Warning spyware threat has been detected on your pc

Status
Not open for further replies.

shadowstalker

Posts: 36   +0
Hi, I am having problems with "warning spyware threat has been detected on your pc", it is annoying! I can't use ctrl+alt+del, there are a lot of pop-ups and a trojandownloader.XS threat. Last night I was looking at another board with someone who was having the same problem, I tried doing what they told him and it didn't work. I have AVG4 and spyware terminator. Last night I downloaded SDFix, Hijackthis and Deckards system scan. I just searched for the deckards scan and the only thing that showed up was the report. I think I'm just making things worse....
 
You are likely getting a marketing ploy, rather than a notice of an infestation.
Check your pop-up software that should be blocking it, or the firewall... If you are using Windows Firewall, change to Comodo, Kerio, Zone Alarm or one of the others that blocks both incoming and outgoing intrusions. Kerio does not work with VISTA, and they charge for WXP, but is very good. Comodo and Zone Alarm both have free versions.
 
If I am right, what you have is an irritant that will be removed by the Internet Explorer pop up blocker, the Firefox pop up blocker, or Zone Alarm Free Version, or Comodo Free version.
You should not have to remove anything. Internet Explorer 7.0 has a setting to block pop ups.
You will also remove the cause by AVG AntiSpyware free version,but should also knock it out with Adaware 2.0.0.7, SpyBot 1.2.5, and Windows Defender scans.
HiJackThis only reports infestations. SDFix and Spyware Terminator are not very familiar.
If you use SDFix or Spyware Terminator, immediately shut down after scan, and reboot in Safe Mode to immediately run them again.
If you use the ones I mentioned, you should be able to get rid of the lurking spyware that is causing the problem, but also rerun them in SafeMode if they find anything... sometimes the infestation escapes to memory so it can come back when you reboot.
 
I installed zone alert and AVG 7.5 and went into safe mode. It didn't fix it. I can't use ctrl+alt+del (administrator error), my wallpaper is frozen with a spyware add, and there are TONS of pop-ups. Could it be an infection? I am a beginner to this. I would like to fix it myself without having to pay a lot of $$$. Thanks!
 
You should not be having pop ups if you are using Firefox or the appropriate setup of Internet Explorer with PopUp removal...so if that is the case, go to step C below

Your AVG 7.5 was the Anti-Spyware version and didn't fix it? Unusual.
Have you tried Windows Defender? Download from Microsoft, then run the updates, then the scan.

Do you know, or can you figger out what software is posting the spyware message? That is a key clue to fixing this problem.

What about the pop up stoppers from Firefox or Internet Explorer?

Now may be the time to download the very latest version of HiJack This, and post the results on this forum. Follow the advice of experts on this forum. They are usually as good as you will get.

If nothing is found, It may be that you have the SmitFraud infestation... though what you report is not quite right. Lets take a closer look at the Smitfraud and the SmitfraudFix

Gurgle search for and download the SmitFraudFix

Please cold boot your computer in Safe Mode by pressing the <F8> key repeatedly once per second as soon as you press the <ON> button.

- Choose the first option, to run Windows in Safe Mode, then press <enter> and select your usual account.
- Once in Safe Mode, double-click on the SmitfraudFix you have downloaded. and choose option #2
- Clean by selecting <2> and press "Enter" to delete infected files.

SmitFraudFix will now check do discover if "wininet.dll" is infected. If you get a prompt to replace the infected file, if discovered,; select "Yes" and <enter>.

Then reboot, and run the free scans from Symantec, McAfee, Panda, and Computer Associates... They will not remove it, but will tell you if there is an infestation

Now download and run CCleaner. Clean out everything. Close and reboot.

Now run AVG Antispyware, Adaware 2007, Windows Defender, and SpyBot... not perfect but they are all free, and will give you some clues as to the problem

At this point you should know if it is worse or better.


Alternately, I would remove all spyware and antivirus software, then install AVG Antivirus, and the paid version of Sypware Doctor.
 
