windows pop up baloon says 'Malicious software was removed' - is this a virus?


I'm remotely fixing someone PC' as they have a virus and I though it had gone. However, still getting some strange behaviour.
Therefore I recenlty completed a windows update of the sysmtem after spybot compleining a fix on reboot, however after leaving the PC for a few hours after rebooting I see this windows baloon has poped up with the message as shown in the screen shot.

I started running a spybot scan again and it still says one of the malware is still there.

While I acknolwege there are still some issues with the PC, I just want to know whether this baloon is a genuine windows baloon or not.

I ask because one of the updates I done before this was a Windows Malcious software remover for April 2010 and wonder whether it has found something.
Made all the harder as I'm accessing the PC remotely so any input apprecaited.

Note I had previous run many other anti spyware and virus including Malwarebytes which have all removed things, but I think there may be still something lurking there.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Run a scan with Hitmanpro + note detections
Can you post Mbam's logfile

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You mean the update for Microsoft Malicious removal tool?

I wouldn't trust that balloon popup, even if it's legit I wouldn't click on it.
Any good scanner removes nasties completely not halfway or just half-done.

I would scan the system again with other tools... and yeah as suggested also post the Malwarebytes log... maybe MBAM missed.
Run Malwarebytes and Hijackthis and post the logs.  It appears that you have only run Spybot..
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Yes.. I think that this balloon is maybe generated by a fake antivirus (the virus itself).

Run NOD32. (get a trial from 
It will clean your PC from dangerous viruses.
Than you can run the spybot snd.
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at anytime:
What I like is that there are just some pesky items that can't be removed while in Windows. I run from a bootable source first, then go into Windows and see what's left over and then deal with it after. The bootable CD sometimes will take care of 80-100% of the infected items; making it that much easier. Best of luck to you.
afflik1923Author Commented:
OK I 'm a bit stumped at present.

I ow have all the main virus checks reporting nothing, but I still get some browser rediretion going on and can't get onto windows update (Althgouh auomatic updates seems to chug along). There are remenat of soemthing but a deep scan of malware bytes yields no resutls as do spybot ad super anti spyware.
Using log me in I have now rebooted into sfae mode. There is some things in Hijack this that I cannot remove. I select to fix them but they come back and they are the o23 entries.
So currenlty I am loged in remotely in safemode with networking.

See Hijack this log below. Note I have since removed successfully the  o16 entires. Not being with the PC is a bit of a bummer but hopig I can fix it without visit. Overall the C eems OK, but I know there is something there a for example, if I google hijack this and then click on the link toanalysie the results, the browser takes me elsewhere. (I've not tested since deleteing 016 entires in hijack this)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:58:20, on 17/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.0.4.*;127.0.0.*
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"
O4 - HKLM\..\Run: [Indexer] "C:\Program Files\Sharp\Sharpdesk\Indexer.exe"
O4 - HKLM\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKLM\..\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"
O4 - HKLM\..\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PspUsbCf] pspusbcf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.local
O17 - HKLM\Software\..\Telephony: DomainName = example.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = example.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = example.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Application Management AppMgmtwinvnc (AppMgmtwinvnc) - Unknown owner - C:\WINDOWS\System32\a.exe (file missing)
O23 - Service: COM+ System Application COMSysApplanmanserver (COMSysApplanmanserver) - Unknown owner - C:\WINDOWS\system32\adsmsextg.exe (file missing)
O23 - Service: COM+ System Application COMSysApplanmanserver COMSysApplanmanserverWZCSVC (COMSysApplanmanserverWZCSVC) - Unknown owner - C:\WINDOWS\system32\acluiw.exe (file missing)
O23 - Service: COM+ System Application COMSysAppWinDefend (COMSysAppWinDefend) - Unknown owner - C:\WINDOWS\system32\1767DA3E-7E60-4cbf-8AB8-CFF4D42C6D04i.exe (file missing)
O23 - Service: DHCP Client DhcpPlugPlay (DhcpPlugPlay) - Unknown owner - C:\WINDOWS\system32\accessp.exe (file missing)
O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Health Key and Certificate Management Service hkmsvcNetDDE (hkmsvcNetDDE) - Unknown owner - C:\WINDOWS\system32\12520850w.exe (file missing)
O23 - Service: Health Key and Certificate Management Service hkmsvcNetDDE hkmsvcNetDDEseclogon (hkmsvcNetDDEseclogon) - Unknown owner - C:\WINDOWS\system32\advpackw.exe (file missing)
O23 - Service: LogMeIn Rescue (845350) (LMIRescueUA_845350) - LogMeIn, Inc. - C:\WINDOWS\LMIE8C1.tmp\unattended_srv.exe
O23 - Service: LogMeIn Rescue (cd54bf24-414e-4b2d-945e-2326c53c82ec) (LMIRescue_cd54bf24-414e-4b2d-945e-2326c53c82ec) - LogMeIn, Inc. - C:\WINDOWS\LMI1359.tmp\LMI_Rescue_srv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Removable Storage NtmsSvcRemoteRegistry (NtmsSvcRemoteRegistry) - Unknown owner - C:\WINDOWS\system32\3com_dmib.exe (file missing)
O23 - Service: Removable Storage NtmsSvcScheduleTlntSvr (NtmsSvcScheduleTlntSvr) - Unknown owner - C:\WINDOWS\system32\activedsg.exe (file missing)
O23 - Service: Routing and Remote Access RemoteAccessAudioSrv (RemoteAccessAudioSrv) - Unknown owner - C:\WINDOWS\system32\1042w.exe (file missing)
O23 - Service: Task Scheduler ScheduleTlntSvr (ScheduleTlntSvr) - Unknown owner - C:\WINDOWS\System32\a.exe (file missing)
O23 - Service: Shell Hardware Detection ShellHWDetectionlanmanserver (ShellHWDetectionlanmanserver) - Unknown owner - C:\WINDOWS\system32\'j.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

End of file - 9939 bytes

Open in new window

afflik1923Author Commented:
Just treid to go to again in safe mode and it redirects to some other website which I close immedietly.

Tough one.
Have you had a chance to run the current version of Malwarebytes?  When you do, usually you will end up with about 12 files that are highlighted, and fixable.   If you can get into safe mode run it there as admin.  Some of these nasties will not let you update MBAM with the current definitions.  if this is the  case download the manual update here:    Run the executable and then open Malwarebytes, a quick scan will usually do the trick.  Please let us know the outcome... Z....
Did you try Hitmanpro?
Also try Tdsskiller

Run all of  them in normal mode as do the same with Combofix and post their logfiles along with Malwarebytes logfile which found things.

Although those entries say "file missing" there ok.

Run above scanners and then re run Hijackthis as well
ComboFix stops connection while it's scanning but resumes connection once done.

Also try gmer in case it's the new TDSS variant, shows up in Gmer just make sure Sections box is checked.

Download GMER Rootkit Scanner
Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked.
Ensure the following are UNCHECKED:
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)

Click the image to enlarge it
Then click the Scan button & wait for it to finish.
Once done click on the Save.. button, and in the File name area, type in "ark.txt"  
Save the log where you can easily find it, such as your desktop.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.
Post the log.
afflik1923Author Commented:
Right I'm back on this now and have to get completed by today ( as well as many other things - boo hoo).

OK currenlty I'm remotely in, using Safe mode. I notice that when I run malware bytes (note that latest definitions install fine) it crashes during the run, so there is something still werid going on. In non safe mode it completes and does not find anything.
I've not tried hit man pro yet. Always like to get fammilar with a new bit of software before running it, but you say this is good right?
afflik1923Author Commented:
Actually running a full scan again now in non safe mode and so far found 8 infected objects! Scan not complete yet and hopefully it will not crash before it completes.
afflik1923Author Commented:
OK Malware bytes did comeplte the scan and below is the log.

Running it again on quick scan after reboot as requested. Could this have finally nailed it?

Malwarebytes' Anti-Malware 1.45

Database version: 4003

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/04/2010 15:37:18
mbam-log-2010-04-18 (15-37-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 375638
Time elapsed: 3 hour(s), 18 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP759\A0049723.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP759\A0049724.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP762\A0050698.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP762\A0051698.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP762\A0051703.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP763\A0051739.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP764\A0051789.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E4ECD0F-3EF2-446D-9329-2A24EB5506A6}\RP764\A0051864.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\topdevice.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\224308626.exe (Backdoor.IRCNite) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3595818381.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Open in new window

Still run the others.
You can run Hitmanpro and choose at the end if you want to remove detections.
If you dont want it after, uninstall it but its good.

Run in normal mode as it will be more efficent.

>It would be safer to also run Gmer and post its logfile :)
afflik1923Author Commented:
OK thanks. One thing I'm noticing is the scanners crash a lot. E.g. I just went back to the PC to find that spybot had crashed and I had to press "end Now". Very annoying.

I will try this hitman software next.
afflik1923Author Commented:
Hey, what do you know, in about 5 mins Hit man pro found about 13 infections. It's rebooted and rescanned and found nothing. I've tried the browser site teh previoulsy redirected and it seemed to be fine!

OK lots more tests to run, but certainly looks good (and so fast!)
Thats good :)

Can you open Hitmanpro, hit settings and history tab
Post a screen shot of what was found.
afflik1923Author Commented:
OK still get malware bytes crashing (And then it logs out user when I prss cancel or end program) when I tried to run it then afrewards but I've not tried a reinsatll.

anyway pics attachd. I'hve hidden users name for privacy reasons.
Does malwarebytes give you an error message
More than likely there is something still hidden on machine
Run Tdsskiller and post its logfile thats produced>link is above

Also run Gmer as Rpggamergirl suggested
Run Gmer on that system and we'll see what the log shows.
Make sure the "Sections" box is checked.

And Ensure the following are UNCHECKED:
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)

Those bogus 023 entries that you're trying to remove but come back could be because of a registry monitoring programs running.... the user has Tea-Timer running and that can interfer with Hijackthis fixing entries.

Temporarily disable TeaTimer by doing the following:
Run Spybot-S&D.
Go to the Mode menu, and make sure "Advanced Mode" is selected.
On the left hand side, choose "Tools" -> "Resident".
Uncheck "Resident TeaTimer" and "OK" any prompts.
afflik1923Author Commented:
Much good input here. But it was the hitmanpro application that was the real gem. I was lazy to try it on first suggestion but would have saved a lot of time if it I did.

Thanks again for all input.
Not to worry :)
Machine ok now>no redirects?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.