
Author Topic: "Your System is Infected" is virus leeching my computer - help please! :)  (Read 64593 times)


pigeonpoo9

    Topic Starter


    Rookie

    Hi there
    I think I may have picked up this virus when a friend of mine used Skype on my computer - it's the only thing that's been different with regards to the use of my computer lately.
    When I started my computer today, my desktop showed a blue background with a message in red writing in a black box showing:
    "YOUR SYSTEM IS INFECTED - System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed."
    An internet webpage opened with antivirus bits and pieces, but I closed it immediately, not really thinking. I immediately ran a spyware scan through my anti-virus (PC Guard from Virgin Media), which found several spyware, including one that had some name about antivirus something-or-other - I must admit, I didn't take a note of the exact name. I then ran a virus scan which found nothing. I rebooted my computer, only to be confronted with the same thing. When I tried to bring up task manager, I got the error message "WARNING - Application cannot be executed. The file is infected. Please activate your antivirus software." (I'm still getting this message.) This doesn't look 'real', and when I press Ctrl-Alt-Del again, I can get a 'real' looking message, which tells me that the Task Manager has been disabled by my administrator. At this point, my internet wouldn't work either, so I restored my system. This seemed to work at first, and I got my old background back. I ran another spyware scan, which found nothing. I rebooted, but this fake warning background came back. I know it's fake, because when I shut my computer down, it reverts back to my old background just as it's shutting down. I can now get on the internet, but still get an error message when I try to get task manager up.
    I've followed the advice on the 'Read this before requesting malware removal help'; I've attached my logs.

    Help would be much, much appreciated. Many thanks :)






    [attachment deleted by admin]

    raiever



      Starter

    • lol yea im 16 but i look younger with no shirt on!
      ok heyy hope this helps!!

      Click your start button, go up to run. Type "gpedit.msc" (without the quotes) and press the enter button. When the screen comes up, look on the left side. Open User configuration>administrative templates>system>CTRL+ALT+DEL options; on the right side of the screen make sure that "Remove Task Manager" is set to disabled.

      If that is set correctly, or doesn't work, you need to hack your registry. Click start>run>regedit to open the editor

      with "my computer" highlighted, click file then export, Save the file to your desktop. This is your registry and if you mess up, you will need this file.

      When that is done, navigate to the following keys and make sure they are set like this.

      [HKEY_CURRENT_USER\Software\Microsoft\…
      "DisableTaskMgr"=dword:00000000

      [HKEY_CURRENT_USER\Software\Microsoft\… Policy Objects\LocalUser\Software\Microsoft\Win…
      "DisableTaskMgr"=dword:00000000

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft…
      "DisableTaskMgr"=dword:00000000

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft… NT\CurrentVersion\Winlogon]
      "DisableCAD"=dword:00000000

      You may need to restart your computer.

      DON'T DO THE REGISTRY STUFF UNLESS YOU KNOW WHAT YOU ARE DOING.

      If that doesn't work, you are going to need to start your computer in safe mode and run a virus scan, cause you still have a bug.


      source: my mind cause it happened to me! CAREFUL WHEN EDITING YOUR REGISTRY!!!
      "A cynic is someone who knows the price of everything and the value of nothing."

      Karnac



        Specialist

        Thanked: 211
        Stay out of the registry and wait for a specialists help....your logs are done, just wait.


        Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

        pigeonpoo9

          Topic Starter


          Rookie

          Hi both

          I haven't a clue when it comes to the above registry stuff, so stayed well clear for the time being.
          I can now open task manager, although I still cannot change my desktop background to what I had originally. My computer is also painfully slow when loading.
          Many thanks, I look forward to specialist help :)

          raiever



            Starter

            Question! When you try to change your background, is it that the button to browse is locked? Or you cannot change it to any of the already given ones, period? Or you can select to set a pic as background but it won't change?




            pigeonpoo9

              Topic Starter


              Rookie

              Hiya
              The browse and drop down position buttons are locked; they're grey and I can't select any of the other pictures in the list to the left either. Really annoying!!

              raiever



                Starter

                Ok!
                 
                Download this program!

                http://www.the-pc-guru.com/files/dwpfix.reg

                •Run the file
                •Respond Yes to the prompt to merge the file with the registry.

                Thanks if it works please =D

                BC_Programmer


                  Mastermind
                • Typing is no substitute for thinking.
                • Thanked: 1140
                • Experience: Beginner
                • OS: Windows 11
                It won't work to simply edit the registry. The fake spyware program has ALREADY installed change-notification hooks on the registry keys, so if you change them, it instantly changes them back.
                I was trying to dereference Null Pointers before it was cool.
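The registry values raiever lists and the revert behaviour BC_Programmer describes can both be checked from the defender's side without editing the live registry: export the keys (File > Export, as raiever suggests), then audit the .reg file, and after merging a fix re-export and compare. The following Python script is an added example, not code from the thread or from any tool named in it; the full key paths are the standard Windows policy locations that the post above shows truncated, and the sample exports are constructed.

```python
"""Audit a Windows .reg export for Task Manager / Ctrl+Alt+Del lockout policies.

Added example (not from the thread). It works on an exported .reg file, so it
runs on any OS. The key paths below are the standard Windows policy locations;
the forum post shows them truncated.
"""
import re
from typing import Dict, List, Tuple

RegValues = Dict[Tuple[str, str], int]   # (key path, value name) -> dword

# (key path, value name) pairs that rogue "antivirus" malware sets to 1 to
# disable Task Manager and the Ctrl+Alt+Del dialog.
WATCHED = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser"
     r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DisableCAD"),
]

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg(text: str) -> RegValues:
    """Parse the dword entries of a .reg export (string and hex values are ignored)."""
    values: RegValues = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _DWORD.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def audit(values: RegValues) -> List[Tuple[str, str, int]]:
    """Watched policies that are enforced (non-zero) in the export; absent means not enforced."""
    return [(k, n, values[(k, n)]) for k, n in WATCHED if values.get((k, n), 0) != 0]


def find_reverted(merged_fix: RegValues, recheck: RegValues) -> List[Tuple[str, str, int]]:
    """Values a fix file set to 0 that are non-zero again in an export taken afterwards.

    Anything listed here is being re-applied by a still-running process (the
    change-notification behaviour described in the post above), so editing the
    registry is pointless until that process is removed.
    """
    return [(k, n, recheck[(k, n)]) for k, n in WATCHED
            if merged_fix.get((k, n)) == 0 and recheck.get((k, n), 0) != 0]


# Constructed sample data: an export from an infected machine and a fix file.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
"Shell"="Explorer.exe"
"""

FIX_FILE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
"""

if __name__ == "__main__":
    infected = parse_reg(INFECTED_EXPORT)
    for key, name, val in audit(infected):
        print(f"enforced: {key}\\{name} = {val}")
    # Simulate the fix being merged and the malware putting the value straight back:
    # the re-export looks exactly like the infected one.
    recheck = parse_reg(INFECTED_EXPORT)
    for key, name, val in find_reverted(parse_reg(FIX_FILE), recheck):
        print(f"reverted: {key}\\{name} = {val} (something is re-setting it)")
```

Usage on a real machine: export the four keys before the fix, merge the fix file, export again a few seconds later, and feed both exports to `find_reverted`. A non-empty result is the evidence that the policy is being re-enforced and that the running malware, not the registry, is what needs to be dealt with.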

                pigeonpoo9

                  Topic Starter


                  Rookie

                  I haven't done anything since I followed the guidelines; although I have been running anti-spyware scans using PC Guard, which keep finding something called Kollah. Does this help?

                  Karnac



                    Specialist

                    Thanked: 211
                    Win32/Kollah is a family of trojans that steal sensitive information.....banking info, etc......... Don't use any removal tools listed at Google since they are from rogue sites.......wait for evilfantasy.



                    CBMatt

                    • Mod & Malware Specialist


                    • Prodigy

                    • Sad and lonely...and loving every minute of it.
                    • Thanked: 167
                    • Experience: Experienced
                    • OS: Windows 7
                    Sorry for the long wait, pigeonpoo.  We malware guys are extremely busy at the moment with our personal lives, so we haven't been able to spend a lot of time on here.  And unfortunately, there are only a couple of us who do this, unlike the other sections that have tons of helpers.

                    Anyway, the majority of your infection should be gone, but it looks like some of it is still lingering.  Run another scan with HijackThis and look for this entry:
                    O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

                    If you find it, place a checkmark next to it, and click on Fix Checked.  You should then enter Safe Mode and delete this file:
                    C:\WINDOWS\system32\winupdate.exe

                    Once you have done that, simply restart your computer and scan with HijackThis again.  This time, save a new log and post it here.  I would also like for you to download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

                    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
                    http://subs.geekstogo.com/ComboFix.exe

                    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

                    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                    Double-click combofix.exe and follow the prompts.
                    When finished, ComboFix will produce a log for you.
                    Post the ComboFix log and a new HijackThis log in your next reply.

                    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
                    An undefined problem has an infinite number of solutions.
                    —Robert A. Humphrey
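CBMatt's instruction to look for one specific O4 entry can be turned into a small check over a saved HijackThis log, which is also how you would confirm (as the poster later does) that the entry is absent. This Python script is an added example, not part of the thread or of HijackThis itself; the log text is constructed, and the only indicator it knows is the winupdate.exe entry named in the post above.

```python
"""Scan a HijackThis log for O4 autorun entries and flag a known-bad one.

Added example (not from the thread or from HijackThis). The log text is
constructed; the indicator list holds only the entry named in the post above.
"""
import re
from typing import List, NamedTuple


class O4Entry(NamedTuple):
    hive: str      # e.g. HKLM or HKCU
    name: str      # value name HijackThis shows in square brackets
    command: str   # command line the Run key launches


# HijackThis prints autorun entries as:  O4 - HKLM\..\Run: [name] command
_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

# Indicator taken from the thread: the rogue "updater" the helper asked the poster to remove.
KNOWN_BAD = [r"c:\windows\system32\winupdate.exe"]


def parse_o4(log: str) -> List[O4Entry]:
    """Return every O4 Run-key entry in the log, in the order it appears."""
    entries: List[O4Entry] = []
    for line in log.splitlines():
        m = _O4.match(line.strip())
        if m:
            entries.append(O4Entry(m.group(1), m.group(2), m.group(3)))
    return entries


def flag_known_bad(entries: List[O4Entry]) -> List[O4Entry]:
    """Entries whose command line contains a known-bad path (case-insensitive, quotes/arguments tolerated)."""
    return [e for e in entries if any(bad in e.command.lower() for bad in KNOWN_BAD)]


# Constructed sample log: two normal entries around the one CBMatt describes.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\system32\example.exe
"""

if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    print(f"{len(entries)} O4 entries found")
    for e in flag_known_bad(entries):
        print(f"FIX THIS: O4 - {e.hive}\\..\\Run: [{e.name}] {e.command}")
```

If `flag_known_bad` returns nothing for a real log, the entry is simply not there, which matches what the poster reports later in the thread; the rest of the helper's steps (ComboFix, a fresh log) still apply.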

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    • Thanked: 493
                    • Experience: Experienced
                    • OS: Windows 11
                    @ raiever

                    You are trying to fix the symptoms which is doing no good. You need to learn how to fix the problem which has a side effect of fixing the symptoms as well...  :o

                    Also see here: http://www.computerhope.com/forum/index.php/topic,57605.0.html

                    pigeonpoo9

                      Topic Starter


                      Rookie

                      Hi
                      Thanks ever so much for getting back to me, I really, really appreciate your help with this.
                      I've come across one snag: I've just run the first HijackThis scan, and cannot find O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

                      Would it be under another name?

                      evilfantasy

                      Just continue on with CBMatt's instructions please.

                      pigeonpoo9

                        Topic Starter


                        Rookie

                        Hiya
                        I completed the steps, although as stated, I couldn't find:

                        O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe when I ran the HijackThis scan; neither could I find:

                        C:\WINDOWS\system32\winupdate.exe in Safe Mode, so couldn't delete it.

                        I've attached both the HijackThis log and the ComboFix log; all is looking good so far, it's brilliant not having to look at the stupid background I had enforced on my computer.

                        Once again, many thanks; I do appreciate that you guys are really busy.

                        [attachment deleted by admin]