I had a nasty case of SmitFraud and spyware. Specifically Win.Worm.32 netnooster and the VIRUS ALERT! in the taskbar. I downloaded SUPERAntiSpyware and Spyware Terminator. I ran a full scan with both programs and they pretty much got rid of all the nasty stuff; my PC runs fine, no more pop-ups, and my system is pretty much clean now. The problem I have is the VIRUS ALERT! thing is still in the taskbar and I can't access my C drive or Programs and "Run" in the Start menu. Also when I press Ctrl-Alt-Del it says "administrator has disabled" even though my account has administrator privileges. Any help??

3 contributors, 8 replies, 9 views, discussion span 8 years, last post by jholland1964

Hi furyboy38109 and welcome to DaniWeb.
If that Virus Alert is still on the taskbar then this means that the infection is NOT removed.
How did you determine that the infection was Win.Worm.32 netnooster?
It appears that you are probably infected with Antivirus 2009, which is NOT a legitimate antivirus program but is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and are only shown to scare you into purchasing the software.


Please download ATF-Cleaner.exe by Atribune (Windows XP, 2K, 2003 & Vista ONLY).

* You can put ATF-Cleaner on your Desktop for easy access.
* Double-click ATF-Cleaner.exe to run it.
* Where it says Select Files To Delete, check the Select All option.
* Click Empty Selected > OK.

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Close ALL open windows / programs / folders except for MBA-M.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.
Then download and run HiJackThis
Do a Full System Scan with it and save the log.
Post back here with the MBA-M log and HiJackThis log.


Follow these steps to get rid of your alert. You will want to make sure the infection is gone, because if it is not, the alert will come back.

This information was copied from the following website:
http://miekiemoes.blogspot.com/2008/05/virus-alert-in-clock-and-how-to-restore.html


VIRUS ALERT! in clock and how to restore it
Most people recognise the words VIRUS ALERT! beside the System clock after being infected with one of the Zlob-Media Codec infections.

It's also displayed under the ProductID in your System Properties > General:

In the Registry, the following values are affected and replaced with VIRUS ALERT!

[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm: VIRUS ALERT!"

Which explains the VIRUS ALERT! words in the clock.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="VIRUS ALERT!"

Which explains the VIRUS ALERT! in the System Properties.

In both cases, on every computer, the above default values are different, because the clock setting depends on what the Regional Settings are.
To restore the VIRUS ALERT! in the clock settings, Go to start > run and type: intl.cpl
Hit enter
This opens the Regional Settings properties.
Under the tab Regional Options > standards and formats, from the dropdown list, re-select your region again.

In my case it is set to English (United States), but in your case it may be different of course.
By default the correct region should already be displayed there, but you have to re-select it, or select another Region first and then select your Region again > click Apply and OK. This will reset the default data in the Registry for the sTimeFormat, so the VIRUS ALERT! should be gone.
(In some cases, you need to log off in order to make the changes.)
(Extra note: in case you're having problems with the above instructions, see the last part of this post on how to restore the policies first.)

For the ProductID, this is somewhat more advanced since every ProductID is different.
You need to restore that value in the Registry again with your ProductID. The ProductID will be a 20-character string of numbers and is used when you call Microsoft for support. It may also affect Windows XP Validation, with an error in the System tray reading "Unable to complete genuine Windows validation", and/or you *may receive the error: "0x80080201 Cannot detect product ID (PID)"

The ProductID that was modified here is under the:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"

Note, this is not your Product Key used to install Windows!

To retrieve your Product ID and restore it for the above key/value, you can also find it under the next value in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"

If you're not familiar with the registry, I suggest you use the Microsoft Genuine Advantage Diagnostic (MGADIAG) tool instead to retrieve your Product ID.

Run MGADiag.exe, click Continue and you'll find your Product ID under the Windows Tab.

There you can find your Product ID.
Now you have to restore that value in the registry again.
To do this, go to start > run and type: regedit
This will open your Registry Editor.
(Extra note: in case you're having problems with the above instructions, see the last part of this post on how to restore the policies first.)

Now browse to the following key by expanding the folders (keys)
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion
On the right, you should find: ProductId
In your case, you'll see VIRUS ALERT! next to it.
Doubleclick the value to open it and edit the string as you see in the screenshot below:

Where you see VIRUS ALERT! in the "edit string Window", delete the VIRUS ALERT! in there and replace it with your Product ID key you retrieved previously: XXXX-XXX-XXXXXXX-XXXXX
The X stands for random numbers/letters
Click the OK button after you edited the ProductID value in the Edit string Window to apply the changes.

This infection also adds a lot of policies (taskmanager disabled, registry editor disabled etc..) and also made some modifications in the startmenu as you see in the screenshot below:


To fix this, download this zipfile to your desktop.
Unzip it. Then RIGHTCLICK the VArestorepolicies.inf and select to Install from the Context menu.

Then, log off or reboot to apply the changes.

Note: the above will set the display in the Start menu to the Windows default. This matters in case you have modified this previously and already "disabled" some Start menu items there.
It will also delete some policies which you *may have set yourself previously.

Note2: Above instructions only remove the VIRUS ALERT! in the clock and System properties and the restrictive policies+registry modifications being set. This doesn't clean the infection itself if still present. As long as the infection is still present and active, it will replace above values (with VIRUS ALERT!)+policies again.
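A read-only check for the registry artifacts the post above describes, added here as an example and not part of the copied blog post or of anyone's reply in this thread. It reads the sTimeFormat value and both ProductId values the post names, plus the standard Windows policy values behind a disabled Task Manager, a disabled Registry Editor and a missing Run item (DisableTaskMgr, DisableRegistryTools and NoRun; the post only names the symptoms, so tying them to these values is an assumption), and reports which ones carry the VIRUS ALERT! marker or an active restriction. The audit logic is kept separate from the registry read so it can be exercised on captured or constructed values on any platform; the script never writes to the registry, restoring values is done with the steps in the post.

```python
"""Read-only audit of the VIRUS ALERT! registry artifacts.

Added example, not code from the blog post or the thread.  It only reads
and reports; restoring the values is done with the steps in the post.
"""
import sys

MARKER = "VIRUS ALERT!"

# The first three entries are the values the post names.  The policy values
# are standard Windows policies assumed (not stated in the post) to be behind
# the "task manager disabled" / "registry editor disabled" / missing Run symptoms.
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
NT_VERSION = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
WIN_VERSION = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# (hive, subkey, value name) -> label used in findings
CHECKS = {
    ("HKCU", r"Control Panel\International", "sTimeFormat"): "clock time format",
    ("HKLM", NT_VERSION, "ProductId"): "ProductId shown in System Properties",
    ("HKLM", WIN_VERSION, "ProductId"): "ProductId backup copy",
    ("HKCU", POLICY_SYSTEM, "DisableTaskMgr"): "Task Manager policy",
    ("HKCU", POLICY_SYSTEM, "DisableRegistryTools"): "Registry Editor policy",
    ("HKCU", POLICY_EXPLORER, "NoRun"): "Start menu Run policy",
}
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoRun"}


def audit(values):
    """values maps each CHECKS key to its data, or None if absent.
    Returns one finding string per tampered value; an empty list when clean."""
    findings = []
    for key, label in CHECKS.items():
        name, data = key[2], values.get(key)
        if isinstance(data, str) and MARKER in data:
            findings.append(f"{label}: {name} = {data!r} carries the marker")
        elif name in RESTRICTIVE_POLICIES and isinstance(data, int) and data != 0:
            findings.append(f"{label}: {name} = {data} (restriction active)")
    return findings


def recoverable_product_id(values):
    """If the Windows NT ProductId was overwritten with the marker, return the
    intact copy under the Windows CurrentVersion key (the post's recovery
    source), otherwise None."""
    damaged = values.get(("HKLM", NT_VERSION, "ProductId"))
    backup = values.get(("HKLM", WIN_VERSION, "ProductId"))
    if damaged == MARKER and isinstance(backup, str) and backup and MARKER not in backup:
        return backup
    return None


def read_live_values():
    """Read every checked value from the live registry (Windows only)."""
    import winreg  # only available on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive, subkey, name in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value missing: treat as absent
            values[(hive, subkey, name)] = None
    return values


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live audit needs Windows; audit() can still be run on captured values")
    live = read_live_values()
    for finding in audit(live) or ["no VIRUS ALERT! artifacts found"]:
        print(finding)
    backup_id = recoverable_product_id(live)
    if backup_id:
        print("ProductId can be restored from the backup copy:", backup_id)
```

Run it as the affected user (the sTimeFormat and policy values live under HKEY_CURRENT_USER), and treat an empty result as a check on the cleanup, not proof the infection is gone: as the post's second note says, an active infection rewrites these values again.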


Thanks, I'm about to do what you instructed. Before I ran both of my anti-spyware programs my PC was going crazy with "system alert" pop-ups and a lot of fake "you're infected" pop-ups, and my PC was going extremely slow. But since I ran both of my anti-spyware programs everything as far as the crazy stuff is gone, and my PC is moving much faster. I was assuming that the VIRUS ALERT! and not being able to see "All Programs" and my C drive were just "side effects" of what the spyware did while it was on my PC. So as long as the VIRUS ALERT! thing is there and I can't access my C drive or see "All Programs" in the Start menu, that means the spyware is still there??? I just need that clarified. Thanks for the help.

EDIT: My "Run" feature is not there and I'm positive my PC isn't infected anymore; it's just the VIRUS ALERT! and the missing things from my Start menu.


Comlor, I think what you are telling me to do is my solution. I have a few questions and/or problems:

1. My "Run" feature is gone.
2. If I were to somehow get "Run" back and then do what you're saying, does that restore "All Programs" to my Start menu?
3. You said download "this" zipfile but nothing's there.


Comlor, I think what you are telling me to do is my solution. I have a few questions and/or problems:

1. My "Run" feature is gone.
2. If I were to somehow get "Run" back and then do what you're saying, does that restore "All Programs" to my Start menu?
3. You said download "this" zipfile but nothing's there.

OK, getting everything back into your Start menu is a different situation.

My apologies if I overlooked that before.

I have seen this a lot recently.

Just right-click on your Start menu and go to Properties.
Go to Customize and you will have a list of all the items in your Start menu: Run command, Favorites, My Computer and such. Just change everything you want back to "Link" or "Display in Start menu", click Apply and OK, and you should have everything back.


furyboy38109, I promise you this infection is not gone from your computer. As long as that Virus Alert is sitting there that means the infection is still there.
What you have IS the Antivirus 2009 infection.
The recommended solution is to do as I have stated in my original post to you above in Post #2.
You need to run those steps before doing anything else.
Once you have done those steps, THEN is the time to try anything else, but generally this Virus Alert notification will also be gone. This has been removed on several threads here in this forum using the steps I outlined above.
Judy
P.S. Once you have run those steps then post back with the MBA-M log and also a HJT log. If you had this infection there is a good possibility that you have others. By seeing a HJT log we may be able to give you the finishing clean up.


Here it is.

Attachment:
Malwarebytes' Anti-Malware 1.28
Database version: 1235
Windows 5.1.2600 Service Pack 2

10/6/2008 5:54:26 PM
mbam-log-2008-10-06 (17-54-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 39464
Time elapsed: 54 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rxoyhynw.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5A8D322F-A8C2-6EAE-79C6-02C079A1D443} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\uprppchk.uprppchk.1 (Rogue.Privacy.Protector) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{936301de-ed09-4540-9daf-0c8443a7f334} (Rogue.Privacy.Protector) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{abcd4567-d8e8-4df1-a3ea-d0aa72f42622} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ebf4b37a-6262-40a8-aad6-3a36b08ae98b} (Rogue.Privacy.Protector) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f0e4888b-938d-43e9-8444-787e2ffc178b} (Rogue.Privacy.Protector) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac8c6ac6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\actmonmnt (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\amgjsrrn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nrrsjgma.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rxoyhynw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wnyhyoxr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wlxmmjjo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojjmmxlw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\onjjvyc\actmonmnt.dll (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP214\A0035817.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0038877.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0039899.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0039920.cpl (Rogue.MicroAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0039922.cpl (Rogue.MicroAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0039936.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0039965.cpl (Rogue.MicroAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0040008.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0040012.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP217\A0041117.cpl (Rogue.MicroAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP217\A0041113.cpl (Rogue.MicroAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP218\A0042123.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP218\A0043127.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP218\A0043128.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP218\A0043129.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043421.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043422.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043423.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043424.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043425.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043426.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043427.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043428.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043429.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043431.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP219\A0043430.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\evqb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Hi furyboy38109,
As you can see from your MBA-M log, there were 44 infected items on the computer that you were positive was clean.
I still have not seen a HiJackThis log. This must also be posted to see what else may remain. There is NO guarantee that this was the only infection on the computer. We have no idea what your anti-virus program is, what other security items you have running OR even how they are running unless we FIRST see this HiJackThis log.
The fix I noted for you is the current and most up-to-date recommendation for removal of this infection. It is noted on NUMEROUS reputable and legitimate websites dealing with malware removal. You WILL find other not-so-reputable removal instructions on other websites. There is NO mention anywhere of registry editing to remove this on these reputable sites, so I hope you have not continued on to that path without first knowing what else may be on the computer.
If your C drive is still inaccessible or your "Run" option still does not appear in your Start menu then there are ways this can also be fixed, usually without walking through the registry and making changes.
If you will note, the FakeAlert items were all found in the System Restore, meaning yes, some were removed earlier, BUT what remained were some key files of the Vundo trojan, which were removed with this run of MBA-M. Now either these were NOT there on the first run of the program, meaning it is a new infection which shows your computer is not secure, OR there was something running at the time which prevented the removal of all of the Vundo on the first run.
There is no way we can tell because no logs were posted the first time. But we DO need to see that HiJackThis log now.
Judy

P.S. When you post a log please Copy/Paste it and do not attach it. When you attach a log this means that helpers must download and open a file which may have come from an infected computer. Please Copy/Paste from now on.
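The kind of triage a helper does on a pasted MBA-M log, written up as an added example (not part of the thread and not a Malwarebytes tool): it parses the per-section detection lines in the format of the log above, cross-checks them against the "X Infected: N" summary counts (a truncated paste shows up as a mismatch), and pulls out the two things worth reading first: items still marked "Delete on reboot", which were not removed yet when the log was written, and hits that live only in System Restore points. The embedded log is a constructed, abridged sample modelled on the posted one, not the real log; the regular expressions are assumptions about the format based on the lines shown on this page.

```python
"""Triage of a Malwarebytes' Anti-Malware log in the format posted above.

Added example, not part of the thread.  Parses the per-section item lines,
cross-checks them against the summary counts, and reports what a helper
looks at first: items pending a reboot and hits inside System Restore.
"""
import re
from collections import Counter

# Constructed sample modelled on the posted log (abridged; not the real log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.28
Database version: 1235

Scan type: Full Scan (C:\|)
Objects scanned: 39464

Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 4

Memory Modules Infected:
C:\WINDOWS\system32\rxoyhynw.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac8c6ac6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\rxoyhynw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\onjjvyc\actmonmnt.dll (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{16D3000A-9618-456B-89CF-E321774E4FF3}\RP216\A0039936.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\evqb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Assumed line shapes, taken from the log as posted.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DECLARED_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
RESTORE_DIR = "\\System Volume Information\\"


def parse_mbam_log(text):
    """Return one dict per detection: section, target, family, action."""
    items, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group("section")
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
    return items


def declared_counts(text):
    """The 'X Infected: N' summary lines near the top of the log."""
    matches = (DECLARED_RE.match(raw.strip()) for raw in text.splitlines())
    return {m.group("section"): int(m.group("count")) for m in matches if m}


def count_mismatches(text, items):
    """Sections whose declared count differs from the items actually listed,
    as {section: (declared, listed)}; empty when the paste is complete."""
    listed = Counter(i["section"] for i in items)
    return {s: (n, listed[s]) for s, n in declared_counts(text).items() if listed[s] != n}


def summarize(items):
    return {
        "total": len(items),
        "by_family": Counter(i["family"] for i in items),
        # the same path can appear as a memory module and again as a file
        "pending_reboot": sorted({i["target"] for i in items
                                  if i["action"].lower().startswith("delete on reboot")}),
        "in_restore_points": sum(RESTORE_DIR in i["target"] for i in items),
    }


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    print("count mismatches:", count_mismatches(SAMPLE_LOG, found))
```

Restore-point hits (the `_restore{...}\RPnnn` paths) are copies the system made of files that were already on disk earlier, so a log whose only hits are in System Volume Information points at an old infection rather than an active one; a "Delete on reboot" entry means the file was still loaded when the scan ran, which is why the thread's advice to reboot before taking the next log matters.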
