Warning: Spyware has been detected on your PC

By chrisperado
Apr 4, 2008
Topic Status:
Not open for further replies.
  1. "Warning: Spyware has been detected on your PC" suddenly replaced my desktop background last night. I've tried running a McAfee antivirus scan and Ad-Aware, but neither one solved the problem. Popups are constantly appearing warning me of an internet threat or some other problem, and I'm at a loss for what to do. Help is greatly appreciated.
  2. kritius

    kritius TechSpot Guru Posts: 2,087

    The first thing that I need you to do for me is to download and install HijackThis.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE.
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically; select Scan now and save a log.
    • After the scan is complete, attach the log to your reply using the paperclip icon.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.

    Hijackthis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.

    If you have any problems or questions then please post back.
  3. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    HijackThis Log

    Thanks for your response. Here is the log. I have to break it into 2 parts because it is too long to post all at once.
  4. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Have to make 5 posts before I can put the log
  5. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Fourth post
  6. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Fifth post
  7. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:39:43 PM, on 4/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\sbwltbxa.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\routing.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,userinit.exe
    O1 - Hosts: 82.98.86.174 ZMDSENSOR.COM
    O1 - Hosts: 82.98.86.174 ASAP-CODING.COM
    O1 - Hosts: 82.98.86.174 xuexin.com
    O1 - Hosts: 82.98.86.174 SELENAROSS.COM
    O1 - Hosts: 12.170.116.90 solairplane.com
    O1 - Hosts: 12.170.116.90 mauieye.com
    O1 - Hosts: 12.170.116.90 dotauweb.com
    O1 - Hosts: 12.170.116.90 jollygrocer.com
    O1 - Hosts: 12.170.116.90 mauitourist.com
    O1 - Hosts: 82.98.86.174 tu286.com
    O1 - Hosts: 82.98.86.174 matop.net
    O1 - Hosts: 82.98.86.174 x-411.info
    O1 - Hosts: 82.98.86.174 hicase.net
    O1 - Hosts: 82.98.86.174 acacak.net
    O1 - Hosts: 82.98.86.174 sagere.com
    O1 - Hosts: 82.98.86.174 fesair.com
    O1 - Hosts: 82.98.86.174 a2f50.com
    O1 - Hosts: 82.98.86.174 bjtu-px.org
    O1 - Hosts: 82.98.86.174 bvbmag.org
    O1 - Hosts: 12.170.116.90 racingyachts.com
    O1 - Hosts: 82.98.86.174 offiah.com
    O1 - Hosts: 82.98.86.174 katite.com
    O1 - Hosts: 82.98.86.174 haeto.org
    O1 - Hosts: 82.98.86.174 divia.org
    O1 - Hosts: 82.98.86.174 gagdk.com
    O1 - Hosts: 82.98.86.174 1010sn.com
    O1 - Hosts: 82.98.86.174 ifcaf.org
    O1 - Hosts: 82.98.86.174 wbpro.biz
    O1 - Hosts: 82.98.86.174 aaula.cn
    O1 - Hosts: 75.126.173.162 LoansAnywhere.info
    O1 - Hosts: 72.52.4.90 cshej.cn
    O1 - Hosts: 72.52.4.90 qittaf.com
    O1 - Hosts: 82.98.86.174 tqgjo.com.cn
    O1 - Hosts: 82.98.86.174 khoban.info
    O1 - Hosts: 82.98.86.174 tejjvx.com
    O1 - Hosts: 82.98.86.174 otenda.info
    O1 - Hosts: 75.126.173.162 TelcomCabling.com
    O1 - Hosts: 82.98.86.174 yjelom.info
    O1 - Hosts: 82.98.86.174 delama.info
    O1 - Hosts: 82.98.86.174 computah.com
    O1 - Hosts: 82.98.86.174 kzok.info
    O1 - Hosts: 82.98.86.174 luce.ca
    O1 - Hosts: 82.98.86.174 kessta.com
  8. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Here is the second part.

    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: Suchspur - {5D945E9A-DC10-4670-83EB-99DAA616628A} - C:\WINDOWS\system32\Suchspur.dll (file missing)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix\RegistryCleanFix.exe
    O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\MSEnv\upd_manager.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/27.44/uploader2.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134611130484
    O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe (file missing)
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe (file missing)
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe (file missing)
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe (file missing)

    --
    End of file - 13699 bytes
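The log above can be triaged mechanically. The following is an added example (not a TechSpot or HijackThis tool) that parses a constructed excerpt of that log and flags the entries the helpers later point at: the extra executable in the UserInit value, hosts-file redirections, orphaned BHOs, the MIME filter hijack, and a service with no vendor running from system32. The excerpt and category names are the example's own.

```python
"""Triage a HijackThis v2.0.2 log for the persistence mechanisms seen in this thread.

Added example for this thread, not a HijackThis or TechSpot tool. The log
excerpt below is constructed from entries in the log posted above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,userinit.exe
O1 - Hosts: 82.98.86.174 ZMDSENSOR.COM
O1 - Hosts: 82.98.86.174 tu286.com
O1 - Hosts: 12.170.116.90 solairplane.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry line is "<code> - <body>"; codes are R0/R1, F2, O1..O23.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
BHO_RE = re.compile(r"^BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

LOOPBACK = ("127.", "0.0.0.0", "::1")
SYSTEM32 = "\\windows\\system32\\"


def parse_hjt(text):
    """Yield (code, body) for each entry line; the process list and headers are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return findings keyed by category; empty lists mean nothing suspicious was seen."""
    findings = {"userinit": [], "hosts": defaultdict(list), "orphan_bho": [],
                "filter_hijack": [], "services": []}
    for code, body in parse_hjt(text):
        if code == "F2" and "UserInit=" in body:
            # The legitimate value is a single userinit.exe; anything else in the
            # comma-separated list is launched at every logon, before the shell.
            value = body.split("UserInit=", 1)[1]
            for entry in value.split(","):
                entry = entry.strip()
                if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    findings["userinit"].append(entry)
        elif code == "O1":
            m = HOSTS_RE.match(body)
            # A hosts entry pointing anywhere but loopback silently redirects that name.
            if m and not m.group("ip").startswith(LOOPBACK):
                findings["hosts"][m.group("ip")].append(m.group("host"))
        elif code == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path") == "(no file)":
                findings["orphan_bho"].append(m.group("clsid"))
        elif code == "O18" and body.startswith("Filter hijack:"):
            # MIME filter registered with no handler: leftover of a browser hijack.
            findings["filter_hijack"].append(body.split(":", 1)[1].split(" - ")[0].strip())
        elif code == "O23":
            m = SERVICE_RE.match(body)
            # Service with no vendor string whose binary sits directly in system32.
            if m and m.group("owner") == "Unknown owner" and SYSTEM32 in m.group("path").lower():
                findings["services"].append(m.group("path"))
    findings["hosts"] = dict(findings["hosts"])
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```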
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Attach being the key word here!
    .
  10. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Attached

    Sorry about that. Hope this works better.
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Just a quick response before kritius replies

    Open Hijackthis
    Click on Open the Misc Tools Section.
    Under System Tools, click on Open process Manager.
    Navigate to the processes below and click on Kill process.
    C:\WINDOWS\system32\routing.exe
    Close Hijackthis.

    Click on Start --> Run
    Type the following command then Enter Key.
    sc stop "Routing"
    sc delete "Routing"

    Edit:

    You can also place a tick in all the "no file" entries and clean them up in HiJackThis
    Including this one: O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
    .
     
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    McAfee, avast and Trend Micro (although it looks deleted), my goodness.

    Ditch Party Poker.

    Hosts File Corrupted

    Download HostsXpert v4.1 and unzip it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program.
    • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
    • Click on Make ReadOnly to secure it against further infection.
    • Exit the program.
    Visit the Website for more information.

    Will reply with proper instructions later, unless you want to have a go, Kimsland? I'll keep an eye on the thread.
  13. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    I tried killing that process but it did not work. A dialog box appeared which said that the process may have already closed or it may be protected by Windows. Thank you for the suggestion.
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Confirm C:\WINDOWS\system32\routing.exe is actually removed, by doing a search for all files and folders for routing.exe
    Before beginning the search, make sure to click on "More Advanced Options" (you may need to maximize search to see this). Then select "Search Hidden Files and Folders".

    As per kritius' suggestion, run HostsXpert v4.1 (link and instructions provided by kritius) and remove PartyPoker from Add/Remove Programs.

    Restart

    By the way, did you remove all "no file" entries in HiJackThis ?

    My point being can you attach another HJT log (This will help kritius mainly, as my instructions have now altered this considerably)

    Once the new HJT log is attached I feel it is best for kritius to continue without interruption from myself. (no supporting response required on that)
  15. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    kritius,

    I'm following your instructions. Party Poker hasn't been on my computer for a while - at least not so that I can detect it now. I downloaded the HostsXpert program and did as you said. I'm currently reading over the website to understand all of this. Thanks for helping me out. Can you direct me someplace so that I can read about proper antivirus protection - I thought I was doing myself a favor with McAfee.
  16. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please follow the above post.
    The best AntiVirus protection information can be provided once your system is clean.
  17. wharfrat11

    wharfrat11 Newcomer, in training Posts: 29

    hello everyone,

    I just started receiving the same errors as chris this morning. Ran Ad-Aware and AVG but nothing helped. In addition to the errors he's spoken of (popup warnings, spyware warning background on the desktop) the following has been occurring too:

    1. I cannot d/l any new programs (HijackThis, etc.) per kritius' second post. When I try I receive the error message: IE cannot download ____.exe from ______.com. IE was not able to open Internet site. The request is either unavailable or cannot be found. Try again later. This happens with everything I've tried d/ling at the moment.

    2. When trying to access Task Manager I receive the following error: Task Manager has been disabled by your admin.

    3. I could not access hotmail from my cpu to register here. Had to do this from another cpu to be able to post.

    4. Even Notepad will not open and I receive a message saying Windows has blocked it due to protection.

    Not sure where to go from here. Please advise and thanks for the help in advance.
    Mike
  18. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hi wharfrat11,

    My first advice to you, is to create a new thread, just for you.

    This is because, even though your issue may have similarities with the original post here, it is, in actual fact, totally different.
    Also when a support member replies, which member will he be replying to?

    Please create a new thread. With all info clearly stated again.
    Do NOT reply here, whatsoever, just create a new thread (I've said this enough :) )
  19. kritius

    kritius TechSpot Guru Posts: 2,087

    chrisperado, post a fresh log and I'll look it over,

    also

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  20. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    New HijackThis Log

    kritius,

    Here is a current log. I have not run the antimalware software yet, but I'll do that now and attach another log in case you need that one too. thanks again.
  21. kritius

    kritius TechSpot Guru Posts: 2,087

    Ok,

    along with the other two logs,

    Create an uninstall list
    • Launch Hijackthis
    • Click the Open the Misc Tools section button
    • Click the Open Uninstall Manager button.
    • Click the Save list button.
    • Copy and paste this log into your next reply

    then we'll start the cleaning process.

    sound good?
  22. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    Excellent. They will be up as soon as I have them.
  23. chrisperado

    chrisperado Newcomer, in training Topic Starter Posts: 20

    kritius,

    It took a long time, but here are the 3 new logs.
  24. kritius

    kritius TechSpot Guru Posts: 2,087

    Looking over now.
  25. kritius

    kritius TechSpot Guru Posts: 2,087

    Go to add/remove programs

    Uninstall anything to do with, or spelt like,
    RegistryCleanFixMFC

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.
      if you use Firefox:

      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
      if you use Opera:

      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O8 - Extra context menu item: &Suchen - res://C:\WINDOWS\system32\Suchspur.dll/Suchspur.HTM
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Rename HijackThis.exe to chrisperado.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to chrisperado.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.

    ComboFix installed in wrong location
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"

    Download and Run ComboFix
    • Download this file to your desktop, it must be here, from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall