is a current hijackthis log,
 
The reason you're getting that message is because you have uninstalled the McAfee program but left processes loading and Services running:
Current log:
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Original log:
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

Please have HijackThis fix the remaining McAfee files as shown in the 'current log'. Then try again to boot into Safe Mode and go to the Control Panel> Administrative Tools> Services> right click on each of the McAfee/Network Associates Services> Properties> set startup to Disabled> Stop the Service> Apply> OK

You should also run and include the logs from:
1) MBAM or SAS log
2) Combofix log
You will find instructions on: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Please do not install or uninstall any other programs for now. I've got to go through the various security programs you still have and look for conflicts.
 
I managed to stop the popup, but I can't download any of those programs for some reason. Maybe because I am in safe mode?

I can only get IE to work and only in safe mode. Other browsers don't work (they don't open up and try to connect). IE says the server can't be found when I click on the links to download the other programs.
 
You're worse off now than when this began three weeks ago!

All of the following are new and will need to be removed:
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
CFSServ.exe: CFSServ.exe is a process belonging to Toshiba's ConfigFree utility and searches for Wireless Devices. This program is a non-essential process to the running of the system, but should not be terminated unless suspected to be causing problems.

O4 - HKLM\..\Run: [8c88fa35] rundll32.exe "C:\WINDOWS\system32\txclgrju.dll",b
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
Filename: mrofinu1188.exe> Description: Unidentified Trojan.
And I don't know why this is going on:
O4 - HKCU\..\RunOnce: [SpybotDeletingB6138] command /c del "C:\WINDOWS\okmdepgb.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9849] cmd /c del "C:\WINDOWS\okmdepgb.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9404] command /c del "C:\WINDOWS\nqgpedlr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8568] cmd /c del "C:\WINDOWS\nqgpedlr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1855] command /c del "C:\WINDOWS\axrfgvek.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6978] cmd /c del "C:\WINDOWS\axrfgvek.dll_old"

We cannot do this with HijackThis alone. You will require a full malware cleaning. Please go over to the Security Forum and follow this:
New malware cleaning instructions from TechSpot: https://www.techspot.com/vb/post645589-1.html

Please reference this thread: https://www.techspot.com/vb/showthread.php?p=654003#post654003

Someone will assist you in the cleaning after you run the programs and attach the logs.
 
I have tried to download those programs but IE won't let me go to those pages. I can't figure out why. I click on the link and I get the page that says it can't find the server. Can I download the programs on another computer to a flash drive and then put it on my computer? What is the best way to do that?
 
Do you have an internet connection? If you do not, you can try loading the programs on the flash drive, then running them, but I'm not sure that's going to work. I would encourage you to switch over to the Security Forum as suggested. The good people who help out there have access to more programs than I do and may be able to help you get around the 'server' problem, if that's what it is.
 
papermate, the support helpers here are specifically trying to repair this issue.
You are just posting anything!
 