Spyware scans dont pick this up...

Well I've had a problem with spyware... I ran all the scans listed on the SpyWare Removal thread. Nothing seems to get rid of these 2 popups... One is a yellow shield that pops up in the right side of the start bar saying, "Your spyware protection is bad.." I also get a popup called "Microsoft Security Center" which says something along the lines of Malicious Activity detected etc... I don't think these are legit warnings and I want to know why the spyware programs arent picking them up. I ran hijackthis to see if I could spot anything that shouldn't be there and well it seems clean to me, however, I am no expert on this so I could have missed something. I've ran virus scans as well and nothing has come up for that either. Any leads would be greatly appreciated. I can post a log if needbe.

 

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

here's the log and thank you

 

Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

Download this trial version of Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will have a window come up. One of the buttons on the left is to Update. Click the Update button.and then Start the Update. The update will start and a progress bar will show the updates being installed.
• After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you do have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:

• Click on Scanner
• Then click Settings
• Under What to Scan? Select Scan every file
• Then click OK
• Click on Complete System Scan and the scan will start.
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop or anyplace you will be able to find it to upload here.

Reboot into normal mode and reconnect to the internet.

Come back here and post the Ewido Scan Report. And tell me if you are still having any problems.

 

Here's the report... and I'm surprised at how much this program picked up that the others didn't. 40 files... I had no idea.

I had to run it in normal mode, my keyboard for some reason doesn't allow me to go into safe mode, I have to use my old keyboard which my sister uses and well it was 4am when I scanned this so I didn't want to wake her.

 

The popup in the the corner has returned. Should I rescan in safe mode?

 

Attach a fresh HJT log from normal mode.

 

here's my new hjt log.

 

Download Pocket KillBox

Now, Copy and Paste C:\WINDOWS\System32\reset5.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, reboot and let me know what problems remain.

 

It never came up in blue so it doesn't exist... Im not sure what to do now.

 

Just because it doesnt show in blue doesnt mean that its not there. Many of the new infections hide very good.

Procede with it anyway to make sure then come back and let me know if it still happens.

 

I've finished it, I have to wait now to see if those popups come up now. So I'll give it a little time. I'll post back asap.

 

Okay! If they come back let me know exactly what they say, what they do, where they are and any other information.

 

The yellow shield popped up again in the corner a baloon says:

"Your computer might be at risk

-Your virus protection is bad
-Spyware Activity Detected

Click this balloon to fix this problem."

it came up while I was playing World of Warcraft

 

now the Microsoft security one has popped up.
"WARNING: Windows Firewall detected suspiscious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data passwords.

Do you want to learn how to protect your computer?"
And a yes or no option.


It also popped up while playing World of Warcraft. These are the 2 popups I've been having problems with. They seem fake to me so I do not want to hit yes and have it infect my computer.

 

Reboot into Safe Mode, make sure you have the viewing of hidden files and folders enabled.

Navigate to the System32 directory, alphabatize the files. Manually look for any files starting with "reset" and ending with .exe or .dll

Delete any that are found and make a note.

 

I found a reset.exe and deleted it. Anything else I should do?

 

Download the Generic Detection Tool - NT/2000/XP

Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

The tool should generate a long text file. Attach this log as an attachment to your post.

 

here's the log you requested. Deleting the reset.exe was that one the bad files?

 

Does the shield look like this one?

http://www.theeldergeek.com/security_center.htm

 

no its Yellow. My attachment is a print screen of it. Also, when I get the other popup Ill post that picture as well.

 

and this is the other one.

 

Locate PocketKillbox
(Procede with this step even if they do not show in blue)

Now, Copy and Paste C:\WINDOWS\System32\param32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

• If you get an error message about Pending Operations, just reboot your computer manually.

After you complete the above, reboot and attach a fresh HJT log.

 

I did what you asked and here's the new log.

 

Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

After you complete the above, reboot and let me know what problems remain.

 

Still got the popups. Well it seems like after what I did stopped them for a little while but as soon as I open explorer and browse the internet a bit they come back.

 

You must follow all of the steps in this thread on How to Protect yourself from malware!

After you get a updated antivirus and firewall, reboot and attach a fresh HJT log.

 

well after a week or 2 of seeking out candidates I've found 3 culprites. Hclean32.exe is causing all these popups. a2 detected it and its diagnosis is Trojan.Win32.Qhost.qr. a2 also detects ntfsnlpa.exe and rdsndin.exe. Any way of removing this properly?

 

Yea I got them back... because as soon as I opened Internet Explorer... a2 detected them trying to run. Ill post a new ewido log in just a few min.

 

Yea I've done everything it says. Even with Mozilla as browser, I still get the warnings from A2 and avast!. Same 3 .exes, I cant find them in safe-mode and this is with hidden files and folders turned off. i'm at a complete loss. I've almost considered reformatting.

I'm going to run through all the steps in Spyware removal sticky thread one more time and see if it can figure this out.

 

here's my new Hijackthis log. Ill post print screens of what avast and a2 are finding on next reboot.

 

Here is the WinPFind log