#1
06-01-2008
Chris353
Bronze Member
Join Date: Jun 2008
Posts: 3
PC Experience: Experienced
Persistent System Error pop-up

Hi

I hope someone here can help me with this problem.
I have been getting a persistent System Error pop up message:
Your system is infected with dangerous virus!
Note: Strongly recommended to install antispyware program to clean your system and avoid total crash of your computer!
click OK to download the antispyware.(Recomended)

It happens mostly when surfing in IE but also sometimes when clicking on desktop icons.
I have run AVG antivirus, which has cleaned up a lot of stuff except for the popup.
With Google search it puts a link at the top which goes to a bogus antispyware site which tries to make me run an exe. Attached are the system scanner results.

Thanks
Chris
Attached Files
File Type: txt extra.txt (28.0 KB, 1 views)
File Type: txt main.txt (14.6 KB, 2 views)


#2
06-01-2008
chiaz
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 2,588
PC Experience: PC Guru
Re: Persistent System Error pop-up

Hello, and welcome to PCHF.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Comments on this post
Chris353 agrees: Very helpful
#3
06-01-2008
Chris353
Bronze Member
Join Date: Jun 2008
Posts: 3
PC Experience: Experienced
Re: Persistent System Error pop-up

Thanks chiaz for the quick reply.
Here is the report output:

SmitFraudFix v2.323
Scan done at 23:55:55.04, Sat 31/05/2008
Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AUTOSH~1\AS_Service.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chris\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Chris/LOCALS~1/T...p_image002.gif"
"SubscribedURL"="file:///C:/DOCUME~1/Chris/LOCALS~1/T...p_image002.gif"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:/DOCUME~1/Chris/LOCALS~1/T...p_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Chris/LOCALS~1/T...p_image002.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: apsagy.dll
BHO: IE - {73AB9095-4904-4C64-83D8-01F9F7DDC41C}
CLSID: {73AB9095-4904-4C64-83D8-01F9F7DDC41C}
AppID: {73AB9095-4904-4C64-83D8-01F9F7DDC41C}
AppID: apsagy.dll
Classes: bho.bho
TypeLib: {64618114-CAC8-49A9-9462-85B863535410}
Interface: {E524CB90-D09F-4785-B3C6-FBD970F14DD5}

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2 - Packet Scheduler Miniport
DNS Server Search Order: 10.1.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{27960D02-F53F-4995-9BDA-66E3BB96815C}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27960D02-F53F-4995-9BDA-66E3BB96815C}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{27960D02-F53F-4995-9BDA-66E3BB96815C}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


#4
06-01-2008
chiaz
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 2,588
PC Experience: PC Guru
Re: Persistent System Error pop-up

Please now run HijackThis from your desktop and place a checkmark by the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
O2 - BHO: (no name) - {465E08E7-F005-4389-980F-1D8764B3486C} - (no file)
O2 - BHO: IE - {73AB9095-4904-4C64-83D8-01F9F7DDC41C} - C:\WINDOWS\apsagy.dll

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


Upon reboot, navigate to the following folder:
C:\WINDOWS\

Locate and delete the following file if it still exists:
apsagy.dll


Then download "SUPERAntiSpyware Free Edition" from this link:
SUPERAntiSpyware.com - Downloads

Install and update the scanner.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
PC Hell: How to Start Windows in Safe Mode

Start the scanner, click "Scan your computer", mark the drives that you want to scan (in the left window). Select "Perform Complete Scan" (in the right window). Click "next".

The scanner will now start to scan. As soon as it has finished, you should mark everything that is found, and let the scanner fix it.

Reboot your computer. After reboot, open the scanner again. Click "preferences" -> "statistics/logs". Mark the log. Click "View log", and copy the content of this log into your next reply, along with a new log from Deckard's System Scanner.


Comments on this post
Chris353 agrees: Instructions worked, problem solved
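
An added example, not part of the thread and not code from SmitfraudFix or HijackThis: it cross-references the CLSID under `[!] Suspicious:` in the SmitFraudFix report with the HijackThis O2 (BHO) lines listed in the reply above. The third O2 line is a constructed control entry, and the function names and the "flagged" / "orphan" / "review" labels are this example's own triage convention, not either tool's verdict.

```python
import re

# Excerpts copied from the thread, except the third O2 line, which is a
# constructed control entry added for this example.
SMITFRAUD_REPORT = r"""
[!] Suspicious: apsagy.dll
BHO: IE - {73AB9095-4904-4C64-83D8-01F9F7DDC41C}
CLSID: {73AB9095-4904-4C64-83D8-01F9F7DDC41C}
TypeLib: {64618114-CAC8-49A9-9462-85B863535410}
"""
HIJACKTHIS_LINES = r"""
O2 - BHO: (no name) - {465E08E7-F005-4389-980F-1D8764B3486C} - (no file)
O2 - BHO: IE - {73AB9095-4904-4C64-83D8-01F9F7DDC41C} - C:\WINDOWS\apsagy.dll
O2 - BHO: Example - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ex.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.+)$")

def flagged_bhos(report):
    """Map BHO CLSID -> DLL name for each '[!] Suspicious:' block."""
    flagged, dll = {}, None
    for line in map(str.strip, report.splitlines()):
        if line.startswith("[!] Suspicious:"):
            dll = line.split(":", 1)[1].strip()
        elif not line:
            dll = None                      # blank line ends the block
        elif dll and line.startswith("BHO:"):
            m = re.search(GUID, line)       # only the BHO line, not TypeLib
            if m:
                flagged[m.group(0).upper()] = dll
    return flagged

def triage(hjt_log, flagged):
    """Label each O2 entry: 'flagged', 'orphan' (no file) or 'review'."""
    results = []
    for line in map(str.strip, hjt_log.splitlines()):
        m = O2_RE.match(line)
        if not m:
            continue
        clsid, path = m["clsid"].upper(), m["path"]
        if clsid in flagged:
            verdict = "flagged"
        elif path == "(no file)":
            verdict = "orphan"
        else:
            verdict = "review"
        results.append((clsid, path, verdict))
    return results

if __name__ == "__main__":
    for row in triage(HIJACKTHIS_LINES, flagged_bhos(SMITFRAUD_REPORT)):
        print(*row, sep="  ")
```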
#5
06-01-2008
Chris353
Bronze Member
Join Date: Jun 2008
Posts: 3
PC Experience: Experienced
Re: Persistent System Error pop-up

Ok, done everything as you suggested and looks like the problem has been licked.
Attached are the files you requested.
Thank you so much for your help chiaz, I'm really glad I found you guys.

Cheers
Chris
Attached Files
File Type: txt main.txt (12.5 KB, 1 views)
File Type: txt extra.txt (28.0 KB, 0 views)
File Type: log SUPERAntiSpyware Scan Log - 06-01-2008 - 01-08-39.log (28.7 KB, 2 views)


#6
06-01-2008
chiaz
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 2,588
PC Experience: PC Guru
Re: Persistent System Error pop-up

Glad to hear.

You may wish to peruse the "Afterwork" for tips on malware prevention:
http://www.pchelpforum.com/progress-...afterwork.html


Good luck!


