Unable to detect major problem!

Alan

Does not detect or remove the following problem:
Pop-up dialog:
"Windows Security Centre" WARNING: Windows firewall
detected suspisious network activity....blah blah blah...

and sys tray balloon pop-up:

"Your virus protection status is bad. Click here to fix
this problem" etc.. etc..

WHY NOT??!!!
Also these can't be seen in advanced tools/running
processes, BHOs, ActiveX or anywhere else for that
matter. I can't find any trace or source for this one. The
only solution is reinstalling the entire system from
scratch!
Come on Microsoft! This problem is being talked about all
over the internet for God's sake! Get on to it!
 
plun

Alan said:
> Does not detect or remove the following problem:
> Pop-up dialog:
> "Windows Security Centre" WARNING: Windows firewall
> detected suspisious network activity....blah blah blah...

Hi

Probably not blah blah blah ;)

> and sys tray balloon pop-up:
>
> "Your virus protection status is bad. Click here to fix
> this problem" etc.. etc..

Well, is it bad ? Updated ? Which one ?

Run Trend Micro's Housecall (all 3 scanners)
Permit ActiveX modules from Trend Micro.

http://housecall.trendmicro.com/

> WHY NOT??!!!
> Also these can't be seen in advanced tools/running
> processes, BHOs, ActiveX or anywhere else for that
> matter.

1) Open up a command prompt (start -> run -> cmd)
2) Type in the following "regsvr32 msvbvm60.dll" (without
the quotes).
3) Close and re-open Windows AntiSpyware
4) If that fails, install VB6 runtime files:
http://www.softwarepatch.com/windows/vbrun6download.htm

> I can't find any trace or source for this one. The
> only solution is reinstalling the entire system from
> scratch!

Why ?

> Come on Microsoft! This problem is being talked about all
> over the internet for God's sake! Get on to it!

Well ?
 
AndyManchesta

It sounds to me that you have malware that is giving you
these pop-ups. In my opinion they are not genuine pop-ups.

If you click the links or pop-ups you will probably be
sent to a site that only has rogue removers, so be
careful about following them.

I suspect it's Wareout or IST, so check your add/remove
screen for both, but don't format the machine over this; it
can be easily dealt with once we know who put it there !!

For now try Ewido Security Suite and run that in safe
mode. I will do a quick test with Wareout and IST and see
if I get similar messages, then repost.
 
AndyManchesta

From the quick test it doesn't look like it's Wareout or
IST that's causing this, but I do think it is malware
related.

Let us know the results of Ewido and the Trend scanner
Plun suggested, as it may solve the problem for you. I've
got to go out for a while, but I've seen these messages
appear before when malware is installed; then when you
click the pop-up it takes you to a site with malicious
removers. I just cannot remember exactly what it is but
will check some more when I get back.

Andy
 
AndyManchesta

I've just got myself an infection which no scanner is
stopping or even detecting up to now (MSAS, Ewido, Trend,
CA eTrust, Ad-Aware, Spybot), but it's a bit similar to what
you're seeing. I remember seeing your messages a while ago
but cannot remember the malware involved, so I visited a few
common sites for this junk but have a beast now :)

I don't think yours is as serious as this, but if it
remains, download HijackThis and post a log if the Ewido and
Trend scans don't kill it, and we can try to help you out.

I get a message now in the system tray which says this :

"Warning: Your Computer is infected
Windows has detected a spyware infection
It is recommended to use special antispyware tools to
prevent data loss, Windows will now download and install
the most up to date antispyware for you"

It then installs SpySheriff ;)

There seems to be a serious infection here with files
using genuine-sounding names. This is just a test setup,
but I advise you to stay away from these pop-ups and use
other scanners to clear the problem. All this has passed
by MSAS without being noticed, but Ewido and antivirus
scans have missed most of this too, so this must be new.
I've just rebooted and now have a nice red spyware warning
desktop wallpaper which I've not seen before. It's a bit like
the Smitfraud/AV Gold infection.

Here's the HijackThis log and the detections from Ewido. I'll
just list the malware entries:

Logfile of HijackThis v1.99.1
Scan saved at 15:14:11, on 23/08/2005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\Run: [1aad606c2ca] C:\WINDOWS\System32\1aad606c2ca.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\msras.exe
O4 - HKCU\..\Run: [1aad606c2ca] C:\WINDOWS\System32\1aad606c2ca.exe
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O23 - Service: WindowInstallSystem (1aad606c2casvr) - Unknown owner - C:\WINDOWS\1aad606c2ca.exe

Ewido Scan :

Created on: 15:24:35, 23/08/2005

C:Temporary Internet Files\Content\0DE3SH6V\loader7[1].htm -> TrojanDownloader.VBS.Psyme.ap

C:Temporary Internet Files\Content\0H6301YN\file_0[1].exe -> TrojanDownloader.Small.uv :

C:Temporary Internet Files\Content\0H6301YN\on[1].exe -> TrojanDropper.Vidro.u

C:\Documents and Settings\Andy Manchesta\Start Menu\Programs\SpySheriff -> Spyware.SpySheriff

C:\p.exe -> TrojanDownloader.Small.uv

C:\q.exe -> TrojanDownloader.Small.ar

C:\WINDOWS\msras.exe -> Not-A-Virus.Hoax.Renos.m :

C:\winstall.exe -> Not-A-Virus.Hoax.Renos.m

Not sure how malware can be described as not a virus.hoax,
but it's not helped things anyway. I'm really not sure what
I'm looking at here yet, so I need to do some more work on it
if I can kill enough to get online and get rid of the
proxy loopback with the infected machine. I cannot open
IE/Regedit/Task Manager or MSAS anymore; everything I try
says the application failed to initialize properly, Click
OK to terminate :( If I try MSAS it says:

c:\ProgramFiles\MicrosoftAntispyware\GiantAntispywareMain.exe

Attempt to access invalid address

I'm not concerned about my system; I'm just interested in what's
causing all this damage and why none of it is being
detected, so I'm happy to play around with it. This is
really just to show you that the messages may be bogus
and potentially very dangerous if you follow them or even
click on them. At this stage it's well and truly killed my
test PC :blush:(

Let us know how you get on with yours

Andy
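
Added example, not part of Andy's post: a small Python check over HijackThis entries like those in the log above, flagging Run values whose file name is one typo away from a genuine Windows process name (svshost.exe, lssas.exe) and a proxy setting that points at the local machine. The list of genuine names and the function names are assumptions made for this example.

```python
import re

# Stems of genuine Windows processes that startup malware often imitates.
# Short list assumed for this example; extend it for real use.
GENUINE = ("svchost", "lsass", "csrss", "winlogon", "smss", "services")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.+)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (.*(?:127\.0\.0\.1|localhost).*)$", re.I)

def one_edit_apart(a, b):
    """True if a and b differ by one substitution, insertion, deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return a[i + 1:] == b[i + 1:] or swapped
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]

def review(log_text):
    """Return findings for a HijackThis log: loopback proxy and lookalike Run entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        proxy = R1_RE.match(line)
        if proxy:
            findings.append(("loopback-proxy", proxy.group(1)))
        run = O4_RE.match(line)
        if run:
            # Last path component of the Run command, lower-cased.
            exe = re.split(r"[\\/]", run.group(2))[-1].lower()
            stem = exe.rsplit(".", 1)[0]
            findings += [("lookalike", run.group(1), exe, real + ".exe")
                         for real in GENUINE if one_edit_apart(stem, real)]
    return findings

# Entries taken from the HijackThis log in the post above, wrapped lines joined.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\iau.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
"""

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A name check like this only catches near-miss spellings; entries such as iau.exe or msras.exe in the same log need other signals (unknown publisher, path, scanner verdicts).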
 
AndyManc

If you still have a problem, use HijackThis and post the
log. Sorry I got a bit sidetracked looking for the source
of your messages, but I'm sure they are not genuine because
I remember seeing them myself. I've ended up fixing mine
with HijackThis, then booted to safe mode and deleted all
the files.

On mine it's a bogus message and installs SpySheriff if
you click it, but it's a lot more than this: it's trojans with
rootkits and backdoor functions; even Hacker Defender is
in this, which I've not seen for a long time.

Here's all the stuff I found as well as the other junk in
the last post ;)

C:\WINDOWS\1aad606c2ca.ini is Win32.HacDef!INI trojan.
1aad606c2cadrv.sys Trojan.Hackerdefender.
C:\WINDOWS\stisvsq.exe is Win32.Liewar.G trojan.
C:\WINDOWS\msqdevl.exe " "
C:\WINDOWS\lssas.exe " "
C:\WINDOWS\svshost.exe " "
C:\WINDOWS\csrss.dll " "
C:\WINDOWS\winlogon.dll " "
C:\WINDOWS\smssa.dll " "
C:\WINDOWS\uvchost.dll " "
C:\WINDOWS\taskmgr.dll " "
C:\WINDOWS\mservice.exe " "
msiau.dll Trojan.Proxy.Symbab.Av
iau.exe Trojan.Proxy.Symbab.Av
msras.exe Hoax.Win32.Renos.m/Adware.SpySheriff

Not good, but it kept me quiet for a couple of hours ;)
 
Alan

The point I'm making is that this problem has been around
for a while now, yet MS Anti-spyware still does not deal
with it. It has 2 distinctive components; 1 the fake
security pop-up balloon and, 2 the official looking dialog
box headed "Windows Security Center".
This is the ONLY adware that I've ever not been able to
find and remove manually.
So you may think I'm just going about it the wrong way,
but when you consider that MS Anti-spyware, AVG, Norton
Anti-virus and Ad-aware, all can't detect or remove it,
maybe this one is a challenge?
 
