Fake System Alert: Please HELP!

Status
Not open for further replies.
For the past month I have been shown a balloon on my task bar that flashes from an "X" to a question mark. After googling it, I am pretty sure that it is a Trojan.FakeAlert. I am currently running ZoneAlarm and McAfee (with only antivirus and anti-hacker on McAfee). Every 5-10 mins an alert pops up saying:

SYSTEM ALERT!
System has detected a number of active spyware applications that may impact the performance of your computer.Click icon to get rid of unwanted spyware by downloading an up-to date spyware solution.

I have Spybot Search and Destroy and Ad-Aware 2007; after running both of them it still doesn't recognize that there's a problem. McAfee doesn't detect it and ZoneAlarm isn't detecting it either. What can I do to get rid of this problem, other than deleting everything on my hard drive?
 
Run msconfig and check the Startup tab for any suspicious entries. If you find something, you should remove it in Safe Mode or kill that application first. If you kill it, move the cursor over the icon in the taskbar. It should disappear if you killed the right one.
 
What sort of things would be under the Startup tab that would be considered suspicious, and what would be considered normal? There are a lot of programs that are like this:



HKLM\SOFTWARE\Microsoft\CurrentVer...
 
You should also run AVG Anti-Spyware. It's best to use 3 anti-spyware utils to clean your system.

Also, try running the anti-spyware utils in Safe Mode. Some crafty spyware use Windows security features to hide from being detected and removed. In Safe Mode these features are removed or relaxed allowing the anti-spyware to detect and remove the offending spyware.
 
cdang said:
What sort of things would be under the Startup tab that would be considered suspicious, and what would be considered normal? There are a lot of programs that are like this:



HKLM\SOFTWARE\Microsoft\CurrentVer...

The 1st column is the name, the 2nd the program, and the 3rd where it is added: in the registry (HKLM\...) or in the Startup folder.
Can you post the first 2 columns?
 
RunDll32 cmicnfg RunDll32 cmicnfg.cpl,CMICtrlWnd
NvCpl RUNDLL32.EXE C:\WINDOWS\System22\NvCpl.dll,NcStartup
nwiz nwiz.exe/install
NeroCheck C:\WINDOWS\System22\NeroCheck.exe
mcmnhdlr "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe"/checktask
mcvsshld C:\Program Files\McAfee.com\VSO\mcvsshld.exe
mcagent c:\PROGRA~1\mcafee.com\agent\mcagent.exe
mcupdate c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
zlclient "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
oasclnt C:\Program Files\Mcafee.com\VSO\oasclnt.exe
jusched "C:\Program Files\Java\jre1.5.0_11\bin\jushed.exe"
qttask "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper "F:\Documents and Settings\itunes\iTunesHelper.exe
(2 Spaces here but there is still a location for it)

Adobe Reader.. C:\PROGRA~11\Adobe\ACROBA~1.0\Reader\Reader~1.exe
Microsoft Office F:\PROGRA~1\MICROS~1\Office10\OSA.EXE -b -|
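
Added example (not part of the thread and not any poster's own code): a Python sketch that sorts Startup-tab entries in the Name / Command layout shown above into review buckets, based on the file each entry actually loads. The directory lists, bucket names and sample entries are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumptions: install roots of a default C: system, and user-writable folders.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")
# Quoted path, unquoted drive path (may contain spaces), or a bare first token.
PROGRAM_RE = re.compile(r'"([^"]+)"|([a-z]:\\.*?\.(?:exe|dll|cpl|bat|cmd|scr)\b)|(\S+)', re.I)

def split_command(command):
    """Split an autostart command line into (program, remaining arguments)."""
    command = command.strip()
    m = PROGRAM_RE.match(command)
    program = next(g for g in m.groups() if g)
    return program, command[m.end():].strip()

def loaded_file(command):
    """File the entry really loads: for rundll32 that is the DLL/CPL argument."""
    program, rest = split_command(command)
    if PureWindowsPath(program).stem.lower() == "rundll32" and rest:
        program = split_command(rest)[0].split(",")[0]
    return program

def bucket(command):
    """Sort an entry into a review bucket; a bucket is a priority, not a verdict."""
    path = loaded_file(command).lower()
    if any(part in path for part in USER_WRITABLE):
        return "user-writable"
    if "\\" not in path:
        return "no-path"          # resolved through the search path at logon
    return "expected" if path.startswith(EXPECTED_ROOTS) else "unexpected-root"

# Constructed sample in the Name / Command layout of the Startup tab.
SAMPLE = [
    ("NvCpl", r"RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"),
    ("zlclient", r'"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"'),
    ("mcvsshld", r"C:\Program Files\McAfee.com\VSO\mcvsshld.exe"),
    ("nwiz", "nwiz.exe /install"),
    ("syncagent", r"D:\Tools\sync\syncagent.exe"),
    ("updchk", r"C:\Documents and Settings\user\Local Settings\Temp\updchk.exe /s"),
]

def triage(entries):
    """Return (name, loaded file, bucket) for every entry outside 'expected'."""
    return [(n, loaded_file(c), bucket(c)) for n, c in entries if bucket(c) != "expected"]

if __name__ == "__main__":
    for name, path, why in triage(SAMPLE):
        print(f"{why:16} {name:10} {path}")
```

Entries that land in a bucket are the ones to look up first; a file in an expected directory can still be unwanted, so the scan logs requested in the thread remain the real check.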
 
I had this exact problem, I believe it's a trojan zblog.something something

The way I fixed it was to run Trend Micro anti-virus and Webroot Spysweeper, both got it on their first try.

I believe both of those are available at www.download.com for a 30 day trial (it should get rid of them after your first try)
 
Yea, I'll go through the steps, but I probably won't be able to get to it until this weekend though. I've been using my laptop lately, but I'll run through the steps on Sat and post then. Thanks!
 
The naughty program is probably not going to allow you to access those sites so you can download those programs. It would be easier to access the software with your laptop and save the files to a thumb drive and then save the programs to your infected computer.
 
I followed the instructions that you had asked me to do, Emde. When I got to the step that asked me to install the 3 different tools, after running the first tool the fake alert went away, so after that I just decided to let it be, since it wasn't bothering me anymore. Thanks for your help, and if something else pops up I'll post it again.
 
Hello and welcome to TechSpot.

CaptPajamaShark said:
I had this exact problem, I believe it's a trojan zblog.something something

Did you mean Zlob? That's been known to cause problems like this.

cdang, your system may still be infected, so I do recommend reading the link that Emde gave, following the instructions, and posting HJT, ComboFix, and AVG Anti-Spyware logs here.

Regards :)
 