
Trojan can't remove and multiplying


Name: Helpmeplease
Date: April 4, 2007 at 04:45:58 Pacific
OS: Windows XP
CPU/Ram: 1gb
Product: e-machines
Comment:

Firstly I'm not really a techie so I might be confused with what you tell me to do, so please be patient with me.

My husband downloaded a free spyware detector and now we have a trojan (Win32.Lineage518) on our system; this can't be deleted, moved to chest, repaired or anything. In fact every time we do a scan it duplicates the infected file: the first time it said we had 1 and today there are 4 logged in the scan report. Added to this we are running a resident scanner, so that should of course pick it up and stop it before it gets on the system, but it hasn't. If it helps I can tell you that its position keeps changing; at first it said it was within downloaded installations, now it states it's within System Volume Information. The entire file reads thus:

C:\System Volume Information\...\sunthreatfilename.sdb1

This same information has now been picked up 4 separate times in the most recent scan.

My husband has informed me that he attempted to delete the files and folders within the downloaded installations folder, where we originally had the virus found, so we're wondering whether this is a backup.

Any help you could offer would be greatly appreciated!!!

Many thanks

HelpmePlease


I'm going to kill my husband for downloading the program that caused this mess, dum dee dum dee dum




Response Number 1
Name: Jennifer SUMN
Date: April 4, 2007 at 05:59:22 Pacific
Reply:

I'd first disable System Restore, then boot into Safe Mode. Then, run the scan.

Life is more painless for those who are brainless.



Response Number 2
Name: jabuck
Date: April 4, 2007 at 15:27:22 Pacific
Reply:

Please run the following three scans and post the results.

Post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.

!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.




Response Number 3
Name: djones
Date: April 6, 2007 at 08:57:40 Pacific
Reply:

here's my logfile generated by hijackthis


Logfile of HijackThis v1.99.1
Scan saved at 11:51:56 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\tmasea\tmasca.exe
C:\WINDOWS\system32\aspi67184.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Paul Bunyan\pbserver.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\tmasea\tmasea.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fdicin/fdicin2/
O1 - Hosts: 199.186.98.190 files.pscufs.com
O1 - Hosts: 199.186.97.190 files.pscufs.com
O2 - BHO: (no name) - {01be0765-032f-4c37-a95f-7c655502f942} - C:\WINDOWS\system32\dpwack.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp3B.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec AntiVirus] C:\WINDOWS\TEMP\15C.tmp
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\system32\clcl3.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\efdabb.dll",setvm
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\netfilter.dll
O14 - IERESET.INF: START_PAGE_URL=http://fdicin/fdicin2/
O15 - Trusted Zone: http://*.3284xpweb1 (HKLM)
O15 - Trusted Zone: http://*.dc01 (HKLM)
O15 - Trusted Zone: http://*.fdicin (HKLM)
O15 - Trusted Zone: http://*.fdicin2 (HKLM)
O15 - Trusted Zone: http://*.imageserv (HKLM)
O15 - Trusted Zone: http://*.xpweb (HKLM)
O15 - Trusted IP range: http://192.168.0.202 (HKLM)
O15 - Trusted IP range: http://192.168.0.203 (HKLM)
O16 - DPF: {7EC816D4-6FC3-4C58-A7DA-A770EE461602} (PowerTerm Downloader Class) - http://appserv01/webconnect5.5/wind...
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lynxgate.webex.com/client/v_mywebex-wbs-mciprodcn/training/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fdicfcu.org
O17 - HKLM\Software\..\Telephony: DomainName = fdicfcu.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC3E43FB-4EEC-42D4-BC45-A7A60E5E08B1}: NameServer = 192.168.0.43,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fdicfcu.org
O20 - AppInit_DLLs:
O23 - Service: Antispyware Client Agent - Trend Micro, Inc. - C:\Program Files\Trend Micro\tmasea\tmasca.exe
O23 - Service: Antispyware Engine Agent - Trend Micro, Inc. - C:\Program Files\Trend Micro\tmasea\tmasea.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi67184.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Paul Bunyan - Levon's Wake - C:\Program Files\Paul Bunyan\pbserver.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Please tell me how to rid my PC of these viruses. I have tried everything, and currently my job uses Symantec Anti-Virus and I feel like we are wasting our money because it isn't picking up everything, nor is it able to clean everything.

Dominic Adair-Jones
IT Specialist
FDIC Federal Credit Union
www.fdicfcu.org



Response Number 4
Name: jabuck
Date: April 6, 2007 at 12:16:50 Pacific
Reply:

Still need the results (logs) from the SmitfraudFix scan and the ComboFix scan requested in response #2.




Response Number 5
Name: jabuck
Date: April 6, 2007 at 12:41:00 Pacific
Reply:

Download LSPfix from the following link to your desktop and unzip it LSPfix.exe

Run LSPfix and place a check against the "I know what I am doing" checkbox.

Highlight every instance of the following names and move them from the "Keep" to the "Remove" panel. Be sure to move nothing other than the files listed below!

netfilter.dll

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Next, Please download SDFix by AndyManchesta and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.


Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt and a new Hijack This log.





Response Number 6
Name: nickleburn
Date: April 12, 2007 at 20:03:16 Pacific
Reply:

After doing some searches after using Process Explorer by Microsoft Sysinternals (yes, they bought them just like everything else), the two files below were causing the massive spyware pop-ups for me. They tried to be tricky and named it svehost.exe so it looks like the real process svchost.exe.

C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl3.exe

Also, unfortunately, no spyware removal software I have used finds these; in fact there were only 93 Google hits for clcl3.exe, so it may be somewhat randomized. You may need something like what I had to use to remove them (GiPo@MoveOnBoot, which waits till the next restart to delete the files); otherwise you will always receive an error message.



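A triage script for the kind of HijackThis log posted in response 3 and the svehost.exe/svchost.exe look-alike pointed out in response 6. This is an added example, not code from the thread or from HijackThis; the allow-list of system binaries is an assumed minimal set, and the sample lines are copied from the posted log.

```python
"""Heuristic triage of HijackThis (HJT) log lines.
Added example, not part of the thread or of HijackThis: flags look-alike
process names (svehost.exe vs svchost.exe), autoruns launched from TEMP,
entries whose target file is missing, and unknown Winsock LSP DLLs."""
import re
# Minimal allow-list of legitimate Windows XP system binaries (assumed set).
KNOWN_SYSTEM = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "spoolsv.exe", "ctfmon.exe", "explorer.exe"}

# Sample input: lines copied from the log posted in response 3.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svehost.exe
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp3B.tmp.dll (file missing)
O4 - HKLM\..\Run: [Symantec AntiVirus] C:\WINDOWS\TEMP\15C.tmp
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\netfilter.dll
"""

def edit_distance(a, b):
    """Levenshtein distance; one edit away from a system name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    """Return the real binary `name` imitates, or None if known or unrelated."""
    n = name.lower()
    if n in KNOWN_SYSTEM:
        return None
    return next((real for real in KNOWN_SYSTEM if edit_distance(n, real) == 1), None)

def triage(lines):
    """Return (reason, line) pairs for every line that trips a heuristic."""
    findings = []
    for line in (ln.strip() for ln in lines if ln.strip()):
        exe = re.search(r"[\w\-]+\.exe", line, re.I)
        if exe and (real := lookalike(exe.group(0))):
            findings.append((f"look-alike of {real}", line))
        if line.startswith("O4") and re.search(r"\\temp\\", line, re.I):
            findings.append(("autorun from TEMP", line))
        if line.startswith("O10") and "Unknown" in line:
            findings.append(("unknown Winsock LSP", line))
        if "(file missing)" in line:
            findings.append(("target file missing", line))
    return findings
```

Running `triage(SAMPLE_LOG.splitlines())` flags five of the six sample lines and leaves the legitimate ctfmon.exe autorun alone; the heuristics are a starting point for review, not a verdict.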