Member Avatar for Near_Miss

I keep getting fake windows security messages and "your computer may be at risk" ballons (in the bottom right of windows - i guess that's what its called). I've searched the forums and tried the things others have.

I've run CWS newest version and hijack this. Also have run Norton 2005 with newest definitions etc. I still get these messages at seemingly random intervals.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:39 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\mIRC\mirc.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\hijackthis\HijackThis.exe

I've cleaned out most of what i didn't recognize or found in the sticky post that could be safely fixed.

Please let me know if there is any other relevant info needed.

Thanks.

  • 2 Contributors
  • 6 Replies
  • 116 Views
  • 17 Hours Discussion Span
  • Latest Post Latest Post by Near_Miss

Recommended Answers

All 6 Replies

Member Avatar for chrisbliss18

I'm going to guess that you recently upgraded to SP2. That's Window's new Security Center letting you know that it doesn't like how you do things. You can load up Security Center by double-clicking the shield in your system tray or by going to Control Panel\Security Center. You can get rid of the annoying alerts by clicking the link on the left side of the Security Center that says "Change the way Security Center alerts me".

Member Avatar for Near_Miss

no, updated a long time ago, clicking on the windows brings me to fake pages that are loaded with links to more spyware

Member Avatar for Near_Miss

Also, the change the way windows alerts me is in grey (can't click)

Hope this helps.

Member Avatar for chrisbliss18

Since you have some type of spyware infection, use the guide linked to in the bottom of my sig to run through a series of cleaners that can remove most types of malware off of your system. Let me know if this takes care of your problem.

Member Avatar for Near_Miss

Thanks chrissbliss18,

I had tried quite a few of those solutions. However, windows antispyware beta did the trick by identifying two dll files that the other programs skipped over. After deleting them in safe mode, the fake messages seem to have stopped. I doubt if my system is completely clean, but the malware or w/e isn't working now.

The specific files were sqlbnmi.dll and sqllgao.dll both in \\windows\system32

I did notice that this malware? uses hh.exe to display winprotect . net[removed] when you click on the "Your computer may be at risk" ballon or Windows Security Center. I don't know if its an original windows help program or part of the malware. Anyway I deleted hh.exe and ballon.wav from \\windows but they regenerated themselves everytime windows started and connected to the internet. Now that the two dll's have been removed this is no longer a problem. Maybe this is relevant to the moderator for his "fixes for specific infections" thread, I think this is a varaint of the Adware.ClickDloader or maybe not =)

Thanks again chris!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.