 madbluePremium join:2003-04-19 Malaysia | y windows show "Your Computer is infected" I noticed my computer was attacked by spyware; as far as I know, it's mssearchnet.exe. I used safe mode to delete it, and after that the task manager no longer showed mssearchnet.exe running. Then I used the latest Spybot to scan my computer, and it did fix some problems.
After that, I scanned 2-3 times using Spybot; it does not detect any more spyware, but Windows keeps on showing this message  -- ŵ¦пđ |
|
 BuddelIf it ain't broke, don't fix it.Premium join:2004-03-06 EU kudos:3 | I think it cannot be wrong to follow these steps: »Security »I think my computer is infected or hijacked. What should I do? |
|
 John2gQui Tacet ConsentitPremium join:2001-08-10 England | reply to madblue Read this.
»securityresponse.symantec.com/av···b.d.html -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
 madbluePremium join:2003-04-19 Malaysia | I deleted the registry - kernel32.dll but Windows is still showing "Your computer is infected" at the bottom right of the task bar -- ŵ¦пđ |
|
 1 edit | That's a sign of a spyware parasite in the family called Smitfraud.
First, you need to go to Panda ActiveScan and do a full system scan to make sure none of your Windows system files are infected, which is common with this variant. Let Panda disinfect or delete any infected files found, as recommended. »www.pandasoftware.com/activescan···an_6.asp Save the report at the end and copy the results back here.
To repair the desktop:
Download this free tool called smitRem from here:
(copy this line and paste into your browser address bar) noahdfear.geekstogo.com/click%20counter/click.php?id=1
and save the file to your desktop. Double click on the file smitrem.exe to extract it to its own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with the Panda Scan log -- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 redxiiPremium,Mod join:2001-02-26 Battle Creek, MI | reply to madblue »Security »I think my computer is infected or hijacked. What should I do?
That information might help. Deleting the entry isn't enough, you have to restart the computer. -- Microsoft Windows 2000/XP Security: Some Assembly Required. |
|
 madbluePremium join:2003-04-19 Malaysia | reply to madblue smitRem log file version 2.7
by noahdfear
Microsoft Windows XP [Version 5.1.2600] The current date is: 11/09/2005 Wed The current time is: 2:06:00.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Center.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
logfiles
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!  -- ŵ¦пđ |
|
 | You also need to do the Panda scan (full system scan) and copy the report as there may be more files it may find. |
|
 madbluePremium join:2003-04-19 Malaysia 1 edit | reply to madblue
I failed to do the scan; it shows this error |
|
 | See if this one will work: »housecall.antivirus.com
Please make note of any infected files found and write down their name, location (full path) and what malware it was called (if any are found) |
|
 madbluePremium join:2003-04-19 Malaysia | reply to madblue I'm trying the scan now.
BTW, this is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:26:01 AM, on 11/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »acs.pandasoftware.com/activescan···inst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- ŵ¦пđ |
|
 | Ok, we don't really need that right now. I do need to know the results of the Trend-Micro Housecall scan 
Also if the popup is gone from your desktop? |
|
 madbluePremium join:2003-04-19 Malaysia | reply to madblue The Trend-Micro scan is working right now; I should get the result in a few minutes.
The fake notification about "Your computer is infected!" is still there  -- ŵ¦пđ |
|
 | Ok, we'll try to resolve the desktop problem when the scan is finished. It's important we make sure your PC is clean first  |
|
 madbluePremium join:2003-04-19 Malaysia | reply to madblue
here is the result  -- ŵ¦пđ |
|
 | Ok, that's really a good report. All it found was some cookies. So no system files infected anyway.
I think you need to go back to these instructions and run some of the other antispyware scanners to see if they can find what's causing that popup. And do include Ewido in those scans »Security »I think my computer is infected or hijacked. What should I do? -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 adamt56 join:2005-06-21 Saint Petersburg, FL | reply to madblue For good measure, could you do a scan for rootkits/hidden processes?
RootKitRevealer
»www.sysinternals.com/Files/Rootk···aler.zip
F-Secure BlackLight
»www.f-secure.com/blacklight/try.shtml
And let us know if you find anything. |
|
 NyQuil Kid8f The Nyquil Kid join:2001-01-06 Brick, NJ 2 edits | reply to madblue The popup looks like it is using the Windows Update Globe - MSFT just released the latest iteration of its Malicious Software Removal Tool, updated on 2005.11.08:
»www.microsoft.com/security/malwa···ult.mspx
Could that message actually be coming from this legit tool? Do you have your WinXP auto updating?
[8F] The NyQuil Kid -- [8F] The NyQuil Kid comes into town not looking for trouble... n00bz gang up, but he ain't seein' double,... pulls and draws, his deagles two... n00bz litter the ground you know it's true. |
|
 | said by NyQuil Kid:Could that message actually be coming from this legit tool? Do you have your WinXP auto updating? No it could not. Windows doesn't display that message and it is quite well known to be a symptom for one of the Smitfraud variants like SpySheriff or PC Guard and a host of others. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 adamt56 join:2005-06-21 Saint Petersburg, FL | reply to madblue Madblue . . . Does clicking on the Windows update globe take you to a website?
spyaxe.com by chance? |
|