
"your Computer Is Infected!" Bubble Keeps Popping Up



#1 naya622


Posted 27 June 2008 - 07:38 AM

I keep getting a bubble popping up on the bottom right of my computer warning me that "Your computer is infected!" I have searched online for a fix but was unable to find anything. I have run all the spyware programs I have such as clean up and Adaware. I am running XP. I found this forum and thought someone would be familiar with it and be able to help me get this thing off my system.

Any assistance would be greatly appreciated.

I look forward to hearing from you.


 


#2 quietman7


Posted 27 June 2008 - 10:28 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Instructions with screenshots if needed.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 naya622


Posted 27 June 2008 - 10:33 AM

Hi, thanks for your reply!!! I don't have the one with the red X at the bottom, mine has the yellow triangle with the exclamation point. Is the fix the same for this one?

Thanks,

Janice

#4 quietman7


Posted 27 June 2008 - 10:44 AM

This is more of a general malware scanning/detection and removal tool so it's OK to use on systems exhibiting different symptoms. There may be more work to do afterwards, depending on what is found and if removal is successful.

#5 naya622


Posted 27 June 2008 - 10:55 AM

OK great, I will try this.

#6 naya622


Posted 27 June 2008 - 11:13 AM

Here is my log report


Malwarebytes' Anti-Malware 1.18
Database version: 895

12:12:16 PM 6/27/2008
mbam-log-6-27-2008 (12-12-16).txt

Scan type: Quick Scan
Objects scanned: 41568
Time elapsed: 9 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Adapter 5.1.3214 (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pphc5d6j0evcg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE_tobedeleted (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL_tobedeleted (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice\Application Data\dretv.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Janice\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

#7 naya622


Posted 27 June 2008 - 01:08 PM

It worked!!!! The bubble is gone. I have a second problem, I will start another thread for the question, it is re the Antivirus XP 2008 Virus.

Thanks again.

#8 quietman7


Posted 27 June 2008 - 03:47 PM

No need to start another thread. Just continue here.

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply.
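The check described in the reply above (finding the log entries that were not removed outright and therefore need a reboot and a rescan) can be scripted. This is an added example, not part of the original posts or of MBAM itself; the function names are hypothetical, the sample is a shortened copy of the log format posted in this thread, and treating every action other than "Quarantined and deleted successfully." as needing follow-up is an assumption.

```python
import re

# Constructed sample: a shortened log in the format posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.18
Database version: 895

Memory Processes Infected: 0
Registry Data Items Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice\Application Data\dretv.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Janice\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")  # "Files Infected: 7"
SECTION = re.compile(r"^(.+ Infected):$")        # "Files Infected:"
HEAD = re.compile(r"^(.+) \(([^()]+)\)$")        # "<path or key> (<detection name>)"
# Assumption: this is the only action string that needs no follow-up.
DONE = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return the summary counts and one record per detected item."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section and " -> " in line:
            # Registry data items carry an extra "Bad: ... Good: ..." field,
            # so the action is always the text after the last arrow.
            head, *_, action = line.split(" -> ")
            if m := HEAD.match(head):
                items.append({"section": section, "target": m.group(1),
                              "detection": m.group(2), "action": action})
    return {"summary": summary, "items": items}


def needs_follow_up(parsed):
    """Items that were not removed outright, e.g. 'Delete on reboot.'"""
    return [i for i in parsed["items"] if i["action"] != DONE]


def count_mismatches(parsed):
    """Sections whose item lines differ from the summary count (a truncated paste)."""
    listed = {}
    for i in parsed["items"]:
        listed[i["section"]] = listed.get(i["section"], 0) + 1
    return {s: (n, listed.get(s, 0))
            for s, n in parsed["summary"].items() if n != listed.get(s, 0)}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for item in needs_follow_up(parsed):
        print(f'{item["action"]:<20} {item["detection"]:<20} {item["target"]}')
    print("count mismatches:", count_mismatches(parsed))
```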

#9 naya622


Posted 27 June 2008 - 06:51 PM

This is the log for the second time I ran it. I also just removed the Antivirus XP 2008 but I still have the blue wallpaper with the warning. How can I remove this?


Malwarebytes' Anti-Malware 1.18
Database version: 895

5:05:53 PM 6/27/2008
mbam-log-6-27-2008 (17-05-53).txt

Scan type: Quick Scan
Objects scanned: 39527
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#10 quietman7


Posted 27 June 2008 - 08:06 PM

Please perform an online scan with Kaspersky WebScanner.

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky. Click Posted Image
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste the scan results in your next reply.


#11 naya622


Posted 27 June 2008 - 11:17 PM

Here are the scan results, how do I delete the infections it found?


KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 28, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 02:37:56
Records in database: 893619


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
F:\

Scan statistics
Files scanned 97530
Threat name 5
Infected objects 8
Suspicious objects 0
Duration of the scan 01:45:42

File name Threat name Threats count
C:\Documents and Settings\Janice\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-2c7b15d4 Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Janice\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-139bb40e.zip Infected: Exploit.Java.Gimsh.b 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP966\A0120311.exe Infected: Trojan-Downloader.Win32.FraudLoad.vacf 1

C:\WINDOWS\cpbrkpie.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h 1

C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N85M1306NetInstaller.exe Infected: Trojan-Downloader.Win32.Agent.alr 1

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts Infected: Trojan.Win32.Qhost.r 1

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak Infected: Trojan.Win32.Qhost.r 1

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn Infected: Trojan.Win32.Qhost.r 1

The selected area was scanned.

#12 quietman7


Posted 28 June 2008 - 07:18 AM

To clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    - The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    - The Temporary Files Settings dialog box appears.
  • Click "Delete Files" at the bottom.
    - The Delete Temporary Files dialog box appears with options to delete:
    • Applications and Applets
    • Trace and Log Files
  • Click "OK".
  • Click "OK" on the Temporary Files Settings window.
  • Close the Java Control Panel.
Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\WINDOWS\cpbrkpie.ocx
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N85M1306NetInstaller.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Please download HostsXpert - Hosts File Manager
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to start the program.
  • When the program opens, click the "Restore MS Hosts File" button in the left pane.
  • Click "Make Hosts Writable?" (if available).
  • Click "Restore Microsoft's Hosts file" when prompted and then click "Ok".
  • Exit Hoster when done.
-- If the Hosts file does not exist, you will be prompted to create a new one. Just press "Ok".
-- If you were using a custom Hosts file you will need to replace any of those entries yourself.


Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode".
Post the log in your next reply and let me know how your computer is running.
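Because restoring the stock Hosts file discards custom entries, as the reply above notes, it helps to list every mapping that goes beyond the stock `localhost` line before the file is replaced, so wanted entries can be re-added and the rest reviewed. This is an added example, not part of the original post or of HostsXpert; the function names, category labels and sample file are constructed for illustration.

```python
import ipaddress

# Names present in a stock Hosts file; anything else is reported.
STOCK_NAMES = {"localhost"}

# Constructed sample, not taken from the machine in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp. (comment lines are ignored)
127.0.0.1       localhost
127.0.0.1       updates.av-vendor.example   # name pinned to loopback
203.0.113.7     www.shop.example shop.example
192.0.2.10      nas.home.example            # entry the user added on purpose
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, address or None, [names]) for every mapping line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None                      # first field is not an IP address
        yield no, addr, fields[1:]


def audit_hosts(text):
    """Return (line_no, category, names) for each entry that is not stock.

    malformed  - the address field does not parse
    sinkholed  - a non-stock name mapped to loopback or 0.0.0.0
    redirected - any name mapped to some other address
    """
    findings = []
    for no, addr, names in parse_hosts(text):
        extra = [n for n in names if n.lower() not in STOCK_NAMES]
        if addr is None:
            findings.append((no, "malformed", names))
        elif addr.is_loopback or addr.is_unspecified:
            if extra:
                findings.append((no, "sinkholed", extra))
        else:
            findings.append((no, "redirected", names))
    return findings


if __name__ == "__main__":
    for no, category, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {category:<10} {' '.join(names)}")
```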

#13 naya622


Posted 28 June 2008 - 08:22 AM

Results from OTMoveIt2


C:\WINDOWS\cpbrkpie.ocx unregistered successfully.
C:\WINDOWS\cpbrkpie.ocx moved successfully.
C:\WINDOWS\Downloaded Program Files\UWAS6_0001_N85M1306NetInstaller.exe moved successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts moved successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak moved successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn moved successfully.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06282008_092119




This is what Dr. Web found

gtdownls_125.ocx;c:\windows\system32;Adware.Gdown;Deleted.;



#14 quietman7


Posted 28 June 2008 - 03:26 PM

How is your computer running now? Any more reports/signs of infection?

#15 naya622


Posted 28 June 2008 - 07:48 PM

Sorry, I forgot to give you an update.

I still have the same wallpaper. Blue background behind my icons with the warning in the middle telling me "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer."

Also, randomly I will get a blue screen giving me error messages and telling me how to restart in safe mode. When I hit enter my window session comes back right where I left off. This is what initially happened when I first got the "Antivirus XP 2008" virus. That same blue screen is the first thing that I saw.



