
Warning! S Detected On Your Computer.............help!!!

Discussion in 'Windows - Virus and spyware problems' started by blueduke, Jun 18, 2008.

  1. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    "flush system restore"
    This should be one of the Last things you do, after your Computer is Clean…

    Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    2OG
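
Added example, not part of the original post: the same create-then-purge sequence scripted for Windows PowerShell 5.1 in an elevated prompt on a current Windows release. The description text is a constructed placeholder, and the script refuses to delete anything unless the newest restore point is the one it just created.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run only after the machine scans clean.
$description = 'Clean baseline after malware removal'   # constructed placeholder name

# SRRemoveRestorePoint in SrClient.dll deletes one restore point by sequence number.
Add-Type -Namespace Win32 -Name SystemRestore -MemberDefinition @'
[DllImport("SrClient.dll")]
public static extern int SRRemoveRestorePoint(int dwRPNum);
'@

# Step 1: create the new restore point (the "Create a Restore Point" screen).
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# Step 2: confirm it exists. Checkpoint-Computer can return with only a warning
# (System Restore disabled, or a point already created recently), so verify
# before touching the older points.
$points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
if ($points.Count -eq 0) {
    throw 'No restore points found. Is System Restore enabled on the system drive?'
}
$newest = $points[-1]
if ($newest.Description -ne $description) {
    throw "Newest restore point is '$($newest.Description)', not the clean baseline. Nothing was deleted."
}

# Log line to keep, as the post advises, so the point is easy to find later.
'{0}  #{1}  {2}' -f $newest.ConvertToDateTime($newest.CreationTime),
                    $newest.SequenceNumber, $newest.Description

# Step 3: remove every older restore point (the Cleanmgr "More Options" clean-up).
foreach ($p in $points | Where-Object { $_.SequenceNumber -lt $newest.SequenceNumber }) {
    $rc = [Win32.SystemRestore]::SRRemoveRestorePoint([int]$p.SequenceNumber)
    if ($rc -eq 0) {
        "Removed #$($p.SequenceNumber)  $($p.Description)"
    } else {
        Write-Warning "Could not remove #$($p.SequenceNumber) (error $rc)"
    }
}
```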
     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey blueduke.

    I have done some very interesting research, and I believe that I know what we are dealing with. The picture which I told you to find is the picture which posed as the message: Warning!.... Clean your Computer. I am led to believe that this malware is not as easy as we thought, and comes off a variant of virtumundo. As for your clock problem, we'll have to deal with it after the cleanup, like your system restore flush, which you should do after your system is clean, just like 2oldgeek said.

    Please do all the following steps in safe mode if possible, and also do them in order.

    1. Please download Virtumundobegone, run it, and post the log here.

    2. Go to C:\Windows\Temp, and post a list of all the files there. If there are too many files, take a screenshot.

    3. Search in regedit for "Antispyware". List the results.

    4. Download Spybot, update it, and run it. Remove all results, while making sure that it is backed up. For instructions on how to post a log, see here: http://forums.spybot.info/showthread.php?t=2973

    5. Download Deckard's System Scanner, and post a log here.

    6. In other cases, I have noted that when you right-click on your desktop (in normal mode) to show Display Properties, the Desktop tab isn't there. If this is the case for you, download the reg file here ( http://www.kellys-korner-xp.com/regs_edits/desktoptab.reg ) and run it. Please do this in normal mode.


    Best Regards :D

    PS: How about the virustotal.com scans I told you to do?
     
    Last edited: Jun 23, 2008
  3. 2oldGeek

    2oldGeek Active member

    Hey blueduke,

    If you can’t find it,
    Here is the download link for VirtumundoBeGone >>> HERE
     
  4. blueduke

    blueduke Member

    Joined:
    Jul 4, 2007
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    16
    Here's what i have for you guys so far.............

    Virtumundobegone log file:

    Searched regedit files and this is what I've found (tried saving this to desktop, wordpad, notepad, etc and couldn't. I'm not very computer savvy). I don't know how to make a screen shot. If you can walk me through it I'll do it

    going to download Spybot now

    Incidentally, couldn't do this in safe mode. For some reason I can't connect to the internet in safe mode

    EDIT: started to install Spybot and it told me to uninstall Adaware 2008, which I did. I have an important question that I need an answer for ASAP: while running the setup for S&D, a box came up that says "S&D has detected an important registry entry that has been changed "Category: Session Manager Changed: Value Changed Entry:BootExecute Old Data: Isdelete\ New Data: (this is blank). Then it asks if I want to allow the change. Should I??? I'm not doing anything else until I know this as I'm afraid I'll mess something up

    EDIT: Figured out how to take a screenshot. saved them in My Pictures but don't know how to post them in this message

    [​IMG][​IMG]

    [​IMG]

    now I do!!! Learn something everyday I guess
     
    Last edited: Jun 23, 2008
  5. blueduke

    blueduke Member

    Thus far I've downloaded Virtumundobegone and posted the log. Now here's the c:\windows\temp files you wanted:

    [​IMG]

    Repost the search of the Registry Editor:

    [​IMG]

    Haven't fully installed Spybot as I got this message and am not sure I should advance until I get confirmation it's okay:

    [​IMG]

    Now going to download Deckard's Scanner and will post a log but it might be futile considering Spybot isn't fully installed

    Log from Deckard's System Scanner:

    What next, fellas?
     
    Last edited: Jun 23, 2008
  6. blueduke

    blueduke Member

    Don't forget to tell me how to get the time clock changed from military time to regular time
     
    Last edited: Jun 23, 2008
  7. 2oldGeek

    2oldGeek Active member

    Hey blueduke,
    I’m gonna let cdavfrew finish what he started with Deckard, etc. He knows more about his plan than I do at this point……….
    As far as your clock:

    To change the way your computer displays the time:

    Open Regional and Language Options, click Start, click Control Panel, and then double-click Regional and Language Options.
    On the Regional Options tab, under Standards and formats, click Customize.

    In Time format (drop-down box), select a format using lowercase h for 12 hour time or uppercase H for 24 hour time.


    2OG
     
  8. blueduke

    blueduke Member

    Thanks. Both you guys have been a huge help to me
     
    Last edited: Jun 24, 2008
  9. cdavfrew

    cdavfrew Regular member

    Sorry 2oldgeek, for kicking you out of this unintentionally. Hope you won't mind. :)

    Hey blueduke

    It seems that after these final steps, you should be totally clean. Don't worry: it seems that you only got infected by one rogue antispyware, and it was pretty much destroyed by Adaware during your first scan. All that was left were traces and hidden settings.

    Don't worry about Spybot anymore. You can uninstall it if you want to.

    Boot into safe mode. Delete these registry entries from the place you took the screenshot.

    antispyware
    c:\windows\system32\phclrej0cp6p.bmp
    c:\windows\system32\phclrej0cp6p.bmp
    phclrej0cp6p.bmp
    divicodec

    Also delete this entry:

    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware

    If deleting this entry results in problems again, please use a startup manager like those posted on this page: http://www.download.com/3120-20_4.html?qt=startup+manager&tag=srch&tg=dl-20
    Use this startup manager to disable the Antispyware entry.

    After that, you should be clean!

    Best Regards :D
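
Added example, not part of the original post: a read-only PowerShell sweep that reports where the strings listed above still appear, so the deletions can be confirmed afterwards. `Find-RegistryString` is a hypothetical helper name; the msconfig key comes from the post, while the Run keys and `Control Panel\Desktop` are assumed locations, since the post only points at a screenshot.

```powershell
# Added example (not from the thread). Reads the registry only; changes nothing.
$needles = 'antispyware', 'phclrej0cp6p.bmp', 'divicodec'   # strings named in the post

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',  # key named in the post
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',        # assumption: common autostart key
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',        # assumption: per-user autostart key
    'HKCU:\Control Panel\Desktop'                                 # assumption: wallpaper settings
)

function Find-RegistryString {
    param([string[]]$Root, [string[]]$Needle)

    # One case-insensitive pattern; Escape keeps the '.' in the file name literal.
    $pattern = ($Needle | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }   # key already gone
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            # Match on the key name itself (for example ...\startupreg\AntiSpyware).
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            # Match on value names and on value data.
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                }
            }
        }
    }
}

$hits = @(Find-RegistryString -Root $roots -Needle $needles)
if ($hits.Count -eq 0) {
    'No matching keys or values under the checked locations.'
} else {
    $hits | Format-List
}
```

An empty result covers only the locations listed in `$roots`; it is not a full-registry search like the regedit Find in step 3 of the earlier post.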

     
  10. 2oldGeek

    2oldGeek Active member

    Hey, hey, cdavfrew, you didn’t kick me out, I simply relinquished my spot….. LOL

    It’s been a couple of years since I’ve worked with malware and I’m behind the times….
    I have all the computers that I deal with BLOCKED and don’t have the chance to get experience with removing Bad guys anymore. That’s why I got back on here. To have a little FUN…………. :)

    2OG
     
  11. cdavfrew

    cdavfrew Regular member

    Haha... ok, if you say so, 2oldgeek.

    Now is as good a time as any to learn how to fight malware again! Newer tools, newer malware, it is indeed a great game! I have fun too!

    Cheers! :)
     
  12. blueduke

    blueduke Member

    Thanks for your help. Have one quick question: the HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiSpyware entry....where do I delete it from? Hijack this? Another thing.... on the infected computer (I've been using a different one when conversing with you guys) pop up ads are starting to come up. Thing is they're popping up in IE. I've been using Mozilla Firefox exclusively but a friend had used IE. I take it deleting the above entries will take care of it? The ads are for Best Buy and places like that though
     
  13. cdavfrew

    cdavfrew Regular member

    Hi blueduke.

    Delete the registry entry using regedit, not HijackThis.

    No, deleting those entries will probably not solve your popup problem. Please note that pop ups can either be part of spyware, or could be a website or ISP problem.

    If this is spyware, it means that there is still spyware on your system that we do not know about. If you still have Superantispyware and A-squared, do a scan with both of them in safe mode and post the scan log. Quarantine all detected items found by Superantispyware, but ignore A-squared's detected items.

    Also, please be reminded of the fact that the spyware is disguised as something we view as harmless. The only two programs I can think of on your system are Kiwee Toolbar and ErrorSmart.

    Can you rule this out as an ISP problem? Also, go to IE, Tools, Manage Add-ons, Enable and Disable Add-ons. Either post a screenshot of all your add-ons, or list them one by one.

    Best Regards :D

    PS: Shouldn't your google, yahoo, and kiwee toolbars block popups?

    Edit: Please also remove ErrorSmart and RegistrySmart off your system. It seems that they are indeed bad programs, as indicated by Spybot and A-squared.
     
    Last edited: Jun 24, 2008
  14. blueduke

    blueduke Member

    Should I still make a new restore point for sys restore?
     
  15. blueduke

    blueduke Member

    Latest spyware scan:

    [​IMG]

    [​IMG]

    Quarantined them
     
    Last edited: Jun 24, 2008
  16. blueduke

    blueduke Member

    Uh oh...........removed SuperAntiSpyware from the computer. A box appeared wanting to know if I wanted to remove the spy logs and quarantined items and I clicked "no". Did I just do something outrageously stupid? Few more questions.........should I set a new system restore point? If so any suggested day and time to set it to? Also, when you quarantine a file should you delete it as well?
     
    Last edited: Jun 24, 2008
  17. cdavfrew

    cdavfrew Regular member

    Hi blueduke.

    No, you did not do something dumb. When you clicked "no", it means that those files are still isolated in quarantine, and anytime you reinstall Superantispyware, the files will be there for you to have the option of restoring them.

    Yes, set a new restore point. Just disable system restore, and then reenable it. That will do the trick.

    You should be good by now. If you have any more problems, just post them. Also, please consider cleaning up your computer by using tools such as ATF Cleaner and Advanced Windowscare.

    Best Regards :D
     
  18. FredBun

    FredBun Active member

    Joined:
    Nov 27, 2003
    Messages:
    940
    Likes Received:
    0
    Trophy Points:
    66
    Great advice on this thread, learned much myself also.
     
