syskplim
asked on
said: 'Your computer is infected!'
Hi all,
There is a red icon that stays in my system tray and always says 'Your computer is infected!', and a stupid anti-spyware program (Worldantispy) always comes up automatically.
http://syskplim.f2o.org/icon.jpg
I can't even find any alien in my startup // registry-LM-RUN // registry-CU-RUN and services.
Please help me to solve this. Thanks
Have you tried the online scans ?
Housecall Online Scan
http://housecall.antivirus.com
Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
ASKER
Dear mgh_mgharish,
this is my saved HJT log.
http://hijackthis.de/logfiles/d6f4ba39d8a8bbd022b37027e3593511.html
I did restart my PC in save command mode and scanned it with Ad-Aware SE Personal Edition (with an updated definition file), but nothing was found.
When I clicked on that stupid red icon, it linked me to www.worldantispy.com and asked me to register that worldantispy. As far as I know, that was a version of a trojan similar to this:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.c.html
There are many "Possibly Nasty" entries. If you don't know what they are, delete them.
NOTE:
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
This is being shown as Unknown which means it is not a recognised software. That itself may be the virus. Uninstall that first
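The O4 line quoted above is a Startup-folder shortcut rather than a Run-key value, so checking only the Run keys misses it. As an added example (not part of the original thread), this sketch pulls every O4 autostart entry out of a HijackThis-style log and lists the ones not yet reviewed; the sample log and the `REVIEWED` allow-list are constructed, and only the WorldAntiSpy line comes from the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style lines; only the WorldAntiSpy entry comes from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Example\helper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" -quiet
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
"""

# Hypothetical allow-list: image names the analyst has already verified on this machine.
REVIEWED = {"mobsync.exe", "updater.exe"}

# O4 has two shapes: a Run-key value "[name] command" or a Startup shortcut "name = target".
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run\w*): \[(.*?)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|scr|dll))(?=\s|$)', re.I)


def image_name(command):
    """Return the lower-cased file name of the program a command line starts."""
    m = IMAGE_RE.match(command)
    path = (m.group(1) or m.group(2)) if m else command.split()[0]
    return PureWindowsPath(path).name.lower()


def parse_o4(log):
    """Return (location, entry name, image name) for every O4 autostart line."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if m:
            location, name, command = m.groups()
            entries.append((location, name, image_name(command)))
    return entries


def unreviewed(entries, reviewed=REVIEWED):
    """Entries whose image is not on the allow-list. Name matching is triage only:
    confirm the full path and publisher before trusting or deleting anything."""
    return [e for e in entries if e[2] not in reviewed]


if __name__ == "__main__":
    for location, name, image in unreviewed(parse_o4(SAMPLE_LOG)):
        print(f"review: {location:<16} {name:<20} {image}")
```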
ASKER
This is my new HJT logs.
http://hijackthis.de/logfiles/d6f4ba39d8a8bbd022b37027e3593511.html
I have just finished running Symantec Security Check and got the report as below.
http://syskplim.f2o.org/onlinescan.jpg
Well, now run SpyBot to remove those Dialer and Adware threats.
Also, delete the quarantined files in MS Antispyware
ASKER
After I restarted the PC, that stupid red icon is still the 1st to come out!! :(
even though the HJT log seems OK now.
--> http://www.hijackthis.de/logfiles/d1ba0e9c8866a762a7076544b477df7e.html
And one more thing: there is an item ->> LM/software/ISTbar in my registry that I can't delete even though I tried many programs like regedit, Registry Mechanic, registry cleaner, spybot... There was an error saying that it can't delete this key. No IST file is loaded in memory any more.
What is PowerWord ? Is it a known software ?
Start --> Run --> "msconfig.msc" without quotes.
In the startup tab, remove suspected entries.
Press Ctrl+Alt+Delete. Click the Processes tab.
Now, if that icon can be closed (by right-clicking and selecting Exit etc.), do that and find the process which stops when you close that.
ASKER
PowerWord is a legal software. I am using Win2K, no msconfig. I checked my startup list with Spybot and found no suspected item.
This is my processes list --> http://syskplim.f2o.org/task.jpg
syskplim, does that happen in Safe mode also ?
ASKER
Yes, mgh_mgharish. In safe mode, the red icon was there.
r-k: I am scanning the PC with ewido and it can clean the ISTbar that was stuck in my registry as I mentioned above, but it doesn't help to remove that stupid red icon.
You really need to find the process which is creating all that..
Try this..
Go on closing each of the processes that are running. And note down the process which, on closing, removes that icon.
First remove the known software processes, then remove the antivirus processes and then go for system processes
If no luck so far with the above suggestions, then try the following:
Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html
and run it. Use the "Hide Microsoft Entries" option to reduce the display.
If you can spot anything suspicious you can un-check it and reboot and see if it helps. Otherwise use the "Save as.." option to save the Autoruns results to a text file, and cut-and-paste the results here.
PS: Sometimes you need to run ewido more than once to catch everything.
ASKER
i have just finished the ewido scanning.... and RED ICON STILL THERE ~~~ :_(
even that ISTbar, finally cannot be deleted..
http://syskplim.f2o.org/clean1.jpg
http://syskplim.f2o.org/clean2.jpg
http://syskplim.f2o.org/clean3.jpg
aaaAAAAaaaaHHHHHH !!! Stupid ReD iCON~~~ and ISTbar~~ !!
mgh_mgharish: all of the running processes are known processes, and some of them can't be stopped...
ASKER
HI~~!! The red icon was suddenly gone after I restarted my PC~!!
Is that the result of EWIDO -or- SFC /SCANNOW ?? :*o
After I scanned the PC with ewido and fixed some of the errors, the red icon was still there... then I ran sfc /scannow as mgh_mgharish suggested... some files were copied from my Win2K Pro CD onto my HDD.. nothing changed after that.. and I decided to restart the PC and finally the red icon was gone..
The only thing that remains now is ISTbar in my registry.. but it seems that it does no harm by staying.
Anyway thanks to both mgh_mgharish and r-k.
Glad the main problem is solved. If you want to get rid of the traces of ISTbar, try the removal tool linked from this page:
http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html
ASKER
r-k: this won't help. It can't get any ISTbar signal from my PC. That ISTbar is dead, but I don't know why I can't delete those registry keys..
syskplim, glad we could be of some help :)
I know this problem has been solved already, but I recently had the same exact problem in that nothing could delete certain registry keys that had been installed by spyware. It turned out to be simply that my permissions were not set up right. Check this: https://www.experts-exchange.com/questions/21582519/Is-it-possible-to-edit-registry-on-dual-boot-computer-from-other-boot.html
Run the program, and submit the logfile to http://hijackthis.de
Save the analysis and post the link here (Do not post the logfile itself)
Also run BHO Daemon
www.bhodaemon.com/
Then Run one or more of these tools from SAFE MODE with SYSTEM RESTORE OFF:
__________________________
Spy Bot Search & Destroy:
http://www.safer-networking.org/en/mirrors/index.html
http://www.spychecker.com/program/spybot.html
__________________________
Spy Sweeper:
http://www.spychecker.com/program/spysweeper.html
__________________________
Ad-Aware SE Personal Edition:
http://www.spychecker.com/download/download_adaware.html
__________________________
SpywareBlaster
http://www.spychecker.com/program/spywareblaster.html
__________________________
CoolWebShredder
http://www.spychecker.com/program/coolwebshredder.html
__________________________