System Instrusion Detected

Discussion in 'Malware Help (A Specialist Will Reply)' started by robhon, Jan 6, 2006.

  1. robhon

    robhon Private E-2

    Hi,

    My computer has recently been under attack from more spyware/malware. I think I have removed most of it using AdAware, Ewido, HiJackThis and Silentrunners to get rid of any suspicious files.

    I still have a contact popup on the Windows taskbar. The icon replicates the Windows Update icon and the popup reads:

    ********
    System Instrusion Detected!

    Dangerous infection was detected on your PC
    The system will now download and install most efficient
    antimalware program to prevent data loss and your private
    information theft.
    Click here to protect your computer from the biggest malware
    threats.
    *********

    Could anyone offer any help on how to remove it?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. robhon

    robhon Private E-2

    Hi,

    Thanks for the info. System Instrusion Detected! popup still exists.

    Here's what happened:

    Spybot found Smitfraud-C. Could not fix so opted to run scan on startup. Scan ran on Startup but again could not remove. PDF log attached.

    Everything else was clean

    Bitdefender found c:/windows/system32/csfbu.exe and deleted. Log attached.

    Panda Activescan also attached.

    HiJackThis log also attached.

    Nothing else seems to be wrong except this popup which I can't get rid of.

    Please help!!
     


  4. robhon

    robhon Private E-2

    Sorry.

    Forgot to mention after discovering SmitFraud I followed your instructions for Smitfraud removal.

    Smitrem log attached.

    Cheers!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You really should install HJT properly per the directions in step 7 of the READ ME. It should not be in any sub folder of Documents & Settings. However at the present time, there are no problems showing in your HJT log.

    The problems with Smitfraud showing in Spybot is a different problem than the SmitFraud sticky is meant to repair. Use the below procedure to fix what Spybot is detecting.

    Please download DelDomains and unzip it to your desktop. Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    (Please note you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.)

    Now run a new Spybot scan and verify that you are clean.

    Make sure BitDefender really was able to delete the c:/windows/system32/csfbu.exe file.
     
  6. robhon

    robhon Private E-2

    Thanks for the speedy feedback.

    Have moved HJT to C:\ for future use.
    Have run Deldomains and Spybot is now clean, and have re-run the Immunize.

    c:/windows/system32/csfbu.exe has been removed.

    "System Instrusion Detected!" popup is still there!

    Is there anything else I can run?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run the steps in the below thread but make sure you delete any version of SmitRem.exe you already have and make sure to download now from the link given. It has recently been updated.

    SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    Post the new smitfiles.txt log and also tell me if the System Intrusion Detected popup still occurs.
     
  8. robhon

    robhon Private E-2

    Hi,

    After all the previous scans, I restarted my machine (power off as opposed to shutdown) and then restarted. The popups have disappeared. I think it was the netwrap.dll file in c:\windows\system32.

    I have downloaded the latest smitrem with log just in case. But it seems to be clean now, which is such a relief, the popups make a sound every time they appear and they appear about every 5 seconds!!!!!!!

    I have attached the clean smitrem log!!

    Thanks for all your help. I am assuming it has gone now right???
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes netwrap.dll is part of the SpywareStrike problem that causes these popups. Only the latest version of SmitRem fixes this.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
