# "Your computer is infected!" pop-up



## llopez704 (Mar 16, 2008)

I keep getting a pop-up in my system tray that says "Your computer is infected! Windows has detected spyware infection!" The red circle with an X sits in my tray. I can no longer run HiJack This, not even in Safe Mode, so I cannot post that log. I have searched various forums to find a KillBox.exe and a ComboFix.exe; neither of which will run.

I have run a registry cleaner, which was able to clean up various .dlls and keys. I have run a scan from TrendMicro's website, which cleaned up a trojan, some adware, and some ActiveX controls. I ran Microsoft's Malware tool, which found nothing.

Any ideas on how to rid my system?!?!?!?!?!?!


----------



## Byteman (Jan 24, 2002)

Hi,

http://www.radiosplace.com/

On your left side, in the blue list menu, Hijackthis.exe

We can try this older standalone version of Hijackthis, to use to see a log until we can get the new one to run:

this is a standalone .exe> as soon as you get it downloaded, *rename hijackthis.exe to tool.exe and try to get the log for us...it will work the same way.* Don't open it, make sure you download it onto your desktop and then, double click tool.exe or whatever you rename it to, select Scan and Save a log, and copy and Paste the log into a reply here.


----------



## stylez79 (Mar 16, 2008)

{Edited by Moderator}-Hi stylez79>> I have removed what you posted here.

I'm sorry but our site has a Rule that no one may assist with removing/ cleaning malware unless qualified with TSG forum permission. There are specific removal tools we use for this infection, they are the best way to attack this. I am posting the Rule here, so you have it as a guide-

Also, we have all the tools, with download links, available here:

http://forums.techguy.org/general-security/603629-security-help-tools.html

And, throughout the security sections, there are links to just about every removal tool and protective or cleaning tool known. We have had to put restrictions in place, about malware removal, due to the newer infections that require cleaning with advanced special tools- that's one additional reason. These tools carry some special directions, and we also recommend that they only be used with our help.



TSG said:


> Only members who are deemed qualified to remove malware may post to security related threads. These members can be easily recognized by a gold shield
> 
> 
> 
> ...


----------



## Byteman (Jan 24, 2002)

Hi llopez704 

Have you been able to get Hijackthis to run?

Please try what I have in my reply and post the log if you do.


----------



## Cookiegal (Aug 27, 2003)

{Edited by Moderator} said:


> -Hi stylez79>> I have removed what you posted here.
> 
> I'm sorry but our site has a Rule that no one may assist with removing/ cleaning malware unless qualified with TSG forum permission. There are specific removal tools we use for this infection, they are the best way to attack this. I am posting the Rule here, so you have it as a guide-
> 
> ...


Just wanted to be sure you saw this. To elaborate, while it's fine to have the link to your site in your signature, we like to see that people are here to help others and not solely for the purpose of gaining exposure and more traffic for their own sites.


----------



## Byteman (Jan 24, 2002)

Byteman said:


> Hi llopez704
> 
> Have you been able to get Hijackthis to run?
> 
> Please try what I have in my reply and post the log if you do.


----------



## Compaq__ (Mar 18, 2008)

This could be caused by the messenger service in Windows. If you run Windows Update and get all of the latest security patches, this should stop. It's basically just "Instant Messenger SPAM" that is broadcast out across the net. Good possibility this is the problem.

Load those security patches. I see this all the time.


----------



## Byteman (Jan 24, 2002)

Hi Compaq__
This infection is well-known, and is the SmitFraud, or Privacy-Danger, fake alert, we have been dealing with this for a very long time...

The poster cannot execute any files.... he may not be able to even post a Hijackthis log, but I am having them try. Most likely, he will not be able to install patches.... I would have them try some of the removal tools for it, but probably they won't run, either...

I would like to see a Hijackthis log, first though....

Also> this site has a Rule about who may post advice when dealing with malware cleaning....this thread obviously is. You may not have seen the Rules section, so here it is:



TSG said:


> Only members who are deemed qualified to remove malware may post to security related threads. These members can be easily recognized by a gold shield
> 
> 
> 
> ...


