Virus/spyware Problems
Hello,
I've got a problem I would like to see if you guys can help me with. I purchased BitDefender Internet Security v10 recently and it seems to have allowed a virus and some spyware into my PC.

First problem: I keep getting a Windows security alert all the time saying: "Warning! Potential spyware operation! Your computer is making copies of your system and internet files. Run full scan now to prevent any unauthorised access to your files. Click YES to download spyware remover..."

Second problem: I can't get into my Add/Remove Programs because I get a message saying "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

When I ran a scan with BitDefender it showed that I had these in my PC: Win32.worm.agent.pyd, generic.xpl.adodb.sbdf6d75, and Exploit.win32.ms05-002.gen (BitDefender said it could not disinfect, but later I noticed they were in the quarantine section and I just deleted them from that section a minute ago, BUT I still keep having the problems above...)

Does anybody know what the problem could be and how I can get my PC running back to normal? Thank you, any help would be highly appreciated.
Comments
Hello,
From what you describe, you have an adware/spyware case. The warnings that you get are false and they just want to trick you into downloading and probably buying software that you don't need.
Disinfection of files is only possible when a legitimate file has been infected by the virus - in that case the virus body can be removed, leaving the legitimate file safe and intact. When the file that is detected is the virus body itself, it's not possible (nor necessary) to disinfect, just to quarantine/delete the virus (or spyware). However, it's often the case that after you get infected with spyware or other malware, it keeps re-downloading and reinstalling itself after you scan and delete it.

There are different anti-spyware scanners with varying success against different kinds of spyware, but I suggest two particular tools. First download and install SpywareBlaster here: http://filehippo.com/download_spywareblaster/ , update and enable all protection. It's not a scanner but will prevent future infections. Then download HijackThis here: http://filehippo.com/download_hijackthis/ . Install and click "Do a system scan and save a logfile". Copy the contents of the logfile and post them here, but don't try to fix anything unless you know exactly what you're doing. The logfile will be analyzed and you'll be given the information about which objects from the log to have fixed. This will disable the malware, will prevent it from loading when Windows starts and will stop it from downloading itself again. Then you can run a scan with BitDefender to remove what's left.
Thank you bluesprite,
I ran a scan with HijackThis and when the scan started I immediately received the following message: "For some reason your system denied write access to the hosts file. If any hijacked domains are in this field, HijackThis may NOT be able to fix this. If it happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad c:\windows\system32\drivers\etc\hosts and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes) and reboot." When I started the scan I almost immediately got a virus alert from BitDefender about virus generic.qhost.60feao5a. Here is a copy of the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:37 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Broderbund System Guard\TS\MyPrivacy\mpsvc.exe
C:\Program Files\Allume Systems\Internet Cleanup 5.0\SpamCatcher\spamcatcher.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Allume Systems\Internet Cleanup 5.0\SpamCatcher\sc_daemon.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Allume Systems\Internet Cleanup 5.0\FileSystemGuard\MSFG.exe
C:\Program Files\Allume Systems\Internet Cleanup 5.0\FileSystemGuard\WinFSG.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Allume Systems\Internet Cleanup 5.0\ICTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Allume Systems\Internet Cleanup 5.0\ICSpyware\Onistask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
c:\program files\anonymizer\anonymizer software\common\AnonProxy.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O3 - Toolbar: Quick Fill ToolBar - {7BE2E2E3-4B8A-4fe4-BE98-95FA313FDD19} - C:\Program Files\Allume Systems\Internet Cleanup 5.0\QuickFill\IEBHO.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSFG.exe] C:\Program Files\Allume Systems\Internet Cleanup 5.0\FileSystemGuard\MSFG.exe
O4 - HKLM\..\Run: [1769769481]\AutoPlay\Broderbund System Guard\RD_10312005_GM.exe /r "D:\AutoPlay\Broderbund System Guard\RD_10312005_GM.rpd"
O4 - HKLM\..\Run: [TotalSecurityUpdate] "C:\Program Files\Broderbund System Guard\TS\TSAtUdt.exe"
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iCTray] C:\Program Files\Allume Systems\Internet Cleanup 5.0\ICTray.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: IS Task Manager.lnk = C:\Program Files\Allume Systems\Internet Cleanup 5.0\ICSpyware\Onistask.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Popup Slasher - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Broderbund System Guard\TS\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Slasher - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\Broderbund System Guard\TS\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Quick Fill - {55F0FC28-443B-4d2d-AF32-C6DD3563E446} - C:\Program Files\Allume Systems\Internet Cleanup 5.0\QuickFill\QFill.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Omniquad MyPrivacy - Unknown owner - C:\Program Files\Broderbund System Guard\TS\MyPrivacy\mpsvc.exe
O23 - Service: SpamCatcherUniversal - Unknown owner - C:\Program Files\Allume Systems\Internet Cleanup 5.0\SpamCatcher\spamcatcher.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
--
End of file - 7978 bytes
Hi There,
I have had BitDefender for about six months. I have had almost no problems to report until today. I found a similar worm on my computer along with a trojan and another virus. The trojan and the other virus were moved successfully to my recycling bin, but the worm, Win32.Worm.Agent.PYD, could not be quarantined or moved and I am getting a similar Windows alert to run a spyware program. Also, when I try to open my Control Panel I am getting a message saying the operation was cancelled and that I should contact the system administrator. I have already sent a log file to tech support via my email address. Please help me to resolve this problem.
Hello again.
I reviewed your logfile and there are several things that shouldn't be there. Run HijackThis, but this time click on 'Do a system scan only'. Find and tick the following entries:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
Now click the 'Fix checked' button.
These entries refer to malware that currently infects your computer. Additionally, you have some leftovers from a previous Symantec security product which you should purge as well. For that purpose, download the official Norton Removal Tool here: ftp://ftp.symantec.com/public/english_us_...emoval_Tool.exe
Save the file to your desktop and run it after you have fixed the listed entries and rebooted your computer. You may have to reboot again after that.
Your Hosts file may be locked by some of your other security programs like Internet Cleanup 5.0 or Broderbund System Guard. If that is the case, it's locked for the purpose of securing it against modifications by malware. By the way, you may want to upgrade your BitDefender product to the current version. Your old license key will work with the new version but I'm not sure if Internet Security 10 upgrades to Total Security 2008 or to Internet Security 2008, maybe some of the mods will be able to give information. Anyway, update your BitDefender's definitions and run a deep system scan, make sure it's set to scan for spyware too.
If additional assistance is required, post back, and good luck.
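The reply above picks its entries out of the log by a few repeatable rules: the F2 Shell= value must be exactly Explorer.exe, an autostart item that is only a bare file name (system.exe, autorun.exe) has no business in a Startup folder, user-land autostarts (O2 BHOs, O4 Run keys) loading unfamiliar files from the Windows system directory deserve a look, and an O7 policy entry is what produces the "cancelled due to restrictions" errors the poster describes. As an added example that is not part of this thread and not a HijackThis or BitDefender tool, here is a small Python script that applies exactly those rules to a log and prints a shortlist for a human to review. The sample input is a constructed subset of the log posted above; the `vetted` list (file names an analyst has already checked, here the Intel graphics tray entries) and the heuristics themselves are assumptions of the example, and a shortlisted entry is a candidate to look up, not a verdict.

```python
"""Shortlist HijackThis log entries worth a closer look.

Added example, not from the forum thread. The rules encode the reasoning in
the reply above and nothing more; the output is a review list, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in the thread, including
# several benign ones, so the script runs offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
"""

ENTRY_RE = re.compile(r"^([FORN]\d+) - (.*)$")
# First thing on the line that looks like a program file, quoted or not.
TARGET_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|cpl|scr|com))', re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\", "\\winnt\\system32\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def extract_target(section, body):
    """Return the file an O2/O4 entry loads (full path or bare name), or None."""
    if section == "O2":
        body = body.rsplit(" - ", 1)[-1]          # "BHO: name - {CLSID} - path"
    elif section == "O4":
        if "] " in body:                          # "HKLM\..\Run: [name] target args"
            body = body.split("] ", 1)[1]
        else:                                     # "Startup: file" or "Startup: x.lnk = target"
            body = body.split(": ", 1)[1]
            if " = " in body:
                body = body.split(" = ", 1)[1]
    m = TARGET_RE.search(body.strip())
    return m.group(1).strip() if m else None


def check_shell(body):
    """F2 rule: the Shell= value must be exactly Explorer.exe, nothing appended."""
    if "Shell=" not in body:
        return None
    value = body.split("Shell=", 1)[1].strip()
    if value.lower() != "explorer.exe":
        return f"Shell= should be exactly Explorer.exe; extra program starts with the shell: {value}"
    return None


def triage(log_text, vetted=frozenset()):
    """Apply the rules to every recognised entry; return the review shortlist in log order."""
    vetted = {v.lower() for v in vetted}          # file names an analyst has already checked
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                              # header, process list, footer
        section, body = m.groups()
        reason = None
        if section == "F2":
            reason = check_shell(body)
        elif section == "O7":
            reason = "policy restriction in effect; this is what produces 'cancelled due to restrictions' errors"
        elif section in ("O2", "O4"):
            target = extract_target(section, body)
            if target is None:
                continue                          # e.g. a shortcut HijackThis shows as "?"
            name = target.rsplit("\\", 1)[-1].lower()
            if "\\" not in target:
                reason = f"autostart item with no path, only a file name: {target}"
            elif any(d in target.lower() for d in SYSTEM_DIRS) and name not in vetted:
                reason = f"user-land autostart loaded from the Windows system directory, not yet vetted: {name}"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, vetted={"igfxtray.exe", "hkcmd.exe"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run without a `vetted` list and the Intel tray entry is shortlisted too; that is the intended behaviour, since the system-directory rule is only a prompt to look a file up, and the analyst's vetted list is how known-good items are taken off the list on later runs. Entries the rules do not cover (O10 LSPs, O23 services) are left to manual review exactly as in the thread.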