0

I keep getting fake windows security messages and "your computer may be at risk" ballons (in the bottom right of windows - i guess that's what its called). I've searched the forums and tried the things others have.

I've run CWS newest version and hijack this. Also have run Norton 2005 with newest definitions etc. I still get these messages at seemingly random intervals.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:39 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\mIRC\mirc.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\hijackthis\HijackThis.exe

I've cleaned out most of what i didn't recognize or found in the sticky post that could be safely fixed.

Please let me know if there is any other relevant info needed.

Thanks.

2
Contributors
6
Replies
7
Views
12 Years
Discussion Span
Last Post by Near_Miss
0

I'm going to guess that you recently upgraded to SP2. That's Window's new Security Center letting you know that it doesn't like how you do things. You can load up Security Center by double-clicking the shield in your system tray or by going to Control Panel\Security Center. You can get rid of the annoying alerts by clicking the link on the left side of the Security Center that says "Change the way Security Center alerts me".

0

no, updated a long time ago, clicking on the windows brings me to fake pages that are loaded with links to more spyware

0

Also, the change the way windows alerts me is in grey (can't click)

Hope this helps.

0

Since you have some type of spyware infection, use the guide linked to in the bottom of my sig to run through a series of cleaners that can remove most types of malware off of your system. Let me know if this takes care of your problem.

0

Thanks chrissbliss18,

I had tried quite a few of those solutions. However, windows antispyware beta did the trick by identifying two dll files that the other programs skipped over. After deleting them in safe mode, the fake messages seem to have stopped. I doubt if my system is completely clean, but the malware or w/e isn't working now.

The specific files were sqlbnmi.dll and sqllgao.dll both in \\windows\system32

I did notice that this malware? uses hh.exe to display winprotect . net[removed] when you click on the "Your computer may be at risk" ballon or Windows Security Center. I don't know if its an original windows help program or part of the malware. Anyway I deleted hh.exe and ballon.wav from \\windows but they regenerated themselves everytime windows started and connected to the internet. Now that the two dll's have been removed this is no longer a problem. Maybe this is relevant to the moderator for his "fixes for specific infections" thread, I think this is a varaint of the Adware.ClickDloader or maybe not =)

Thanks again chris!

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.