Solved

said: 'Your computer is infected!'

Posted on 2005-08-18
23
61,132 Views
Last Modified: 2011-10-24
Hi all,

There is a red icon stay in my system tray and always says that 'Your computer is infetced!' and a stupid anti spyware-(Worldantispy) always come out automatically.

http://syskplim.f2o.org/icon.jpg

I can't even found any alien in my startup // registry-LM-RUN // registry-CU-RUN  and services.

Please help me to solve this. Thanks
0
Comment
Question by:syskplim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 8
  • 3
  • +1
23 Comments
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14704031
Download HijackThis from www.majorgeeks.com/download3155.html
Run the program, and submit the logfile to http://hijackthis.de
Save the analysis and post the link here (Do not post the logfile itself)

Also run BHO Daemon
www.bhodaemon.com/



Then Run one or more of these tools from SAFE MODE with SYSTEM RESTORE OFF:
__________________________________________________________________________________________
Spy Bot Search & Destroy:
http://www.safer-networking.org/en/mirrors/index.html
http://www.spychecker.com/program/spybot.html
__________________________________________________________________________________________
Spy Sweeper:
http://www.spychecker.com/program/spysweeper.html
__________________________________________________________________________________________
Ad-Aware SE Personal Edition:
http://www.spychecker.com/download/download_adaware.html
__________________________________________________________________________________________
SpywareBlaster
http://www.spychecker.com/program/spywareblaster.html
__________________________________________________________________________________________
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
__________________________________________________________________________________________
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14704050
Have you tried the online scans ?

Housecall Online Scan
http://housecall.antivirus.com

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
0
 

Author Comment

by:syskplim
ID: 14704234
Dear mgh_mgharish,

this is my saved HJT log.

http://hijackthis.de/logfiles/d6f4ba39d8a8bbd022b37027e3593511.html


i did restart my pc in save command mode and scaned it with Ad-Aware SE Personal Edition (with updated definition file) but nothing found.

when i clicked on that stupid red icon, it will link me to www.worldantispy.com and ask me to register that worldantispy.  As i know, that was a version of trojen similar to this:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.c.html

0
Get Actionable Data from Your Monitoring Solution

Your communication platform is only as good as the relevance of the information you send. Ensure your alerts get to the right people every time with actionable responses. Create escalation rules that ensure everyone follows the process and nothing is left to chance.

 
LVL 37

Expert Comment

by:Harisha M G
ID: 14704295
There are many "Possibly Nasty" entries. If you don't know what they are, delete them.

NOTE:
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe         

This is being shown as Unknown which means it is not a recognised software. That itself may be the virus. Uninstall that first
0
 

Author Comment

by:syskplim
ID: 14704534
This is my new HJT logs.

http://hijackthis.de/logfiles/d6f4ba39d8a8bbd022b37027e3593511.html

i have just finished running Symantec Security Check and got the report as below.

http://syskplim.f2o.org/onlinescan.jpg
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14704554
Well, now run SpyBot to remove those Dialer and Adware threats.

Also, delete the quarentined files in MS Antispyware
0
 

Author Comment

by:syskplim
ID: 14704784
After i restarted the pc, that stupid red icon still be the 1st to come out !!   :(

even HJT logs seems ok now.
--> http://www.hijackthis.de/logfiles/d1ba0e9c8866a762a7076544b477df7e.html

and 1 more thing is: there is an item  ->> LM/software/ISTbar in my registry that i can't delete it even i tried many software like regedit, Registry Mechanic, registry cleaner, spybot ...... it was an error said that can't delete this key.. no more IST file was load in memory..

0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14704819
What is PowerWord ? Is it a known software ?

Start --> Run --> "msconfig.msc"  without quotes.
In the startup tab, remove suspected entries.

0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14704850
Press Ctrl+Alt+Delete Click the processes tab

Now, if that icon can be closed, (By rightclicking and selecting exit etc), do that and find the process which stops when you close that.
0
 

Author Comment

by:syskplim
ID: 14705205
PowerWord is a legal software. i am using Win2K, no msconfig. i checked my startup list with Spybot and found no suspected item.

This is my processes list --> http://syskplim.f2o.org/task.jpg

0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 50 total points
ID: 14705216
Suggest you try ewido from:

 http://www.ewido.net/en/

there is a free download, and it works well in such cases.
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14705280
syskplim, does that happen in Safe mode also ?
0
 

Author Comment

by:syskplim
ID: 14705427
Yes, mgh_mgharish. In safe mode, the red icon was there.

r-k:  i am scanning the pc with ewido and it can clean the ISTbar that sticked in my registry as i mentioned above but doesnt help to remove that stupid red icon.




0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14705441
You really need to find the process which is creating all that..

Try this..

Go on closing each of the processes that are running. And notedown the process which, on closing, removes that icon.
0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14705442
First remove the known software processes, then remove the antivirus processes and then go for system processes
0
 
LVL 32

Expert Comment

by:r-k
ID: 14705493
If no luck so far with the above suggestions, then try the following:

Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

and run it. Use the "Hide Microsoft Entries" option to reduce the display.

If you can spot anything suspicious you can un-check it and reboot and see it helps. Otherwise use the "Save as.." option to save the Autoruns results to a text file, and cut-and-paste the results here.

PS: Sometimes you need to run ewido more than once to catch everything.

0
 

Author Comment

by:syskplim
ID: 14705508
i have just finished the ewido scanning.... and RED ICON STILL THERE ~~~  :_(

even that ISTbar, finally cannot be deleted..

http://syskplim.f2o.org/clean1.jpg

http://syskplim.f2o.org/clean2.jpg

http://syskplim.f2o.org/clean3.jpg

aaaAAAAaaaaHHHHHH  !!! Stupid ReD iCON~~~ and ISTbar~~  !!


mgh_mgharish: all of the running processes are known processes, and some of them can't be stoped...


0
 
LVL 37

Accepted Solution

by:
Harisha M G earned 50 total points
ID: 14705531
Goto DOS and run the command (Don't know whether exists in 2000)
SFC /SCANNOW

This should revert all the Windows files to their original versions.
0
 

Author Comment

by:syskplim
ID: 14705830
HI~~!!  the red icon suddenly gone after i restart my PC~!!

Is that the result of  EWIDO -or- SFC /SCANNOW ??  :*o

After i scanned the PC with ewido and fixed some of the error, the red icon still there... then i run sfc /scannow as mgh_mgharish suggested... some files were copied from my win2k pro CD into my hdd.. nothing changed after that.. and i decided to restart the pc and finally red icon gone..

The only thing now remain is ISTbar in my registry.. but seems that it doesnt harm even staying.

Anyway thanks to both mgh_mgharish and r-k.



0
 
LVL 32

Expert Comment

by:r-k
ID: 14706381
Glad the main problem is solved. If you want to get rid of the traces of ISTbar, try the removal tool linked from this page:

 http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

0
 

Author Comment

by:syskplim
ID: 14711182
r-k: this won't help. It can't get any ISTbar signal from my PC. that ISTbar is dead but i dont know why i cant delete those registry keys..

0
 
LVL 37

Expert Comment

by:Harisha M G
ID: 14712221
syskplim, glad we could be of some help :)
0
 

Expert Comment

by:mickn66
ID: 15029851
I know this problem has been solved already, but I recently had the same exact problem in that nothing could delete certain registry keys that had been installed by spyware.  It turned out to be simply that my permissions were not set up right.  Check this: http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21582519.html
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question