Pop-up Only: "Your computer has been infected..."

L

lvgirle

Posts: 7   +0
Pop-up Only: "Your computer is infected..."

So, I recently got some kind of a virus on my computer.

Pop-up came up in my right hand corner toolbar saying, "Your computer is infected. Windows has detected a spyware infection. .. ." It also changed my desktop background saying my computer was infected. I read somewhere on this site how to delete it. I followed the instructions and it SEEMED like it was gone. No more "Your computer is infected" and I was able to change my desktop background. I never had problems with a spyware site popping up or it asking me to download something.

So I continued about my day, then later tonight I came to find out the pop up message with a red circle with a white X inside it, came back but the change in my desktop did not.

Other people have had similar problems and their homepage was effected and it directed you to another site asking you to download spyware and other things but my only problem is this Toolbar pop-up message. How can I get rid of it?
I've ran scans and downloaded all these various things people suggested, seached for Spyaxe on my computer, searched for the files other people had problems with but NOTHING. H E L P !
 
Well... I would suggest reading up on how to secure Winbloze a bit more, then reinstalling to start fresh and clean.

A few tips:
- create a limited user account from which you will do whatever you use your computer for, and administrator account for installng software and making system wide changes; trust me that it will make a significant impact on how much spyware you get (much less naturally)
- partition your drive so that you have one partition for the system and programs and another for your own importants and imponderabilia :) that has several advantages.
- once you have a clean install, maybe you can get a sys admin friend to create a disk image for you, then in case things go far south, you'll be able to roll the clean back up real fast; not to mention that you'll gain a useful skill; your sys admin friend might have access to Norton Ghost...
- do not use Internet Explorer and especially with administrative rights unless you really have to (windows update); try Firefox or Opera.

Other than those, I like to use Spyware and AdAware. This is a powerful antispyware combo.

Learn and prosper and Good Luck :)
 
Thanks for the info! Greatly appreciated.

So I did the http://www.aluriasoftware.com/ scan and these are my results..

Suspect Files: 10
Spyware Registry Entries: 84
Identified Spyware: 10
Spyware Registry Entries
-----------------------------------
BrowserAid
Ezula
WebOffer
HuntBar
MediaTickets
PurityScan
WebSearch.Wintools
WinTools
Wintools.Websearch
Huntbar.IBIS

I'm actually on my way out the door, so I'm unable to finish the "How to remove trojan's and it's ick" process. But are the files or programs listed below the dotted line, what I need to get rid of?
 
lvgirle said:
Thanks for the info! Greatly appreciated.

So I did the http://www.aluriasoftware.com/ scan and these are my results..

Suspect Files: 10
Spyware Registry Entries: 84
Identified Spyware: 10
Spyware Registry Entries
-----------------------------------
BrowserAid
Ezula
WebOffer
HuntBar
MediaTickets
PurityScan
WebSearch.Wintools
WinTools
Wintools.Websearch
Huntbar.IBIS

I'm actually on my way out the door, so I'm unable to finish the "How to remove trojan's and it's ick" process. But are the files or programs listed below the dotted line, what I need to get rid of?
Click to expand...

Yes they are the nasties.

However, there may be other things lurking on your computer. So, when you`ve finished following the instructions. Please post a HJT log.

Regards Howard :)
 
I THINK it worked.

here's a copy of my log from ewido anti-malware - Scan report. I'm not sure if that's the same as HJT log. My computer run's Norton AntiVirus every friday, it's currently running and found 4 detected "threats". Does that mean I'm not in the clear?

I no longer have the "Your computer is infected" popup and instead of IE I'm using Firefox.

It finished running and it deleted 1 threat and 3 other files with Adware in their name remain. I couldn't figure out how to delete all of them...
 

Attachments

  • Scan report_20060127.txt.txt
    18 KB · Views: 5
Here's my HJT log.

Today I ran Ewido Antimalware, and it found 74 infected objects. Does this mean that I did not get rid of my virus?

EDIT: Sorry, here it is.
 

Attachments

  • hijackthis.txt
    14 KB · Views: 5
Boot into safe mode. See how HERE

Turn off system restore.(XP/ME only) See how HERE

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE

Go to add remove programmes in your contol panel, and uninstall anything to do with(if there)

C:\Program Files\AIM Toolbar
C:\Program Files\AWS\WeatherBug

Close control panel.

