[waynestep]

I recently noticed a yellow warning triangle and pop-ups advising that my computer was infected with spyware. When clicking the pop-up it took me to some sites trying to sell anti-virus etc. I then noticed that i couldn't access my control panel or my task manger - I got warnings "this operation has been cancelled due to restrictions on this computer. please contact administrator....". I am the administrator.

I tried getting rid of it by smitfraud, which did identify some hi-jacking and appeared to get rid of the yellow triangle and I could access the control panel...until the next day, when triangle came back and no access to control panel again.

I downloaded various anti-virus and have got rid of yellow triangle (spybot and a-squared) and lots of other nasties, but I cannot access the control panel. I've tried running "control.exe" and I still get the "operation cancelled" messsage. I tried ssytem restore and it won't do it, telling me nothing has changed!!!

Please help me someone. I've attached the last smitfraud log and clean up if that helps anyone.

regards

Wayne

[evilfantasy]

Welcome to TCF.
Lets start here.

Go into add/remove programs and see if anything you know shouldn't be there has been installed that you can un-install. Like toolbars.

Download HijackThis Here
Once you have it downloaded install/save it to it's own folder!!! This is important for it to work properly.
For example save in C:\program files\hijackthis
You can then create a shortcut on the desktop.
Once installed open the program and select Do a system scan and save logfile.
**Important DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Save the log as a .txt file.
In the next post click Go Advanced.
Scroll down and click Manage Attachments and add the log as an attachment.

After seeing the HJT log we can go from there.

[evilfantasy]

I spoke too soon.
If you can not get to control panel just run the HJT scan please.
Also what was the name of the stuff Spybot could not fix?

[waynestep]

Hi,

I've attached the log file for hijack this. Not sure what you meant by "go advanced"? I don't think there was any file that spybot couldn't deal with.

Thanks for your interest and help. I am going to bed now, it is 02.15 in UK and I'm at work tomorrow early, this problem has driven me crazy enough tonight.

Wayne

[evilfantasy]

You have multiple anti-malware/spyware and anti-virus running.
Are these trial versions or paid? If trial versions then un-install them. They conflict with each other.
If you need advice on good free programs then let us know and we will get you set up.
You should only run one Antivirus, one firewall and maybe 2 spyware blockers. All can be had for free.
You can have multiple scanners but the real time protection is un-necessary and usually take up too much resorces for what they do. Spyware blockers are better.

Go here http://www.java.com and update your Java.

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources. Open HJT and select Do A System Scan Only.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
(Description: ADSL modem monitor from Eicon Networks (as used by BT for its Broadband internet service for example). Can safely be disabled without affecting the connection - all this does is give an indication of connectivity and access to the diagnostic facilities. Removing this entry will free up some system resources.)
O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
(Description: AOL system tray icon. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV0 2.EXE
(Description: EPSON Status Monitor 3 is a utility program that monitors your printer and gives you information about its current status, including the amount of remaining toner. If a print error occurs, the Status Monitor also provides you with a message describing the error. You can access EPSON Status Monitor 3 from your printer driver. Removing this will free up some system resources.)
**Important** Close all browser windows including this one before clicking Fix Checked.

Then run CCleaner. Use the default options.
If you do not have CCleaner please install it. Here
Once CCleaner is open use the default options and click Analyze and it will show a log of what will be removed. Next click Run Cleaner to remove everything.
Next on the upper left of CCleaner select the Issues tab.
Click Scan For Issues. Then click Fix selected issues.
It will prompt you to make a backup. For the first run I would suggest doing so.

Then re-boot your computer and begin the steps in my next post.

[evilfantasy]

Run this online scanKaspersky
When the scan is finished Save the results from the scan!
Please save it as a text file.
In the next post click Go Advanced.
Scroll down and click Manage Attachments and add the log as an attachment.

[Hybr!d]

Pretty sure this is a smitfraud virus, spybot and the rest won't fix it.

http://www.thecomputerforums.co.uk/f...dfix-exe-5469/

[evilfantasy]

Yes he ran the fix and it came right back.
After I see the online scan report I am sure we will be running it again.

[Hybr!d]

The fix needs to be run in safe mode.

[waynestep]

Hi,

Thanks for your help so far.

I've done everything you suggested but when I came to carry out the on-line scan for Kasperski it failed to download, and this message indicated reason for failure "You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level." Presumably this is because the virus has hijacked the security settings!!

Where do I go next?

Regards

Wayne