Pop-up Only: "Your computer has been infected..."

By lvgirle
Jan 27, 2006
  1. Pop-up Only: "Your computer is infected..."

    So, I recently got some kind of a virus on my computer.

    A pop-up came up in my right-hand corner toolbar saying, "Your computer is infected. Windows has detected a spyware infection..." It also changed my desktop background saying my computer was infected. I read somewhere on this site how to delete it. I followed the instructions and it SEEMED like it was gone. No more "Your computer is infected" and I was able to change my desktop background. I never had problems with a spyware site popping up or it asking me to download something.

    So I continued about my day, then later tonight I came to find out the pop-up message with a red circle with a white X inside it came back, but the change in my desktop did not.

    Other people have had similar problems and their homepage was affected and it directed you to another site asking you to download spyware and other things, but my only problem is this toolbar pop-up message. How can I get rid of it?
    I've run scans and downloaded all these various things people suggested, searched for Spyaxe on my computer, searched for the files other people had problems with, but NOTHING. H E L P !
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  3. kaymastah

    kaymastah TS Rookie Posts: 43

    Well... I would suggest reading up on how to secure Winbloze a bit more, then reinstalling to start fresh and clean.

    A few tips:
    - create a limited user account from which you will do whatever you use your computer for, and an administrator account for installing software and making system-wide changes; trust me that it will make a significant impact on how much spyware you get (much less, naturally)
    - partition your drive so that you have one partition for the system and programs and another for your own importants and imponderabilia :) that has several advantages.
    - once you have a clean install, maybe you can get a sys admin friend to create a disk image for you, then in case things go far south, you'll be able to roll the clean back up real fast; not to mention that you'll gain a useful skill; your sys admin friend might have access to Norton Ghost...
    - do not use Internet Explorer and especially with administrative rights unless you really have to (windows update); try Firefox or Opera.

    Other than those, I like to use Spyware and AdAware. This is a powerful antispyware combo.

    Learn and prosper and Good Luck :)
  4. lvgirle

    lvgirle TS Rookie Topic Starter

    Thanks for the info! Greatly appreciated.

    So I did the scan and these are my results..

    Suspect Files: 10
    Spyware Registry Entries: 84
    Identified Spyware: 10
    Spyware Registry Entries

    I'm actually on my way out the door, so I'm unable to finish the "How to remove trojan's and it's ick" process. But are the files or programs listed below the dotted line, what I need to get rid of?
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes they are the nasties.

    However, there may be other things lurking on your computer. So, when you've finished following the instructions, please post a HJT log.

    Regards Howard :)
  6. lvgirle

    lvgirle TS Rookie Topic Starter

    i THINK it worked.

    Here's a copy of my log from ewido anti-malware - Scan report. I'm not sure if that's the same as a HJT log. My computer runs Norton AntiVirus every Friday; it's currently running and found 4 detected "threats". Does that mean I'm not in the clear?

    I no longer have the "Your computer is infected" popup and instead of IE I'm using Firefox.

    It finished running and it deleted 1 threat and 3 other files with Adware in their name remain. I couldn't figure out how to delete all of them...

    Attached Files:

  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's good that your popup has gone. However, I'd still like you to post a HJT log.

    Regards Howard :)
  8. lvgirle

    lvgirle TS Rookie Topic Starter

    Here's my HJT log.

    Today I ran Ewido Antimalware, and it found 74 infected objects. Does this mean that I did not get rid of my virus?

    EDIT: Sorry, here it is.

    Attached Files:

  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can't see no HJT log!!

    Regards Howard :)
  10. lvgirle

    lvgirle TS Rookie Topic Starter

    I updated my post to include my HJT log, thanks!!
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is heavily infected with lots of crap.

    I will post instructions for you shortly.

    Regards Howard :)
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE

    Turn off system restore.(XP/ME only) See how HERE

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE

    Go to add/remove programmes in your control panel, and uninstall anything to do with (if there)

    C:\Program Files\AIM Toolbar
    C:\Program Files\AWS\WeatherBug

    Close control panel.

    Open your task manager by pressing the ctrl/alt/delete keys together.

    Click on the processes tab, and end process for (if there).


    Close task manager.

    Run HJT with no other programmes open, and let HJT fix the following, by putting a tick in the little box next to (if there)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhfc.dll
    O2 - BHO: (no name) - {06607083-B922-44B3-AA28-E1383BB88C78} - C:\WINDOWS\system32\kestxkrk.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ddccb.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) -
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) -
    O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) -
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
    O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -

    O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
    O20 - Winlogon Notify: jkhfc - C:\WINDOWS\SYSTEM32\jkhfc.dll

    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)

    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)

    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)

    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)

    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

    Click on the fix checked button.

    Close HJT.

    Click start/run, and type services.msc into the run box, and press the enter key.

    When the window appears, maximise it. Locate the above O23 services, and double click on them. If they are running, select stop. Set the startup type to disabled. When done, click apply/OK.

    Delete the following bold files (if there)

    C:\Program Files\Common Files\WinTools\WToolsS.exe
    C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Common Files\WinTools\WToolsS.exe

    Reboot into normal mode, and turn system restore back on.

    Regards Howard :)
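As an added example (not code from the thread, from HijackThis or from any poster), a small Python parser that reads HJT log lines like the ones Howard lists above, extracts the file path behind each O2/O4/O9/O20/O23 entry, flags the signs he acts on (unnamed BHOs, "(file missing)" entries, services with an unknown owner), and reports any file registered in more than one load point, which is the O2 + O20 pattern (ddccb.dll, jkhfc.dll) in this log. The sample log is a constructed subset of the entries quoted in the thread.

```python
import re
from typing import Dict, List

# Every HJT line is "<section> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Drive-letter path up to the first .dll/.exe; spaces allowed ("Program Files").
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)

def parse_hjt(text: str) -> List[dict]:
    """Parse raw HJT log text into {section, body, path, flags} dicts, attaching
    the triage flags used above: unnamed BHO, file missing, unknown service owner."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, attachment notes
        sec, body = m.group("sec"), m.group("body")
        path = PATH_RE.search(body)
        flags = []
        if sec == "O2" and body.startswith("BHO: (no name)"):
            flags.append("unnamed BHO")
        if "(file missing)" in body:
            flags.append("file missing")
        if sec == "O23" and "Unknown owner" in body:
            flags.append("unknown service owner")
        entries.append({"section": sec, "body": body,
                        "path": path.group(0) if path else None, "flags": flags})
    return entries

def shared_files(entries: List[dict]) -> Dict[str, List[str]]:
    """Basename -> sections, for files loaded from more than one load point
    (here the same DLL as both an O2 BHO and an O20 Winlogon Notify handler)."""
    seen: Dict[str, set] = {}
    for e in entries:
        if e["path"]:
            name = e["path"].rsplit("\\", 1)[-1].lower()
            seen.setdefault(name, set()).add(e["section"])
    return {name: sorted(secs) for name, secs in seen.items() if len(secs) > 1}

# Constructed sample: a subset of the entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ddccb.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\SYSTEM32\jkhfc.dll
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""
```

Running `shared_files(parse_hjt(SAMPLE_LOG))` returns the two DLLs that appear as both an O2 BHO and an O20 Winlogon Notify handler.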
  13. lvgirle

    lvgirle TS Rookie Topic Starter

    I think I'm doing okay, until I come to this part. I find these files in search mode, then attempt to delete, and the 1st file says that "It cannot delete because it is being used by another program". Or something along those lines. How should I go about deleting these?
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you stop the O23 service?

    If the services are still running, then you won't be able to delete them.

    P.S. If you still can't delete the bold files, download the Pocket Killbox programme from HERE

    Regards Howard :)
  15. lvgirle

    lvgirle TS Rookie Topic Starter

    For WToolsA.exe I went into services.msc via the run box and set it to disabled, when it previously said automatic. Then I went into control-alt-delete and tried to delete WToolsA.exe; it just comes back moments after ending the process. I went back to services.msc and it is on automatic again.

    What should I do now? DL the Killbox?
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes download the killbox programme, and try that.

    Regards Howard :)
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  18. Robert Shea

    Robert Shea TS Rookie

    Whoever suggested finding and deleting "winstall.exe" is great. It got rid of the nuisance screen and the little red cross on my status bar. Also my desktop now accepts photos as wallpaper which it stopped doing when the pop-ups arrived.

  19. Rage_3K_Moiz

    Rage_3K_Moiz Sith Lord Posts: 5,431   +28

    And if I may, use another antivirus program instead of Norton. Use something like NOD32 or Panda or even AVG. Norton is pretty weak and hogs system resources. In addition, it may be helpful to install Ad-Aware and Spyware Doctor (try getting Ad-Aware Pro if you can. The Ad-Watch feature is the best real-time anti-spyware/adware protection I've seen. You have to pay for it though, but otherwise, Ad-Aware Personal is also good but you'll have to periodically scan and remove any adware/spyware.)

  20. ROBOTRON

    ROBOTRON TS Rookie

    I have this. Is there an easier way of removing this without buying the tool or manually screwing around with registry keys?

    An "***** proof" way in other words.
  21. Spike

    Spike TS Evangelist Posts: 2,168

    Possibly not I'm afraid, though I will admit that I haven't read the whole thread.

    Deleting those two reg keys isn't hard, nor is it time consuming.

    However, if you would like to follow the instructions in the sticky at the top of the forum we can deal with that later, as you may have secondary infections that need to be removed.

    I must confess though, scanning the thread, I don't see any tool that needs to be bought.

  22. ROBOTRON

    ROBOTRON TS Rookie

    Solved it, thanks.
  23. Spike

    Spike TS Evangelist Posts: 2,168

    Glad to hear it :)
Topic Status:
Not open for further replies.
