"Critical System Error" & "Virus Alert"

Status
Not open for further replies.

jdpink62

I have an issue similar to Pradeka's in his thread: https://www.techspot.com/vb/topic62639.html and to Dhaka's thread: https://www.techspot.com/vb/topic61225.html

It appears in the form of a Windows-style system error message in my system tray toolbar which reads: "critical system error - System detected virus activities. They may cause critical system failure. Please use antimalware software to clean and protect your system from parasite programs. Click this balloon to get all available software". Once clicked it opens an IE window prompting you to buy "virusbuster", which apparently is a fake program showing fake virus infection messages to get you to pay for a fake product.

2) Another system alert shows Malware threats ("Your computer is infected with a back door Trojan that allows the remote attackers to perform various malicious actions. Click this balloon to download malware removal software.")

I went ahead and did what howard_hopkinso asked both of them to do, and went through the whole "Trojan Pakes and other nasties preliminary removal instructions" thing.

Enclosed as an attachment is a copy of the logs I ran after I ran the 4 fix programs. I hope I got everything off my laptop, but I can't say for sure. I have Trend Micro PC-cillin Internet Security 2009 Suite with anti-virus. I can't find the scan logs, but it had a bunch of trojans on it.
View attachment rapport.txt
View attachment 10632
View attachment 10633
View attachment 10634
View attachment hijackthis.txt

Thanks in advance.
 
Hello and welcome to Techspot.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {6DF82FB5-4C01-E644-CD53-0A1E2D14E21F} - C:\WINDOWS\system32\qahwdqn.dll

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\qahwdqn.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post fresh HJT and AVG Antispyware logs and let me know how your system is running

Regards Howard :wave: :wave:

This thread is for the use of jdpink62 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I removed:

O2 - BHO: (no name) - {6DF82FB5-4C01-E644-CD53-0A1E2D14E21F} - C:\WINDOWS\system32\qahwdqn.dll

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

After turning off System Restore and showing ALL files like you asked.

I could not find the C:\WINDOWS\system32\qahwdqn.dll file so when I rebooted the red icon was still there. Here is a new HJT and AVG log.
View attachment NewHJT.txt
View attachment 10641

Thanks for your help
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add/remove programmes in your control panel and uninstall anything to do with (if there):

PopUp Defender 2004 Full

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

PopUpDefender2004Full.exe

Close task manager.


Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzan.dll,startup

O4 - HKLM\..\Run: [ibvobhj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ibvobhj.dll,evkoqpe

O4 - HKLM\..\Run: [PopUp Defender 2004] C:\Program Files\PopUp Defender 2004 Full\PopUpDefender2004Full.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\PopUp Defender 2004 Full (delete the entire folder)

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\ibvobhj.dll
C:\WINDOWS\system32\drvzan.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of jdpink62 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
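The two sets of instructions above work from HijackThis (HJT) log lines: pick the O2/O3/O4/O23 entries to fix, then copy the file paths they reference into Killbox. As an added example, not code from the thread or from HijackThis, here is a small parser for that log format. The sample log is constructed from the entries quoted in this thread; the helper names (`parse_hjt`, `select`, `collect_paths`, `split_by_presence`) are my own. It also separates paths that still exist on disk from ones that are already gone, which is the situation jdpink62 ran into when qahwdqn.dll could not be found before the Killbox step.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample: the HJT entries quoted in this thread plus one
# non-entry line, so the parser runs offline on realistic input.
SAMPLE_LOG = r"""
Running processes:
O2 - BHO: (no name) - {6DF82FB5-4C01-E644-CD53-0A1E2D14E21F} - C:\WINDOWS\system32\qahwdqn.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzan.dll,startup
O4 - HKLM\..\Run: [ibvobhj.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ibvobhj.dll,evkoqpe
O4 - HKLM\..\Run: [PopUp Defender 2004] C:\Program Files\PopUp Defender 2004 Full\PopUpDefender2004Full.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
"""

# An HJT entry line is "<section> - <kind>: <detail>", e.g. "O2 - BHO: ...".
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A drive-letter path, read non-greedily up to the first .dll/.exe/.sys, so
# "rundll32.exe C:\...\x.dll,export" yields both the loader and the DLL.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str            # O2, O3, O4, O23, ...
    kind: str               # BHO, Toolbar, HKLM\..\Run, Service
    name: str               # display name or [Run value name]
    clsid: Optional[str]    # present for BHO/Toolbar entries
    paths: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HJT log text into entries; lines that are not entries are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        kind, _, detail = rest.partition(": ")
        bracket = re.match(r"\[([^\]]+)\]", detail)       # O4 value names are bracketed
        name = bracket.group(1) if bracket else detail.split(" - ")[0]
        clsid = CLSID.search(detail)
        entries.append(HjtEntry(section, kind, name,
                                clsid.group(0) if clsid else None,
                                PATH.findall(detail)))
    return entries


def select(entries: Iterable[HjtEntry], sections: Iterable[str]) -> List[HjtEntry]:
    """Keep only entries from the given sections (e.g. {"O4"})."""
    wanted = set(sections)
    return [e for e in entries if e.section in wanted]


def collect_paths(entries: Iterable[HjtEntry],
                  suffixes: Optional[Tuple[str, ...]] = None) -> List[str]:
    """Distinct (case-insensitive) file paths referenced by the entries.
    With suffixes=(".dll",) the O4 rundll32 loader is left out and only the
    DLL it loads is returned, which matches what the thread queues in Killbox."""
    seen = {}
    for e in entries:
        for p in e.paths:
            if suffixes and not p.lower().endswith(suffixes):
                continue
            seen.setdefault(p.lower(), p)
    return sorted(seen.values())


def split_by_presence(paths: Iterable[str],
                      exists: Callable[[str], bool] = os.path.exists) -> Tuple[List[str], List[str]]:
    """Check each path before queuing it: Killbox's delete-on-reboot needs a
    file that is actually there. `exists` is injectable for offline testing."""
    present, absent = [], []
    for p in paths:
        (present if exists(p) else absent).append(p)
    return present, absent


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for e in entries:
        print(f"{e.section:>4} {e.kind:<12} {e.name:<40} {e.paths}")
    to_queue = collect_paths(select(entries, {"O2", "O4"}), suffixes=(".dll",))
    present, absent = split_by_presence(to_queue)
    print("present on this machine:", present)
    print("already gone:", absent)
</test>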
 
That got it to stop! Thank you so much... here is a new copy of HJT

I did notice a couple of programs running that I had some questions about. I don't know what these programs are, whether I need them, or whether they are more adware/spyware:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe

Why do I have so many copies of C:\WINDOWS\system32\svchost.exe running and what is it for?

C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE was an old anti-virus software my mom was running a couple of years ago. We deleted it for McAfee, but it seems it didn't fully delete. There is no uninstall program for it. How do I remove the whole thing without screwing something up? There is also evidence of it in the HJT log at the bottom:
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

Thank you so much Howard, you've got the heart of a teacher. I would be up the creek without a paddle without you!

View attachment 10642
 
Your HJT log is now clean.

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe

The above files are critical Windows system files and are perfectly legit.

See HERE, for a description on svchost.exe. Again, this is a Windows system file and is perfectly legit.

It's perfectly normal to have multiple instances of svchost.exe running.

If you would like to see what your multiple entries of svchost.exe are doing, download the Process Explorer from HERE.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of jdpink62 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 