Used SB S&D and got worse



greenalfonzo
2008-06-26, 03:40
Hello,

Yesterday I found I had a "You are infected!" warning box start appearing at startup and shutdown for a few seconds. I have XP and run ZASS. After doing various scans and finding nothing, I was recommended to this product. After running, I now have the same warning permanently on my desktop and also receive "do you want to get rid of junkmail" pop-ups.

I feared I must have done something wrong during the process - here is my registry changes log below. Also, virtumonde and SpySheriff were detected and "fixed" by spybot, though the problem is worse than before.

Thank you for your assistance and direction.

6/25/2008 4:53:12 PM Allowed (based on user decision) value "SpybotDeletingB4555" (new data: "command /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup user entry!
6/25/2008 4:53:42 PM Allowed (based on user decision) value "SpybotDeletingD5252" (new data: "cmd /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup user entry!
6/25/2008 4:53:44 PM Allowed (based on user decision) value "SpybotDeletingA8821" (new data: "command /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup global entry!
6/25/2008 4:53:45 PM Allowed (based on user decision) value "SpybotDeletingC5682" (new data: "cmd /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup global entry!
6/25/2008 4:53:45 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
6/25/2008 4:53:46 PM Allowed (based on user decision) value "{E9BD0828-1FD9-410C-A50F-43EBE65D310F}" (new data: "") deleted in Browser Helper Object!
6/25/2008 4:53:47 PM Allowed (based on user decision) value "xxyxyyx" (new data: "") deleted in Winlogon Notifiers!
6/25/2008 5:54:38 PM Denied (based on user decision) value "SpybotDeletingB4555" (new data: "") deleted in System Startup user entry!
6/25/2008 5:54:41 PM Denied (based on user decision) value "SpybotDeletingD5252" (new data: "") deleted in System Startup user entry!
6/25/2008 5:54:42 PM Denied (based on user decision) value "SpybotDeletingA8821" (new data: "") deleted in System Startup global entry!
6/25/2008 5:54:42 PM Denied (based on user decision) value "SpybotDeletingC5682" (new data: "") deleted in System Startup global entry!
6/25/2008 5:54:49 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!

drragostea
2008-06-26, 04:07
6/25/2008 4:53:12 PM Allowed (based on user decision) value "SpybotDeletingB4555" (new data: "command /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup user entry!
6/25/2008 4:53:42 PM Allowed (based on user decision) value "SpybotDeletingD5252" (new data: "cmd /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup user entry!
6/25/2008 4:53:44 PM Allowed (based on user decision) value "SpybotDeletingA8821" (new data: "command /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup global entry!
6/25/2008 4:53:45 PM Allowed (based on user decision) value "SpybotDeletingC5682" (new data: "cmd /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup global entry!
6/25/2008 4:53:45 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
6/25/2008 4:53:46 PM Allowed (based on user decision) value "{E9BD0828-1FD9-410C-A50F-43EBE65D310F}" (new data: "") deleted in Browser Helper Object!
6/25/2008 4:53:47 PM Allowed (based on user decision) value "xxyxyyx" (new data: "") deleted in Winlogon Notifiers!
6/25/2008 5:54:38 PM Denied (based on user decision) value "SpybotDeletingB4555" (new data: "") deleted in System Startup user entry!
6/25/2008 5:54:41 PM Denied (based on user decision) value "SpybotDeletingD5252" (new data: "") deleted in System Startup user entry!
6/25/2008 5:54:42 PM Denied (based on user decision) value "SpybotDeletingA8821" (new data: "") deleted in System Startup global entry!
6/25/2008 5:54:42 PM Denied (based on user decision) value "SpybotDeletingC5682" (new data: "") deleted in System Startup global entry!
6/25/2008 5:54:49 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!

Apparently, you are NOT letting Spybot remove the infected files on reboot. This is because you are DENYING the change value.

No wait... Yes, once the remove file on reboot is done Spybot will remove itself from the start-up entry. Apparently, you are not letting Spybot do that.

Are you still experiencing any other problems? Download the latest updates for Spybot and run a full scan. Run it in SAFE MODE this time and remove it. If Spybot prompts you to reboot, then reboot.
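As an added illustration (not part of the thread), the Python below replays TeaTimer log lines the way drragostea reads them: only Allowed events change the registry, so a denied deletion leaves an earlier-added "SpybotDeleting..." Run value in place, and the script lists those leftovers with the file each one is trying to remove. The sample lines are copied from the first post; the line pattern is my own reading of the format shown there, not Spybot's documented one.

```python
import re

# Constructed sample: five of the TeaTimer lines quoted in the first post above.
SAMPLE_LOG = r'''
6/25/2008 4:53:12 PM Allowed (based on user decision) value "SpybotDeletingB4555" (new data: "command /c del "C:\WINDOWS\wt\webdriver.dll"") added in System Startup user entry!
6/25/2008 4:53:45 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
6/25/2008 4:53:46 PM Allowed (based on user decision) value "{E9BD0828-1FD9-410C-A50F-43EBE65D310F}" (new data: "") deleted in Browser Helper Object!
6/25/2008 5:54:38 PM Denied (based on user decision) value "SpybotDeletingB4555" (new data: "") deleted in System Startup user entry!
6/25/2008 5:54:49 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
'''

# One TeaTimer line: timestamp, decision, basis, value name, new data, action, location (assumed format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ [AP]M) (?P<decision>Allowed|Denied) \(based on (?P<basis>[^)]*)\) value '
    r'"(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) (?P<action>added|deleted) in (?P<location>.+)!$'
)
# Shape of the helper values Spybot plants to delete a locked file at the next logon.
PENDING_DELETE = re.compile(r'^(cmd|command)(\.exe)? /c del ', re.IGNORECASE)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def replay(log_text):
    """Replay decisions in order; only Allowed events touch the registry, so a Denied
    'deleted' leaves an earlier added value in place. Returns (location, name) -> state."""
    state = {}
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        entry = state.setdefault((ev['location'], ev['name']), {'present': None, 'data': ''})
        if ev['decision'] == 'Denied':
            continue
        if ev['action'] == 'added':
            entry.update(present=True, data=ev['data'])
        else:
            entry['present'] = False
    return state

def delete_target(data):
    """Path that a 'cmd /c del ...' helper value is trying to remove."""
    m = re.search(r'del\s+"?([^"]+?)"?\s*$', data)
    return m.group(1) if m else None

def report(log_text):
    """What the session actually changed, and which delete helpers are still in the Run keys."""
    state = replay(log_text)
    removed = [f'{loc}: {name}' for (loc, name), e in state.items() if e['present'] is False]
    leftovers = [(loc, name, delete_target(e['data'])) for (loc, name), e in state.items()
                 if e['present'] and PENDING_DELETE.match(e['data'])]
    return {'removed': removed, 'leftover_helpers': leftovers}
```

A leftover helper is harmless on its own (it just re-runs `del` at each logon), but it tells you which file to check for and which value to let TeaTimer remove.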

greenalfonzo
2008-06-26, 20:17
Thank you for taking time to assist me. I have now run spybot in Safemode and it did not detect anything major. I have restarted my machine and the problem of the spyware warning persists. Could someone please let me know if my refusal of some registry changes is the cause of my continued problems, and, if so, how to correct it or allow them now? The program does not make it clear that these changes are recommended and part of the fix of the problem.

If anyone can give me further directions I would be very appreciative.

drragostea
2008-06-26, 21:01
Hm. Your description of the symptoms seems to resemble the SmitFraud trojan :P. It's more like those rogue pop-ups posing as legitimate Windows OS windows, correct?
-- In this case...
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
--

Also, the next time TeaTimer prompts about a startup entry of a "Spybotdeleting..." I would suggest you allow it, whether it's an added or deleted entry from the Startup Manager.
Good luck.