Which Files Should I Delete?



Scorpion
2006-03-27, 17:55
Hi,

I was on the Internet last night and I clicked on a link, and my antivirus said that it had detected a virus. There were various files that it was showing, but it couldn't delete the files, only 'heal' them. I ran the antivirus afterwards, and it found the files again and successfully deleted them.
But the next time I restarted my PC, in the bottom right of the screen was a red circle with an X in the center, saying "Your computer is infected! Windows has detected a spyware infection!"
I found out, after reading through various forums that it wasn't a genuine message from Windows, and someone said they got rid of that icon using the latest version of Spybot - Search & Destroy.


Spybot - Search & Destroy found some problems, that other programs didn't,
I have attached a screen shot of the results, but due to having to compress it, it may not be readable, so I have also uploaded a higher quality picture using Rapidshare, here's the link:

http://rapidshare.de/files/16551915/PCPS.GIF.html

My question is, which files are OK to delete?

Can someone please tell me, as I don't want to delete anything that may be important.

Hope someone can help.

Thanks

spybotsandra
2006-03-27, 18:07
Hello,

Please fix and delete Smitfraud.

About the Windows Security Center:

Since the Detections Update from July 25, 2005, Spybot - Search & Destroy 1.4 has been detecting Security Risks (renamed to "Windows Security Center" on July 30) associated with Microsoft Security Center Registry changes. This is neither a false positive nor a bug. It is just information.
Spybot-S&D only wants to bring to your attention that "someone" disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date. If you changed the settings yourself you can safely tell Spybot-S&D to exclude those detections from further scans.
In order to do so please right-click each in turn, then click "exclude this detection from future scans". That way, should any other part of security center settings change, Spybot-S&D will still detect those.
The same is true if you have another security solution installed (like McAfee Security Center or Norton Internet Security). These programs do also disable the Windows Security Center in order to take care of things themselves.
The reason why the changes are flagged by Spybot-S&D is that there are also malware programs that disable the notifications so the user doesn't take note of his security tools not being effective.

Some more information is also available in our forum:
http://forums.spybot.info/showthread.php?t=87

Best regards
Sandra
Team Spybot

md usa spybot fan
2006-03-27, 18:10
Please post the actual log of the detections. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste those results to a new post in this thread.
Thanks

Scorpion
2006-03-27, 18:26
Thanks for the advice Sandra!

md usa spybot fan, here are the results:

Smitfraud-C.: Autorun settings (Windows installer) (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1993962763-1343024091-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer

Smitfraud-C.: Program file (File, nothing done)
C:\winstall.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\tool2.exe

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-26 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-24 Includes\Cookies.sbi (*)
2006-03-24 Includes\Dialer.sbi (*)
2006-03-24 Includes\Hijackers.sbi (*)
2006-03-24 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-03-24 Includes\Malware.sbi (*)
2006-03-24 Includes\PUPS.sbi (*)
2006-03-24 Includes\Revision.sbi (*)
2006-03-24 Includes\Security.sbi (*)
2006-03-24 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-03-24 Includes\Trojans.sbi (*)

Thanks

md usa spybot fan
2006-03-27, 18:54
re: The following detections:


Smitfraud-C.: Autorun settings (Windows installer) (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1993962763-1343024091-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer

Smitfraud-C.: Program file (File, nothing done)
C:\winstall.exe

Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\tool2.exe

Fix them!

re: The following detections:


Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

If you go into Start > Control Panel > Security Center > Resources (on the left hand side of the window – expand if necessary) > click "Change the way Security Center alerts me". This brings up an "Alert Setting" window.

There are three possible alerts:
Firewall
Alert me if my computer might be at risk because of my firewall settings
Automatic Updates
Alert me if my computer might be at risk because of my Automatic Updates settings
Virus Protection
Alert me if my computer might be at risk because of my virus protection software settings

I believe that you will find that all three items are unchecked.

What firewall and anti-virus are you running?

As spybotsandra (http://forums.spybot.info/member.php?find=lastposter&t=3286) indicated, Norton Internet Security and McAfee SecurityCenter (if you set it as the default Security Center) will turn off the first and third alerts (Firewall and Virus Protection). However, the Automatic Updates alert being off concerns me unless you intentionally turned it off. Fix this item:
Windows Security Center.UpdateDisableNotify

Unless you are running Norton Internet Security or McAfee SecurityCenter, I suggest that you also fix these detections and see if they return after the next time you re-boot your system:
Windows Security Center.FirewallDisableNotify
Windows Security Center.AntiVirusDisableNotify
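
An added example, not part of any post in this thread and not Spybot's own code: a Python sketch that parses a pasted Spybot-S&D results list like the one above and applies the advice given in the replies (fix Smitfraud and the Automatic Updates alert; exclude the firewall and antivirus alerts only when a third-party suite manages them). The function names, the `third_party_suite` flag and the reading of `!=dword:0` as "value differs from the expected 0" are assumptions.

```python
import re

# The detections posted in this thread, embedded so the script runs offline.
SAMPLE_LOG = r"""Smitfraud-C.: Autorun settings (Windows installer) (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1390067357-1993962763-1343024091-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows installer
Smitfraud-C.: Program file (File, nothing done)
C:\winstall.exe
Smitfraud-C.: Executable (File, nothing done)
C:\WINDOWS\tool2.exe
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
Windows Security Center.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
"""

HEADER = re.compile(r"^(?P<name>.+?): (?P<desc>.+) \((?P<kind>[^()]+), (?P<action>[^()]+)\)$")
# Alerts that a third-party suite legitimately turns off, per the replies above.
SUITE_MANAGED = {"FirewallDisableNotify", "AntiVirusDisableNotify"}

def parse(log):
    """Pair each detection header with the location line that follows it."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    found = []
    for i, line in enumerate(lines[:-1]):
        m = HEADER.match(line)
        if m and not HEADER.match(lines[i + 1]):
            # "path!=dword:0" is read here as: value differs from expected 0.
            path, _, expected = lines[i + 1].partition("!=")
            found.append({**m.groupdict(), "path": path, "expected": expected})
    return found

def triage(log, third_party_suite=False):
    """Return (detection name, 'fix' or 'exclude') following the thread's advice."""
    out = []
    for d in parse(log):
        family, _, setting = d["name"].partition(".")
        if family == "Windows Security Center":
            managed = third_party_suite and setting in SUITE_MANAGED
            out.append((d["name"], "exclude" if managed else "fix"))
        else:
            out.append((d["name"], "fix"))  # malware detection such as Smitfraud-C.
    return out

if __name__ == "__main__":
    for name, advice in triage(SAMPLE_LOG):
        print(f"{advice:8} {name}")
```
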

Scorpion
2006-03-28, 00:48
Thanks!

I fixed the problems, and it cleared the icon (red circle, with the X in the center).
The next time I restarted my PC, I had a genuine message from Windows' Security Center saying "Your computer may be at risk". It said that because my Windows Firewall was switched off.
When I tried to access the Firewall settings to switch it on, a message came up saying:

"Due to an unidentified problem, Windows cannot display Windows Firewall settings"

I found a page on the internet that had a solution to this problem, this is what it said:

Resolution
Download sharedaccess.reg (only for systems running Windows XP Service Pack 2) and save to Desktop. Then double-click the file to merge the contents to the registry. The Services entry will be created. Restart Windows (mandatory step, otherwise the following NETSH command will display an error message).

After restarting Windows, run this from Command Prompt (cmd.exe)

NETSH FIREWALL RESET

Launch firewall applet from Control Panel, and then configure your Windows Firewall settings.


Here's the link to the page: http://windowsxp.mvps.org/sharedaccess.htm


I have one last question. I downloaded sharedaccess.reg, double clicked it, and restarted my PC, and I can now access the Windows Firewall settings, and have now switched it on, but I didn't type NETSH FIREWALL RESET in the Command Prompt. Here's my question:

Is it necessary to type NETSH FIREWALL RESET in the Command Prompt, as I can now access the Windows Firewall settings?

Thanks

md usa spybot fan
2006-03-28, 01:09
I suggest that you post in the Malware Removal forum and get your system cleaned up. The Malware Removal forum is the forum on this site where volunteers familiar with malware removal assist people having problems like yours.

Follow the instructions here:
BEFORE you post a log, and who will advise you. START OWN TOPIC
http://forums.spybot.info/showthread.php?t=288
Then post in the following forum:
Malware Removal
http://forums.spybot.info/forumdisplay.php?f=22

Scorpion
2006-03-28, 02:23
I'll do that!

I'd like to thank you and spybotsandra again for helping me, I really appreciate it.

Thanks

Scorpion