Open your task manager by pressing the ctrl/alt/delete keys together.

Click on the processes tab, and end process for(if there).

WToolsA.exe
WSup.exe
WToolsS.exe
Weather.exe

Close task manager.

Run HJT with no other programmes open, and let HJT fix the following, by putting a tick in the little box next to(if there)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {06607083-B922-44B3-AA28-E1383BB88C78} - C:\WINDOWS\system32\kestxkrk.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ddccb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_2/controls/ybrequest.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_5_2/controls/YBUICtrl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer2005ScannerInstall.cab

O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\SYSTEM32\jkhfc.dll

O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)

O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)

O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)

O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

Click on the fix checked button.

Close HJT.

Click start/run, and type services.msc into the run box, and press the enter key.

When the window appears, maximise it. Locate the above 023 services, and double click on them. If they are running, select stop. Set the startup type to disabled. When done, click apply/ok.

Delete the following bold files(if there)

C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\kestxkrk.dll
C:\WINDOWS\system32\ddccb.dll
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\SYSTEM32\jkhfc.dll
C:\Program Files\Common Files\WinTools\WToolsS.exe

Reboot into normal mode, and turn system restore back on.

Regards Howard :)
 
howard_hopkinso said:
Delete the following bold files(if there)

C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\kestxkrk.dll
C:\WINDOWS\system32\ddccb.dll
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\SYSTEM32\jkhfc.dll
C:\Program Files\Common Files\WinTools\WToolsS.exe

Reboot into normal mode, and turn system restore back on.

Regards Howard :)
Click to expand...

I think I'm doing okay, until I come to this part. I find these files in seach mode, then attempt to delete and the 1st file says that "It cannot delete because it is being used by another program". Or something along those lines. How should I go about deleting these?
 
Did you stop the 023 service?

Click start/run, and type services.msc into the run box, and press the enter key.

When the window appears, maximise it. Locate the above 023 services, and double click on them. If they are running, select stop. Set the startup type to disabled. When done, click apply/ok.
Click to expand...

If the services are still running, then you wont be able to delete them.

P.S. If you still cant delete the bold files. Download the Pocket killbox programme from HERE

Regards Howard :)
 
For WToolsA.exe I went into the services.msc into the run box and put it on disabled, when it previously said automatic. Then went into the control alt delete and tried to delete WToolsA.exe it just comes back moments after ending the processes. I went back to services.msc and it is on automatic again.


What should I do now? DL the Killbox?
 
Whoever suggested finding and deleting "winstall.exe" is great. It got rid of the nuisance screen and the little red cross on my status bar. Also my desktop now accepts photos as wallpaper which it stopped doing when the pop-ups arrived.

Cheers
 
And if i may, use another antivirus program instead of Norton. Use something like NOD32 or Panda or even AVG. Norton is pretty weak and hogs system resources. In addition, it may be helpful to install Ad-Aware and Spyware Doctor(try getting Ad-Aware Pro if u can. The Ad-Watch feature is the best real-time anti-spyware/adware protection i've seen. U have to pay for it though, but otherwise, Ad-Aware personal is also good but u'll have to peridocally scan and remove any adware/spyware.)
 
I have this too...is there an easier way of removing this without buying the tool or manualy screwing around with registry keys?

An "***** proof" way in other words.
 
Possibly not I'm afraid, though I will admit that I haven't read the whole thread.

Deleting those two reg keys isn't hard, nor is it time consuming.

However, If you would like to follow the instructions in the sticky at the top of the forum we can deal with that later, as you may have secondary infections that need to be removed.

I must confess though, scanning the thread, I don't see any tool that needs to be bought.
 

Similar threads

Cal Jeffrey
Jeep's annoying pop-up nags you to buy an extended warranty at every stop sign
Replies
13
Views
263
Tinderbox
Tinderbox
H
Running macro to open a WordPerfect12 document causes WP to close
Replies
0
Views
87
Hikermann
H
Shawn Knight
A second Nintendo PlayStation prototype has been uncovered
Replies
4
Views
105
mrSister
mrSister

Latest posts

Back