I have a client that is running XP home & a warning keeps popping up as follows “Warning your computer is at risk: no anti-spyware has been detected on your computer”. The warning is associated with a yellow triangle in the task bar with an exclamation mark inside it. Right clicking on the icon does not yield any popup menu and therefore no properties are available. Left clicking on the balloon takes you to a site http://topantispyware.com. The system has Spybot loaded. I have run a scan with Avast & Trend Housecall. Does anyone know how I can get rid of this??
Sounds like the warning from the security center in XP.
What exact version of XP (including SP’s)?
What exact version of Avast?
Is Avast running?
The fact that clicking it takes you to a website rather than the Windows Security Center makes me think it is not WSC but some form of adware trying to get you to buy an anti-spyware product.
I think you/they should run hijackthis and post the log or have them/you visit Eddy’s website.
The client is using an Emachines CPU (1800+) running XP Home with SP2. Avast is running Home 4.6 with the latest updates. So far I found out that the problem seems to be some malicious malware. The instigator is four programs that reside in windows/system32. There are two programs which hide as spooler programs (spoolsrv32 run once) and two others randomly named. Removing the programs doesn’t solve the problem because they get re-spawned each time I reboot. I have tried Avast, Trend Housecall, and Spybot. Nobody seems to have picked this up yet. I haven’t found many comments in news groups or on the web…
The best tool for the job is HijackThis; they can only get respawned if the entry still exists to spawn it.
The process might be running so you will need to end it in task manager.
Eddy’s Website click the “HiJackThis Section” and also the “Malware removal instructions and applications” section, and follow the directions there and get back to us if you need more help…
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
If they haven’t already got these, download, install, run and update.
I’m telling you people that if you run Bazooka Spyware scanner it will give you exact advice on how to get rid of those nasties. It doesn’t clean anything automatically, it’s just a wonderful diagnostic program that gives you wonderful instructions on how to get rid of some ugly things in your PC. It picks up so many things that Spybot and Ad-aware can not even imagine to recognize. After it finds some nasties, you have to click on those entries and it will teleport you to the Bazooka official web site with exact information on how to remove those things manually. In most of the cases, you have to reboot and boot into Safe mode, then run regedit and completely follow Bazooka’s advice on what to find in the registry and what to erase. After that, some other things (files and/or folders) need to be removed physically from your hard drive… everything is perfectly well explained in those instructions…
People are scared of this wonderful program just because it doesn’t clean anything automatically, so I guess many are just too lazy… but this great program can find so many things other programs are unable to recognize. Give it a try… I’m using it while cleaning my customer’s PC stations. Believe me, Spybot is great, Ad-aware is great, but in 80% of cases, they couldn’t even find some things… and that’s where Bazooka jumped in and helped a lot.
Download it from here:
http://www.kephyr.com
Just take a look at impressive file database in here (Click on those letters and you’ll see so many different nasties in there):
http://www.kephyr.com/filedb/index/all.html
You can also see here about the latest detections:
http://www.kephyr.com/spywarescanner
And here is just one of many examples how nicely everything is explained, how to remove some nasties… in this case, it’s about ZServ:
http://www.kephyr.com/spywarescanner/library/zserv/index.phtml?source=alerts
Part of that text:
Manual removal
Please follow the instructions below if you would like to remove ZServ manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If ZServ remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start your computer in safe mode.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {00000000-C1EC-0345-6EC2-4D0300000000}', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {00000000-C1EC-0345-6EC2-4D0300000000}', if it exists.
Exit the registry editor.
Restart your computer.
Start Windows Explorer and delete: %WinDir%\ZServ.dll
Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
Start Microsoft Internet Explorer.
In Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.
Just want to help…
Cheers !
Thanks Craftec for recommending Bazooka. I’ve just downloaded it, and will try it out.
One of my friend’s computers (Win98SE) has/had this spyware/adware infection involving a sp.dll file (which is coded to contain a listing of sites to redirect the browser to…). Does pop-up ads too. It’s evil. U delete it, but it respawns itself… I’ve used Hijack This, Ad-aware, Spybot, Spycatcher, cwshredder etc., all in safe mode, deleted the offending registries, emptied the temp directories, deleted the bad files, … but it comes back… nasty nasty nasty… I think we finally nuked it though, as the offending entries don’t show up in Hijack This anymore (1 week and counting!). Also using Firefox only on that PC…no more Internet Exploder!
No problems, I am glad to spread the word if some program is really good. I’m tellin’ ya, Bazooka helped me a lot in cases like that. If other programs weren’t able to clean something, and that something kept coming back… Bazooka helped me to totally erase it, find every single registry entry that needs to be erased, every single file or folder. I really never had problems with Bazooka. Such a small, almost anonymous program (too bad it’s not advertised more) deserves better publicity…
Also, wanna add… I’m using Spyware Blaster as preventive tool. It runs resident (even if you completely close it), doesn’t eat your system resources and it’s ideal IMHO. Bazooka and others are something like healing programs, but we all know that it’s much better if you can prevent than heal… especially if “illness” is in deep deep stage.
I am not fanatic when it comes to this matter, I am not one of those which install and run million of non-useful programs, thinking that now they are protected and they can sleep peacefully… but this is what I run:
Antispyware list:
1.) Keep my Windows XP SP2 always up to date
2.) Spyware Blaster (always up to date)
3.) I run Ad-Aware sometimes, just to check on things
4.) Same thing with Spybot Search and Destroy…
Antivirus:
5.) avast! always up to date and also I like to “play” with Betas
Firewall:
6.) Hardware Firewall/Router D-Link DI-604 (always latest firmwares)
7.) ZoneAlarm Free version
So, as you all can see, I’m on as minimum protection as one could have. Everything that goes below that level, IMHO is careless… we have to think of our PC’s security, and we have to help it remain untouched.
Cheers !
Many thanks gentlemen… I downloaded Bazooka and it identified the unknown startup item. Even though the directions they gave me were not exact, it still got me close enough to find & kill the buggers…
What do you mean by “…the directions they gave me were not exact…” ? Bazooka gives you wonderful explanation, exactly how to search for and clean those things…
It also specifies this:
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {00000000-C1EC-0345-6EC2-4D0300000000}', if it exists.
The key part is “IF EXISTS”. Sometimes those entries are not there for whatever the reason, most likely because there are many different variations of the same spyware or adware out there… some of them have that key, some of them don’t… Most important is to go through all those entries Bazooka told you to go through. If they are there, just clean them, if they are not present, just ignore them…
Cheers !
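Added example, not part of the thread and not code from any of the tools mentioned: a small triage script for a HijackThis-style log that lists the autostart (O4) and Browser Helper Object (O2) entries, checks whether each target is also in the running-process list (the "end the process, then remove the entry" point made above), and flags file names that imitate the real print spooler, spoolsv.exe. The log text is constructed for illustration; the spoolsrv32 name and the ZServ CLSID are the ones quoted in the thread, and the 0.8 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher
from ntpath import basename  # parses Windows paths on any OS

# Constructed HijackThis-style log (not taken from the thread).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spoolsrv32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [spoolsrv32] C:\WINDOWS\system32\spoolsrv32.exe
"""

LEGIT = {"spoolsv.exe"}  # genuine Windows print spooler binary name

O4 = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O2 = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def lookalike(path):
    """True if the file name imitates, but is not, a known system binary."""
    name = basename(path).lower()
    return name not in LEGIT and any(
        SequenceMatcher(None, name, good).ratio() >= 0.8 for good in LEGIT)

def analyse(log):
    """Return one finding per O2/O4 entry, cross-checked against running processes."""
    running, findings = set(), []
    for line in log.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):          # a running-process path
            running.add(line.lower())
        elif m := O4.match(line):                    # Run / RunOnce autostart
            findings.append({"type": "autostart", "where": m["key"], "path": m["path"],
                             "running": m["path"].lower() in running,
                             "lookalike": lookalike(m["path"])})
        elif m := O2.match(line):                    # Browser Helper Object
            findings.append({"type": "bho", "where": m["clsid"], "path": m["path"],
                             "running": False, "lookalike": lookalike(m["path"])})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        note = "end process, then remove entry" if f["running"] and f["lookalike"] else "review"
        print(f"{f['type']:9} {f['where']:40} {f['path']}  -> {note}")
```

An entry that is both registered to start and currently running has to be handled in that order: stop the process first, then remove the entry, otherwise the running copy can rewrite it.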