Good Day All (I think)
My dearest son has presented me with a problem that "popped" up, literally, 5 days ago. Gotta love teenagers.
Massive pop-ups, there is a splash screen that is covering the desktop (desktop is available by drilling down through My Computer>Documents & Settings>User name). Malwarebytes is not available because the mbam.exe is being blocked, and I cannot access the Task Manager by right-clicking the bar at the bottom of the page. AVG has been overridden. I cannot use System Restore to roll back to a clean save; it states corrupted. Safe Mode is also unavailable. Unable to access/utilize MS Update, and at this time I am concerned about updating or changing anything on his computer for fear of infection/corruption.
His computer has IE 8 installed however we do not use IE, we are using Firefox, current version is 3.6 I believe. I went into the internet options for IE 8 and cleared all the settings.
I had an issue similar to this on another computer in my home over a year ago and I really don't want to spend the next 6 days fumbling around trying to figure it out, again. Any assistance is greatly appreciated.
~The splash screen covering the DT states:
YOUR SYSTEM IS INFECTED!! System has been stopped sue to services malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer until all spyware removed.
~Main Balloon pop-up: Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you.
If you click the bubble and not the "X" it attempts to download Internet Security 10
~One of the main warnings I get:
Attention! System detected potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to update your current security software. Click ok to download official intrusion detection software (IDS software).
~Computer - XP Prof SP 2 build 2002, HP rebuild
~TOO many pop-ups to mention
~Here is the current HJT log
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:39:27 AM, on 2/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [gijozifet] Rundll32.exe "c:\windows\system32\vosemuji.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "E:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internet-security10.com
O15 - Trusted Zone: http://*.is-soft-download.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1264996372609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1264997327828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\vosemuji.dll,tuvujuka.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: labapikef - {0c9ed4ee-6d54-4434-9483-e54bb1307e13} - c:\windows\system32\vosemuji.dll
O22 - SharedTaskScheduler: tokatiluy - {0c9ed4ee-6d54-4434-9483-e54bb1307e13} - c:\windows\system32\vosemuji.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
--
End of file - 4179 bytes
With matters such as these, when the computer is not in use it is disconnected from the net via removing the wire; I do not trust disabling the NIC. I will check back in a few hours to see if anyone has found the time to assist me. I know you folks are busy. I am posting this from my personal computer so we don't need to turn his on again. Notepad is a wondrous thing.
When there is a reply, I will go turn on/log in to his computer for your fixes and to answer questions from his computer.
Thank you for any assistance you may be able to provide. I have a feeling reformatting the computer won't help. I really do not want to reload it and deal with MS CSRs, their computer intelligence seems to be less than mine.
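The HijackThis log above contains the classic rogue-AV footprints a helper would circle first: the F2 UserInit value pointing at winlogon32.exe instead of userinit.exe, Run entries loading smss32.exe and vosemuji.dll straight out of system32, an unknown Winsock LSP, AppInit_DLLs, and the Trusted Zone entries for the "Internet Security 10" download sites. The following triage script is an added example, not code from the original post or from the HijackThis project; it parses HJT-style entry lines and flags those indicators so a reviewer can see at a glance which lines need attention. The sample lines are copied from the log in the post; the heuristics (which entry types and which path patterns to flag) are the example's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [gijozifet] Rundll32.exe "c:\windows\system32\vosemuji.dll",a
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internet-security10.com
O20 - AppInit_DLLs: c:\windows\system32\vosemuji.dll,tuvujuka.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

# Run-key names that legitimately live in system32 on XP (assumed allowlist for this example).
KNOWN_OK_RUN = {"ctfmon.exe"}

def triage_line(line):
    """Return a reason string if the HJT entry deserves manual review, else None.
    These are triage hints, not verdicts: a reviewer still confirms each hit."""
    m = re.match(r"^(F\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    after_colon = body.split(":", 1)[1].strip() if ":" in body else body
    if kind == "F2" and "UserInit=" in body:
        # A clean XP install ends this value with userinit.exe; anything else runs at every logon.
        value = body.split("UserInit=", 1)[1].strip().rstrip(",").lower()
        if not value.endswith("\\userinit.exe"):
            return "UserInit is %s instead of userinit.exe" % value
    if kind == "O4":
        m4 = re.match(r".*\[(.*?)\]\s*(.*)", body)
        # Run entries that load an exe/dll straight out of system32 are unusual for
        # legitimate software, so they get a look unless allowlisted above.
        if m4 and m4.group(1).lower() not in KNOWN_OK_RUN \
                and re.search(r"system32\\[a-z0-9]+\.(exe|dll)", m4.group(2), re.I):
            return "Run entry [%s] loads from system32: %s" % m4.groups()
    if kind == "O10":
        return "Winsock LSP not recognised: " + after_colon
    if kind == "O15":
        return "Trusted Zone added: " + after_colon
    if kind == "O20" and body.startswith("AppInit_DLLs"):
        return "AppInit_DLLs loads into every GUI process: " + after_colon
    return None

def triage(log_text):
    """Run triage_line over a whole log and keep only the flagged (line, reason) pairs."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-4s %s" % (line.split(" ", 1)[0], reason))
```

Running it against the sample flags six of the eight lines and leaves the AVG tray entry and the Ad-Aware service alone.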