Advertisement

04.24.2008 at 07:59AM PDT, ID: 23350481
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
6.7

"System Alert: Spyware Detected" along with "System Intrusion Detected" pop ups in tray

Asked by fozylet in HijackThis Software, MS Forefront-ISA, Anti-Virus

Tags: , ,

Hi -
I have the same symptoms and infection now in my Laptop.
1) System Alert with Yellow Exclamation Icon in the System Tray
2) The Red X icon with System Intrusion Detected in System Tray
3) A spyware alert which claims that my system is infected with Worm.Win32.NetBooster.
4) SystemDefender (which I don't remember having installed) claiming that there are dangerous spywares in my system and wants me to buy the Spware cleaner.
5) IE shows "AntiSpywareMaster" website with a list of VIRUSes and Spyware

Spybot scan shows - Smitfraud-C. entries and disableSystemRestore and disableTaskManager entries.
Here's my HiJackThis log. Can anyone help in removing this? The laptop is slow and very sluggish and am not able to do a System Restore nor kill any processes.

----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:46 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\PROT_SRV.EXE
C:\WINDOWS\system32\pagents.exe
C:\WINDOWS\system32\PSTARTSR.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\LJ36B.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vVX3000.exe
C:\Program Files\Pointsec\P95tray.exe
C:\WINDOWS\system32\eTCrtMng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ixqjgtkd.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 172.21.6.209 e-scape
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DVA Storm - {52676F4A-D830-4513-BE81-3A0C28B32C2F} - C:\WINDOWS\lgmxvpatkmb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Explorer - {7348D74C-731B-DECE-9F8A-A37D8214708E} - C:\WINDOWS\system32\wlcstp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {F3AEF888-A3E2-44EB-BD85-F0C85BA7673F} - C:\WINDOWS\system32\vtUonklK.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: qtvglped - {C8F0EE32-3AF7-4730-9D8C-9EB9D0315290} - C:\WINDOWS\qtvglped.dll
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [eTCertManger] C:\WINDOWS\system32\eTCrtMng.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tvnazgzo] C:\WINDOWS\system32\ixqjgtkd.exe
O4 - HKLM\..\Policies\Explorer\Run: [MN3Corsnlw] C:\Documents and Settings\All Users\Application Data\kdurqvoh\ihkfalil.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://172.21.6.10/officescan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://172.21.6.10/officescan/console/html/ClientInstall/setup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://172.21.6.10/officescan/console/html/root/AtxEnc.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/25.25/uploader2.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://172.21.6.10/officescan/console/ClientInstall/RemoveCtrl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtUonklK - C:\WINDOWS\SYSTEM32\vtUonklK.dll
O21 - SSODL: CheckAlrt - {46d5d815-ebda-4192-9d43-c80888aafd62} - C:\WINDOWS\Resources\CheckAlrt.dll
O21 - SSODL: pmsoarbf - {81E1779B-D7C8-4355-A1DA-129D246A4C41} - C:\WINDOWS\pmsoarbf.dll
O21 - SSODL: omlbpkaw - {968A2DDA-9B04-455A-9E29-1F6416C8C71F} - C:\WINDOWS\omlbpkaw.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINDOWS\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\PSTARTSR.EXE
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
---------------------------------------End of Log -----------------------

Thanks.


ORIGINAL RELATED QUESTION
================================

A "System Alert: Spyware Detected" box of text pops up from a little yellow yield sign in the tray.  The yellow icon has an exclamation point on it.  The text reads:
“System Alert: Spyware Detected
System has detected 4 active spyware applications that may cause you computer to crash and restart, slow it to a crawl…”(its gone away currently so I can’t continue to type it out.  But you get the gist.)

Also a “System Intrusion Detected" box of text pops up from the tray.  The icon for it is a  red circle with a white x through it.  The icon alternates between the red circle to the Windows update logo.  The text reads:
“System Instrusion Detected! (notice typo on “Intrusion”)
The system will now download and install most efficient antimalware program to prevent data loss and you private information theft. Click here to protect you computer from the biggest malware threats.”

A browser popup reads:
“Security Configuration
Attention?  Win32.HS.m2 Spyware has just overcome default security software on Your PC.  Your personal information and pc safety is in critical danger. To clear Your PC and get rid of dangerous virus you need paid security system patch called ” AD-PROJECT". By clicking ”Continue” You will be taken to official developer’s page, where you may download the patch.”

SpywareStrike loads itself.
An HTML link to SpySherrif loads when the yellow yield sign is clicked.


Other popups include porn and casino ads.

Here is the HJT log:

<< HiJackLog from Orig post removed to avoid any confusion >>

Any help with this would be greatly appreciated.

Thanks,
DD

Start Free Trial
Related Solutions: "System Alert: Spyware Detected" along with "System Intrusion Detected" pop ups in t…
 
Keywords: "System Alert: Spyware Detected" …
Title
1 Spyware
2 Assistance with contents of Hijackthis …
3 Can not remove spyware
4 Analyze this HijackThis log
5 HijackThis Log - hyattedeals.exe?
6 HijackThis Log
 
Loading Advertisement...
 
[+][-]04.24.2008 at 08:05AM PDT, ID: 21431676

View this solution now by starting your 14-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: HijackThis Software, MS Forefront-ISA, Anti-Virus
Tags: system, alert, spyware
Sign Up Now!
Solution Provided By: robbhill
Participating Experts: 3
Solution Grade: B
 
 
[+][-]04.24.2008 at 08:14AM PDT, ID: 21431786

Assisted solutions are selected by the member who asked the question as a comment that contributed to their question's solution.

Start your 14-day free trial to view this Assisted Solution or ask the Experts your question.

 
[+][-]04.24.2008 at 10:17AM PDT, ID: 21433081

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 14-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]04.24.2008 at 10:27AM PDT, ID: 21433165

Assisted solutions are selected by the member who asked the question as a comment that contributed to their question's solution.

Start your 14-day free trial to view this Assisted Solution or ask the Experts your question.

 
[+][-]04.24.2008 at 04:51PM PDT, ID: 21436148

Experts Exchange has a courteous staff of administrators who help members get the most out of the website by means of administrative comments like this one.

Start your 14-day free trial to view this Administrative Comment or ask the Experts your question.

 
[+][-]04.24.2008 at 05:01PM PDT, ID: 21436194

Assisted solutions are selected by the member who asked the question as a comment that contributed to their question's solution.

Start your 14-day free trial to view this Assisted Solution or ask the Experts your question.

 
[+][-]04.28.2008 at 08:30AM PDT, ID: 21454912

Experts Exchange has a courteous staff of administrators who help members get the most out of the website by means of administrative comments like this one.

Start your 14-day free trial to view this Administrative Comment or ask the Experts your question.

 
 
Loading Advertisement...
20081112-EE-VQP-43 / EE_QW_Related_20080208