TechSpot

System Alert?

By Xtr3m3
Mar 2, 2007
  1. I have a pop up on my desktop that comes up every five minutes. The pop ups either go to ad-aware sites to purchase or porn sites. I can't find it in search, but I could find it in Add and Remove Programs, but I am unable to delete it. I read on how to delete spyware and others. I ran my Norton, Ad-Aware, SSD, Vundo, AVG Anti-Spyware, CCleaner, Smitfraud, Virtumundo, Look2me, and Hijack. I followed every step that you put on the website but the web cleaner. The sites that are posted I could not go to or would not work, so I skipped the step like advised to. I really want this stuff off my computer because it is becoming a pain. I have a Hijack log. Please look at it and see if I can do anything. Thank you so much for your time!

    PS. I took a screen shot of the desktop when the bubble comes up and the Add and Remove Programs. I did not attach it because you said I should not. If you would like to see it I can post it. Just let me know. Thanks again
     

    Attached Files: log.txt (10.1 KB)
  2. tomrca

    tomrca TS Rookie Posts: 1,000

    the only one I can see that can be fixed is:
    fix with hjt
    O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

    even though this programme shows as a legitimate one, I still feel unsure of it:
    O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
    howard will probably know better!

    try this http://www.trendmicro.com/hc_intro/default.asp and see if it comes up with anything
    what is its name?
    what does it tell you when you try to remove it?
    you could try removing it in safe mode!
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    The only thing in your HJT log that needs fixing is the O2 entry pointed out by tomrca. Other than that it's clean.

    However, something's definitely not right.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Messenger < This is nothing to do with any instant messenger programmes.

    Close the services window.

    If that doesn't stop your popups, do the following.

    Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path"
    * Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree to the terms and conditions that are displayed by AVG and click "OK" to reboot the PC. Reconnect to the net.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above. Let us know the results of the AVG Antirootkit and the Blacklight scans.

    Regards Howard :wave: :wave:

    This thread is for the use of Xtr3m3 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    I believe that AlienGUIse is supposed to be on the computer. I'm running an Alienware which had that on it from the beginning. I did the 11 steps on removing malware and all that already before I put up the first post. It's like a standard balloon that pops up next to my clock that says system alert. Nothing so far has touched the thing. I have the screen shot if you want to see it. But I will try this stuff to see if it does it. This might be a dumb question, but do I just find the O2 program and delete it, or how do you do it? Thanks again
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll is perfectly safe and should be left alone.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

    Click on the fix checked button.

    Close HJT.

    Regards Howard :)

     
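An added example, not part of the original posts: a small parser for HijackThis log lines that separates orphaned entries, like the O2 BHO marked `(no file)` above, from entries that still point at a file, like the O20 Winlogon Notify line. The sample log is constructed; only the O2 and O20 lines come from this thread, and the function names are this example's own.

```python
import re

# A HijackThis entry is "<section code> - <label>: <field> - <field> ...".
ENTRY_RE = re.compile(r"^(?P<code>[ORFN]\d{1,2})\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the registry entry points at nothing on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: the O2 and O20 lines are the ones quoted in this thread,
# the header, process and O23 lines are made up for the example.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Example\svc.exe (file missing)
"""


def parse_line(line):
    """Return a dict for one log entry, or None for headers and process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    label, _, rest = body.partition(": ")
    fields = [f.strip() for f in rest.split(" - ")] if rest else []
    target = fields[-1] if fields else ""
    clsid = CLSID_RE.search(body)
    return {
        "code": m.group("code"),
        "label": label,
        "clsid": clsid.group(0) if clsid else None,
        "target": target,
        "orphaned": target.endswith(ORPHAN_MARKERS),
    }


def triage(log_text):
    """Split entries into orphaned ones and ones that still load a file."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    orphans = [e for e in entries if e["orphaned"]]
    file_backed = [e for e in entries if not e["orphaned"]]
    return orphans, file_backed


if __name__ == "__main__":
    orphans, file_backed = triage(SAMPLE_LOG)
    for e in orphans:
        print("orphaned:", e["code"], e["label"], e["clsid"] or e["target"])
    for e in file_backed:
        print("loads a file, check it separately:", e["code"], e["target"])
```

File-backed entries are only listed, not judged; in this thread the file that mattered surfaced in the Autoruns log rather than in HijackThis.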
  6. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    Well, I deleted it like you told me to. Nothing happened. I went into run programs to messenger and it was already turned off. I downloaded Blacklight and ran it. It found nothing. I downloaded AVG Antirootkit and ran it; it found nothing. Here are both the logs of HJT and AVG. It's still there. Would you like me to post the pic of what I'm talking about? Thanks again.....
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, posting a pic may help us to identify the problem.

    Your HJT log is clean.

    You do have several infections in your system restore points.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    Regards Howard :)

     
  8. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    All right, I did what you said and it is still there. Here are 2 pictures of what is happening. When I click on the bubble it sends me to different sites. I have not clicked on it since the first time.

    [​IMG]

    [​IMG]
     
  9. tomrca

    tomrca TS Rookie Posts: 1,000

    if it will not let you uninstall it, do you get the message, it may be in use with another programme or something. using msconfig, stop it from loading on startup. then remove it
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download and run Smitfraudfix, follow all the instructions exactly.

    Let me know the results.

    Regards Howard :)

     
  11. tomrca

    tomrca TS Rookie Posts: 1,000

    can i ask you
    the day that you first saw this, what had you downloaded that day, or the day before?


    good night lads, got square eyes tonight
     
  12. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    All right, I unplugged my internet and ran my computer in safe mode to run everything that you have told me for the second time. I ran the Smitfraud fix and it came up with nothing. This started happening yesterday; I was trying to watch a vid. clip and it said that I needed that thing that I highlighted in the pic. I said OK (which I know better, but I just F$%#@# up). My Norton caught it and said that it was a trojan. But it's still on my computer. Nothing is being detected by Norton and anything else. When I try to delete it there is nothing that pops up. The "Add-Remove" screen almost flickers and stays the same, almost like that program is overwriting that system. Thank you for helping me so far, I really do appreciate it! But it's still there :(

    I am moving back home from college right now. I'll be back online in about an hour or so. Sorry for the inconvenience.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Download and run the ATF cleaner programme from HERE and save it to your desktop.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Double-click ATF-Cleaner.exe to run the program.

    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    Search your system for the system alert popup programme and delete it if you can. It may be in C:\program files\

    If you find it, but can't delete it, let me know its full filepath.

    Reboot into normal mode and rehide your protected OS files.

    Let me know the results.

    Regards Howard :)

     
  14. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    OK, I have done what you told me. The program worked but didn't take the problem off. I tried to search for it but it did not come up with anything. I tried multiple search terms but still nothing. The funny thing is that it's on Add and Remove Programs but I can't find it anywhere else. I took another screen shot of what I'm talking about. This is becoming a bigger pain than I anticipated. Thank you for your patience.

    [​IMG]
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Ccleaner programme from HERE.

    Close all browsers. Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs and click the run cleaner button. Do this several times.

    With the Ccleaner programme still open, click on Tools. In the list of installed programmes, highlight the system alert popup and click the delete entry button and click ok when prompted. Close Ccleaner and reboot your system.

    Let me know if the entry is still in add remove programmes and if you're still getting the popup in your system tray.

    Regards Howard :)

     
  16. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    Well, that took care of it in Add and Remove Programs. But it's still coming up on the tool bar.....
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)
     
  18. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    well here it is... hope you see something that stands out........
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It seems you have forgotten to hide the Microsoft entries.

    Please make sure you select Hide Microsoft Entries in the options menu, then click the file menu and select refresh, then click the file menu again and save the file to wherever you want.

    Please attach the Autoruns log file here.

    Regards Howard :)
     
  20. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    Sorry, I swear I did that. Hopefully it is right now.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The only entry I can find that looks a little suspicious is this: c:\windows\system32\tvomnc.dll

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file c:\windows\system32\tvomnc.dll

    * Click Open
    * Please let me know the results.

    Regards Howard :)
     
  22. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    All right, I took a screen shot so I would not miss a thing! There are 3 things on there that they found. Here it is... how do I get it off?

    [​IMG]
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)
     
  24. Xtr3m3

    Xtr3m3 TS Rookie Topic Starter Posts: 16

    Thank you so much..... You are the best!!!!!!!!! Can I ask you what that was? And why was it such a pain in the ***** to take off? You are truly a master! Should I get Norton off and use the firewall that you all suggest and use the anti virus that you also suggest? Thanks again, here are the logs.....
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's excellent news. I'm just sorry it took so long to get rid of.

    Your HJT log is clean.

    I don't know exactly what it was or where it came from. It was the only entry in your Autoruns log that looked suspicious, when I couldn't find any info on the file, that's why I suggested you had it checked over at Jotti's. I've never come across the system alert popup programme before or if I have I don't remember lol.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