----------



## Compaq__ (Mar 18, 2008)

Saw it. LOL Yes, very familiar with this type of issue. Didn't see him say he can't run executables. From his description sure looks like the old messenger service spam...no tools required to fix that. Just runnin those security patches...
That's my observation...not advice.


----------



## Byteman (Jan 24, 2002)

Hi Compaq- No, this isn't Messenger spam, though that does give popups. This is an infection, part of the trojan Zlob or Smitfraud family, of which there are quite a few variants.

One of the symptoms is the red X in the system tray, as well as a large notice on your screen proclaiming its bogus message.

Here is a page about this very similar family:

*http://www.dslreports.com/faq/seclean?text=1* (scroll down to where it has "Screenshots of Desktop Hijack" for good examples of this trojan)

*http://fix-slow-computer.com/index.php?s=delete*

*http://www.wilderssecurity.com/showthread.php?t=75890* screenshot of one type

*http://www.smokey-services.eu/forum/viewtopic.php?t=2035*

About not being able to run executables: Seems it is mostly, *antimalware tools that will not run*- and actually, we see quite a few of these infections that can disable Hijackthis, plus other security programs.....perhaps not ALL executables, my mistake there... There are some things we can have them try, that will let them post a Hijackthis log, and run tools.

Still, you are not authorized to post removal advice here at TSG- this person has to clear up this infection before being sent off to do a lot of Windows Updates....

See the Quoted information for directions to try and become qualified here at this forum, if you would like to help with malware cleaning.

You will see from the links I posted, that the infection is this type...



llopez704 said:


> I keep getting a pop-up in my system tray that says "Your computer is infected! Windows has detected spyware infection!" The red circle with an X sits in my tray. *I can no longer run HiJack This, not even in Safe Mode, so I cannot post that log. I have searched various forums to find a KillBox.exe and a ComboFix.exe; neither of which will run.*
> 
> I have run a registry cleaner, which was able to clean up various .dlls and keys. I have run a scan from TrendMicro's website, which cleaned up a trojan, some adware, and some ActiveX controls. I ran Microsoft's Malware tool, which found nothing.
> 
> Any ideas on how to rid my system?!?!?!?!?!?!


----------



## Byteman (Jan 24, 2002)

Hi llopez704

Please ignore the posts between Compaq_ and myself and try what I have below:

Hi,

http://www.radiosplace.com/

On your left side, in the blue list menu, Hijackthis.exe

We can try this older standalone version of Hijackthis, to use to see a log until we can get the new one to run:

this is a standalone .exe> as soon as you get it downloaded, rename hijackthis.exe to tool.exe and try to get the log for us...it will work the same way. Don't open it, make sure you download it onto your desktop and then, double click tool.exe or whatever you rename it to, select Scan and Save a log, and copy and Paste the log into a reply here.

If that does not work for you: First, *delete any copies of ComboFix.exe you have now*



> NOTE>>!Very important!! I want you to rename Combofix.exe as you download it to a name of your choice such as ben.exe. It is very important that you save the newly renamed EXE file to your desktop, so it appears right on your screen area.
> 
> *****Download link is below, read all of this, before you attempt to download or use ComboFix!!*****
> 
> ...


Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop***

Once you have the renamed ComboFix file on the desktop:

*It's important that you do turn off the protective programs such as antivirus, and the ones mentioned in the link below, so do go there and act on that advice!*

*Please read all through the info so you know what will be done.*
Here are directions etc but I also have them below:
*http://www.bleepingcomputer.com/combofix/how-to-use-combofix*

*There is a Printable Version* button up under the Thread Tools drop down menu that will let you print a nice text version of these instructions. 
*Alternate way to save directions:* Open Notepad> Copy and Paste any text you wish into Notepad, and Save the file as something you will recognize like TSGhelp.txt and save it onto your desktop.
Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know.


Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combofix.exe* & follow the prompts.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt"* in your next reply. *And, after you are done posting the log from ComboFix....run Hijackthis again, Scan and Save a Log....post the brand new log*
***Note: Do not mouseclick combofix's window while it's running. That may cause it to stall***


----------

