TechSpot

Spyware popups "Security System..."

By six4au
Mar 28, 2008
  1. Well I guess I have downloaded some spyware and can't seem to get rid of it. I am getting the red popup with the title "Security System Warning" and listing of the infected file C:\windows\wml.exe. I am also getting the blue popup titled "Security System, Protection Control Panel" listing possible spyware threat "TrojanDownloader.XS". I'm looking for help in getting rid of these popups and any other possible spyware or malware I may have downloaded.

    Thanks in advance for any help anyone can give me,

    six4au
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. kritius

    kritius TS Guru Posts: 2,084

    Here's a quick guide for Malwarebytes

    : Malwarebytes' Anti-Malware :

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log to your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    PTARMANDO stop posting here.

    You need to make a NEW thread just for you here http://www.techspot.com/vb/menu28.html

    Also do NOT reply to yourself anymore, any member attached to this post (or any post) you multiple reply on, will get MULTIPLE emails. It is VERY annoying.
    So stop it, and go and make your own thread !
     
  5. frannip

    frannip TS Rookie Posts: 18

    me too

    I have the IDENTICAL problem. I have a current thread that is a little further along in a resolve than yours. I have tried many things and I've been instructed to do many things and nothing has worked in regards to this specific issue thus far.

    I have yet to try the most recent suggestion (AVG anti-spyware). You can follow along that thread too.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    frannip your thread is waiting for a reply from you, here http://www.techspot.com/vb/showthread.php?p=597630#post597630

    Your issues, PTARMANDO's issues and the issues of the original poster, six4au, are NOT the same. Although the fault may be, each user will have a totally different HJT log. Therefore they need individual instructions.

    If they were the exact same, a tutorial would be made, and we would say look here, and reply back later !
     
  7. frannip

    frannip TS Rookie Posts: 18

    reword my post

    I will reword my post .... I have the identical POP-UPS that I cannot get rid of, possibly stemming from the same spyware/malware/virus infection.

    Sorry for the confusion. Obviously every machine is unique but the infections can be the same and result in the same or similar problem. That is what I meant.

    I also made reference that "I have yet to try the most recent suggestion ...." which clearly shows that I have yet to reply to the latest suggestion.

    No need to get annoyed. We're all here to help each other if we can.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'm calm now.
    I agree it was an outburst by me though. And see your point too.

    I'm going to try to get these posts removed (passively speaking!) as they don't have relevance to six4au exactly
     
  9. six4au

    six4au TS Rookie Topic Starter

    kimsland and kritius, thanks for the advice. I have run the Malwarebytes Anti-Malware program and here is my log file. I am posting this before I restart as suggested by the program. I will check this forum after that.

    Again, thanks.
    six4au

    Malwarebytes' Anti-Malware 1.09
    Database version: 568

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 121430
    Time elapsed: 24 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 18
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{f9b56a55-30f2-489f-88d0-2b7e5d498a5f} (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> No action taken.
    HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> No action taken.
    HKEY_CLASSES_ROOT\downloader.downloaderctrl.1 (Adware.2020search) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{d322f612-158e-421d-b8ce-acde0d343553} (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vbgtorfd (Trojan.FakeAlert) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> No action taken.

    Files Infected:
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP766\A0094427.dll (Trojan.FakeAlert) -> No action taken.
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP766\A0094477.dll (Trojan.FakeAlert) -> No action taken.
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP766\A0094624.dll (Trojan.FakeAlert) -> No action taken.
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP766\A0094625.dll (Trojan.FakeAlert) -> No action taken.
    C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP766\A0094626.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> No action taken.
    C:\WINDOWS\rs.txt (Malware.Trace) -> No action taken.
    C:\Documents and Settings\Administrator\Start Menu\delrb.bat (Dialer) -> No action taken.
     
  10. kritius

    kritius TS Guru Posts: 2,084

    You need to run it again and make sure it removes selected.
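
The status at the end of each log line shows whether a detection was actually removed: "No action taken" means the item was found but left in place. A small parser for that check, as an added example that is not part of the original thread or of Malwarebytes' own tooling; the function names and the abridged sample log are constructed, and the line layout is assumed from the logs posted here.

```python
import re
from collections import Counter

# Constructed sample in the layout of the logs posted in this thread,
# abridged and combining entries from the first two scans.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.09

Registry Keys Infected: 2
Registry Values Infected: 0
Folders Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> No action taken.

Files Infected:
C:\WINDOWS\rs.txt (Malware.Trace) -> No action taken.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared counts per section, list of detection entries)."""
    declared, entries, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return declared, entries

def triage(text):
    """Flag detections left in place, and sections whose listed entries
    do not match the summary count (e.g. a log truncated when pasted)."""
    declared, entries = parse_mbam_log(text)
    listed = Counter(e["section"] for e in entries)
    mismatched = sorted(s for s, n in declared.items() if listed[s] != n)
    unremediated = [e for e in entries if e["action"] == "No action taken"]
    return {"unremediated": unremediated, "mismatched": mismatched}
```

In the first log posted above, every detection carries "No action taken", so all of them would be returned under `unremediated`.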
     
  11. six4au

    six4au TS Rookie Topic Starter

    kritius,

    While I was running the program again, I received the same two popups as described before. Here is the log file of that execution.

    Malwarebytes' Anti-Malware 1.09
    Database version: 568

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 122085
    Time elapsed: 26 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    After I finished that execution, I checked for updates and disabled my network connection and re-ran Anti-Malware. Here is that log file.

    Malwarebytes' Anti-Malware 1.09
    Database version: 568

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 122090
    Time elapsed: 24 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    It looks like it might have removed it all.

    Do you recommend any other course of action?

    six4au
     
  12. six4au

    six4au TS Rookie Topic Starter

    Well, I just got the red popup about spyware after I had thought everything was cleaned. The popup takes me to some webpage to purchase spyware removal software. I'm not sure what to do next.

    six4au
     
  13. frannip

    frannip TS Rookie Posts: 18

    I have a fix but it's not free

    I had the same security pop-ups and fake alerts as well. Red screen and all. After many many hours of scans and cleans and what not nothing was working. I decided to download SpyDoctor from PC tools and run it.

    It returned a bunch of trojans that the other scans didn't catch. Without fixing anything, I even tried running the other scans and they came back clean! Unfortunately, in order for SpyDoctor to clean anything you have to buy it. It's not a lot and definitely worth it.

    I cleaned everything it found and have not had a problem !!! But this is just what worked for me. If you buy it, do so at your own discretion. There's no guarantee that it will solve your problem. I'm only sharing what worked for me.

    Good luck.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Thanks frannip

    Is there a log from SpyDoctor that you could post?
    That way we can possibly see all the registry keys and files it found and removed.

    i.e. there must be a free way for others to use.
     
  15. frannip

    frannip TS Rookie Posts: 18

    There are over 150 entries (1 for each infection found) then another 1 for the cleaning results. I can't save a log, I have to save each and every one individually :(. Oh, and they're in ITALIAN. I'm trying to find a way.

    There were about 25 that were quarantined, and I believe one of them was the culprit. Maybe I can do those. I'll see what I can swing and will def post.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Doh !
    Ok Italian, lots of different logs.
    Maybe don't worry, that's sad :(
     
  17. CompProblem4

    CompProblem4 TS Rookie

    I am having the same pop-ups re: System Security Warning (which wants me to purchase their software & state that I have 38 dangers to my computer)

    I have downloaded SpyDoctor & it found nothing. And I then downloaded MalwareBytes and I am currently scanning but so far it has found No Objects Infected and it is almost done. How can I possibly remove this stupid thing.

    As I stated above - there were no threats found but I still have this stupid System Security on my computer popping up
    But here is the malware report
    Malwarebytes' Anti-Malware 1.31
    Database version: 1456
    Windows 6.0.6000

    12/22/2008 2:59:19 PM
    mbam-log-2008-12-22 (14-59-19).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 175357
    Time elapsed: 1 hour(s), 28 minute(s), 54 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Is there anything else I can try??????
     
  18. klepto12

    klepto12 TechSpot Paladin Posts: 1,115   +9

    Do a quick scan and make sure it's up to date. Also try Spybot Search and Destroy; it's great, finds everything Malwarebytes misses.
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

Topic Status:
Not open for further replies.