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach the log into your next reply.
  • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file to your desktop from either of the two below listed places :

    HERE or HERE
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply
WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:59 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wmsdkns.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\tazyvuvs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\mdwtsbwf.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hivkhgja] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hivkhgja.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [fctrwmre] C:\WINDOWS\system32\tazyvuvs.exe
O4 - HKCU\..\Run: [XMLmedia 10.0] "C:\WINDOWS\System32\wmsdkns.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} (CPlayFirstDinerDashControl Object) - http://download.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.98.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12179 bytes
 
As for the combofix, It will not let me download. One of the links has an error, the other looks like it will install, then disappears.. Also I'm getting kinda nervous downloading everything, I've downloaded a lot of different things the past two days that my memory is down to 4.25 GB..
 
hmmm, both links work for me,

try this,

: Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
  • Attach the main.txt and the extra.txt in your reply.
 
OK, so I tried to get the extra.txt five times and nothing. It just let me have the main.txt that is attatched on the previous post.
 
It was because you were running DSS from a temp folder.

Remove Bad Programs

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

ZTgServerSwitch


Optional Fix

You have ZoneAlarm Spy Blocker toolbar installed on your computer. It comes bundled with Zonealarm. Here is some information about why it is not regarded as very usefull toolbar: LINK. More information here: LINK. Decision is yours.

If you want uninstall ZoneAlarm Spy Blocker, this is how you can do it:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    • ZoneAlarm Spy Blocker

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wmsdkns.exe
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\mdwtsbwf.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [hivkhgja] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hivkhgja.dll"
O4 - HKCU\..\Run: [fctrwmre] C:\WINDOWS\system32\tazyvuvs.exe
O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} (CPlayFirstDinerDashControl Object) - http://download.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0. 0.17.cab

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Delete Files and Folders
  • Right Click on the start button and chose explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them(if still present)
C:\WINDOWS\System32\wmsdkns.exe<---------This File
C:\WINDOWS\mdwtsbwf.dll<---------This File
C:\Documents and Settings\All Users\Application Data\hivkhgja.dll<---------This File
C:\WINDOWS\system32\tazyvuvs.exe<---------This File
c:\program files\support.com<---------This Folder

  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\stcloader.exe
    C:\Program Files\stc
    C:\WINDOWS\voiceip.dll
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\system32\WER8274.DLL
    C:\WINDOWS\system32\MSIXU.DLL
    C:\Program Files\zango
    C:\Program Files\seekmo
    C:\Program Files\180search assistant
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\salm.exe
    C:\WINDOWS\180ax.exe
    C:\Program Files\180solutions
    C:\Program Files\180searchassistant
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\FLEOK
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\winsb.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\browserad.dll
    C:\WINDOWS\aviwrap32.dll
    C:\WINDOWS\avisynthex32.dll
    C:\Program Files\Sysmnt
    C:\WINDOWS\avifile32.dll
    C:\WINDOWS\autodisc32.dll
    C:\WINDOWS\audiosrv32.dll
    C:\WINDOWS\ati2dvag32.dll
    C:\WINDOWS\ati2dvaa32.dll
    C:\WINDOWS\athprxy32.dll
    C:\WINDOWS\asycfilt32.dll
    C:\WINDOWS\changeurl_30.dll
    C:\WINDOWS\asferror32.dll
    C:\WINDOWS\apphelp32.dll
    C:\WINDOWS\peernet
    C:\WINDOWS\provisioning
    C:\Documents and Settings\All Users\Application Data\hivkhgja.dll
    C:\Documents and Settings\All Users\Application Data\gbirslar
    C:\WINDOWS\uprjiefj
    C:\WINDOWS\mdwtsbwf.dll
    C:\WINDOWS\rifcnixy.dll
    C:\WINDOWS\mdwtsbwf.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hivkhgja
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fctrwmre
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Run HijackThis again and post a fresh HijackThis log back with the results of OTMoveIt2
 
[*] Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



What are the "file paths below"?
 
Apologies, the program recently updated and they took one of the features out, all you need to do is paste it into the left hand window and hit moveit!
 
OK.. Here's the deal.. I had a problem with spyware back in April, Kritius helped me out, and my computer was running great until about two weeks ago, it started running slow, and now it is freezing up and there are TONS of popups even though my blocker is on.
Attatched is a malwarebytes' report, and a hijackthis report.
Also should I start a new thread, if so what should I name the thread??
Thanks!!
 
Status
Not open for further replies.
Back