Problem with WinXP firewall

Fred

Hi, I have a problem with the WinXP firewall that just won't go away.
Recently I had some spyware on my computer which the WinXP firewall
discovered and offered to download a fix from Microsoft's site. I decided to
use a 3rd party program to rid myself of the problem, which it did, and now I
get a constant message from WinXP's firewall telling me that my computer is
infected and to click on the bubble for help. When I do this, the bubble
disappears and then shows up at very regular intervals.

This is very annoying and could be a bug. Can anyone help me please?

Cheers, Fred.
 
Anando [MS-MVP]

Hello Fred,

The Windows firewall does not help in detecting spyware or downloading patches. The update patches
are downloaded by Windows Update. I am guessing that you might not have an anti-virus program
installed (or maybe the anti-virus definitions are too old) and that's what you are being warned
about by the Security Center. Check to see if you have an anti-virus program installed and if it is up
to date or not.

--

Anando
Microsoft MVP- Windows Shell/User
http://www.microsoft.com/mvp
http://www.mvps.org


Folder customizations
http://newdelhi.sancharnet.in/minku

Protect your PC!
http://www.microsoft.com/protect
 
Guest

Hi Fred,
The first thing is to say the Windows firewall will not detect
anything like that; it is there to prevent your PC being attacked by other
users. I would imagine that you have clicked on a pop-up screen that has come
via the Windows Messenger service. Also, your firewall would not tell you to
download any patch. Now I am going to tell you something that some people
will disagree with, but I would suggest going to Trend Micro and performing what
they call a HouseCall. This will scan your PC for every nasty under the sun
and it will delete them also. It's fantastic and free, although you can make a
donation if you want to. I hope this helps; keep us posted.

pete
 
Kerry Brown

Fred said:
Hi, I have a problem with the WinXP firewall that just won't go away.
Recently I had some spyware on my computer which the WinXP firewall
discovered and offered to download a fix from Microsoft's site. I
decided to use a 3rd party program to rid myself of the problem, which
it did, and now I get a constant message from WinXP's firewall telling
me that my computer is infected and to click on the bubble for help.
When I do this, the bubble disappears and then shows up at very
regular intervals.

This is very annoying and could be a bug. Can anyone help me please?

Cheers, Fred.

This message is not from the Windows firewall. It is from the spyware
itself. It can be quite hard to remove this type of spyware. It is probably
a variant of the smitfraud family of spyware. Here is a link that will help
you get rid of it.

http://noahdfear.geekstogo.com/

Another good program that may remove it is here. This is a commercial
program but they have a free trial available.

http://www.ewido.net/en/

Kerry
 
Fred

Hello Fred,

The Windows firewall does not help in detecting spyware or downloading
patches. The update patches are downloaded by Windows Update. I am
guessing that you might not have an anti-virus program installed (or
maybe the anti-virus definitions are too old) and that's what you are
being warned about by the Security Center. Check to see if you have an
anti-virus program installed and if it is up to date or not.

Thanks for your reply. I'm using AVG 7 with the latest updates and I
cleared the spyware problem with the latest Ad-Aware software, updated very
recently. The popup is coming from the tray, from a red circle with an X
inside. Does that help?
 
Kerry Brown

Fred said:
Thanks for your reply. I'm using AVG 7 with the latest updates and I
cleared the spyware problem with the latest Ad-Aware software, updated
very recently. The popup is coming from the tray, from a red circle
with an X inside. Does that help?

Adaware will not remove this spyware. See my other post for programs that
will.

Kerry
 
George Hester

What spyware are you referring to when you say, "Adaware will not remove
this spyware." I grant you that Adaware cannot remove all spyware but I am
at a loss what you mean by "this."
 
George Hester

The issue here is to look in your Run keys. Chances are the call to the
non-existent spyware is still occurring. Go to Start | Run | regedit | OK
and drill down to these two keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The best system has virtually nothing in these two keys, as seen on right.
But AV software will stick a whole bunch of stuff in here. Try to identify
the entries here. You can save reg files of these two keys and open them in
Notepad. Edit | Select All | Copy | and paste in your response.

Ad-Aware should have removed any nasties from these keys, but they may in fact
be recurring.
 
Kerry Brown

George said:
What spyware are you referring to when you say, "Adaware will not
remove this spyware." I grant you that Adaware cannot remove all
spyware but I am at a loss what you mean by "this."

SmitFraud, SpyAxe, SpySheriff and others of this general type. Ad-Aware will
remove some variations but not all.

Kerry
 
Kerry Brown

George said:
The issue here is to look in your Run keys. Chances are the call to
the non-existent spyware is still occurring. Go to Start | Run |
regedit | OK and drill down to these two keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The best system has virtually nothing in these two keys, as seen on
right. But AV software will stick a whole bunch of stuff in here.
Try to identify the entries here. You can save reg files of these two
keys and open them in Notepad. Edit | Select All | Copy | and paste
in your response.

Ad-Aware should have removed any nasties from these keys, but they may
in fact be recurring.


George Hester

Although there may be registry entries here removing them will not get rid
of this family of spyware. It hooks into the Windows login process.

Kerry
 
George Hester

Oh yeah, SpySheriff, I know that one. Hmm... surprising Ad-Aware cannot get
those. HijackThis should find these. Trouble is they do remove them, but
they sometimes come back. The temp folder should really be emptied as much
as possible after the executable they are using is stopped in Task Manager.
 
George Hester

One way to stop their recurrence is to set the security on these Run keys
so that nothing has permissions. That should throw an error at logon and
then that can be used to find the culprit. Trouble is these things keep
changing their names and, you are right, they are in the WinLogon process that
is also in the registry.

Usually here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

or the key just above the WinLogon key. There is another place here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot and keys under
Minimal.
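A read-only triage script, added here as an example and not written by anyone in this thread, that lists the two Run keys and the Winlogon Shell/Userinit values George describes and flags Run entries whose target file no longer exists, which is the leftover "call to the non-existent spyware" he mentions. It assumes PowerShell 2.0 or later on the affected machine, run from an administrator prompt; the function names are my own.

```powershell
# Added example, not from the thread: read-only triage of the autostart
# locations discussed above. Assumes PowerShell 2.0+ in an admin prompt.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandTarget {
    # Extract the executable from a Run value: "C:\x\y.exe" /arg -> C:\x\y.exe
    # Unquoted paths containing spaces are cut at the first space, so such
    # entries show as missing and must be checked by hand.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-TargetExists {
    # True if the path exists or a bare name resolves via PATH (e.g. rundll32.exe)
    param([string]$Target)
    if ([string]::IsNullOrEmpty($Target)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)
    if (Test-Path -LiteralPath $expanded) { return $true }
    return [bool](Get-Command $expanded -ErrorAction SilentlyContinue)
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # skip provider metadata
        $report += New-Object PSObject -Property @{
            Location   = $key
            Name       = $prop.Name
            Command    = $prop.Value
            FileExists = Test-TargetExists (Get-CommandTarget $prop.Value)
        }
    }
}
# FileExists = False marks a dangling start: a value still pointing at a file
# the cleaner already deleted. Nothing is changed; review before removing.
$report | Sort-Object FileExists | Format-Table Location, Name, FileExists, Command -AutoSize

# Winlogon values that decide what runs at logon. XP defaults are
# Shell = Explorer.exe and Userinit = C:\WINDOWS\system32\userinit.exe,
# (trailing comma included); anything appended after them deserves a look.
$wl = Get-ItemProperty -Path $winlogonKey
"Shell    : $($wl.Shell)"
"Userinit : $($wl.Userinit)"
```

As Kerry notes later in the thread, reading these values from the live system is only a diagnosis; if the malware rewrites them at shutdown, the edit itself has to be done offline.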
 
Guest

There is a time when you have to decide "Can I go on using my computer, or
not?" Then you have to decide if the malware has infected your PC to the
extent that it may cause worse problems in due course. I see that at the time
of my posting you have had 13 others scratching their heads. That must tell
you something. Like, maybe it's time to reformat the system. Back up all your
data and files and then go for it. Happens to all of us sometime.
 
Kerry Brown

George said:
One way to stop their recurrence is to set the security on these Run
keys so that nothing has permissions. That should throw an error at
logon and then that can be used to find the culprit. Trouble is
these things keep changing their names and, you are right, they are in
the WinLogon process that is also in the registry.

Usually here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

or the key just above the WinLogon key. There is another place here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot and keys
under Minimal.

You cannot delete these keys easily. As the spyware loads with the logon
process it is always running even in safe mode. It monitors the keys and
replaces them before shutting down. You have to edit the registry from a
BartPe CD or use one of the smitfraud removal programs.

Kerry
 
George Hester

Can you provide links for these "BartPe CD or ... one of the smitfraud
removal programs?"
 
Kerry Brown

George said:
Can you provide links for these "BartPe CD or ... one of the smitfraud
removal programs?"

Already provided links for a smitfraud removal program earlier in the
thread. Here's BartPe.

http://www.nu2.nu/pebuilder/

I'm pretty sure you're trolling George. You've been around a while and I'm
pretty sure you've heard of BartPe before. I'm done with this thread.

Kerry
 
George Hester

Kerry I would not have asked you for the links if I had heard of it. Now
you can choose to disbelieve me if you want. Why do you need to take a
perfectly good conversation and turn it into a name-calling contest? I
really do not understand your civility.
 