• Welcome to SC4 Devotion Forum Archives.

Spyware/popup thing

Started by Jonathan, March 15, 2008, 02:56:55 AM


Jonathan

I just started getting a yellow triangle with a black exclamation mark in the system tray, and when it appears so does a popup saying "Your PC is infected click here to download removal programs" or that sort of thing. It is obviously fake; if you do click on it, it goes to a website called antispywareupdate.net. Norton 360 had picked up a risk called "adware.180 Search"; it has never found this before I got the popups. I close all open programs except Norton like it says and then click the fix button, but if I scan again it will still find the same risk. I have looked around on Google, but generally it just tells me to download a program to fix it, and I don't really trust them. So has anyone here had this problem or know a legitimate way to fix this?

And it has also disabled the Task Manager; a message comes up and says Task Manager has been disabled by your system admin. I have found how to fix this on the Microsoft site by editing the registry, but it does not work and I still can't access it. I have tried Ctrl-Alt-Del, right-clicking the taskbar, and the command prompt.

Sorry for the long post, but I am really "worried/concerned" about this.

Tarkus

Hi Jonathan-

Sorry to hear about your issues--that is rather worrisome.

Has Norton 360 given you a filename by any chance for this adware file?  If so, provided it hasn't taken the parasitic approach and embedded itself in another useful file, removing it manually is an option.  I had to do this with a co-worker's computer at a prior job--turned out there was a rootkit that was disguising itself as a Control Panel extension.  Sometimes the Norton info will give you the wrong file extension (because viruses can sometimes switch file extensions), so if you look for the filename without the extension, that could do it.
I checked Symantec's website to see if I could find the exact threat you're dealing with, and while I didn't find it, I found one that seemed similar [link].

You could also try using Lavasoft AdAware [link] if you haven't already.  There is a free version of it that exists.  Sometimes checking things out with a second program can help diagnose/find the problem.

The Registry Entry that a lot of viruses like to alter is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so I'd check there as well if you haven't already.  That could also give you a clue as to the name of the infected file.

Hope that helps!

-Alex (Tarkus)
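
The Run-key check suggested above, together with the Task Manager policy from the first post, as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later; the RunOnce and HKCU keys and the `DisableTaskMgr` value name are not mentioned in the thread and are included because they are the standard companion locations. A missing signature is a reason to look at a file, not proof that it is malicious.

```powershell
# Added example (not from the thread): read-only report, changes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if (-not $cmd.Trim()) { continue }

        # Pull the executable out of the command line (quoted or unquoted form).
        if ($cmd -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') {
            $exe = $Matches[1]
        } else {
            $exe = ($cmd.Trim() -split '\s+')[0]
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Bare names such as "rundll32.exe" have no path and show Exists = False;
        # look those up by hand.
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig = if ($exists) { [string](Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

        [pscustomobject]@{ Key = $key; Name = $name; File = $exe; Exists = $exists; Signature = $sig }
    }
}
$report | Sort-Object Exists, Signature | Format-Table -AutoSize -Wrap

# Task Manager policy: a DisableTaskMgr value of 1 in either hive produces the
# "Task Manager has been disabled by your administrator" message.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $policy = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $value = (Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    '{0}  DisableTaskMgr = {1}' -f $policy, $(if ($null -eq $value) { '(not set)' } else { $value })
}
```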

Shadow Assassin

I did a quick Google Search and it seems that it will also hide itself in the System Restore restore info, as well as some other places.

So, you will need to clear your system restore:

    * click Start >> Run - type SYSDM.CPL & press Enter
    * select the System Restore Tab
    * tick on the checkbox - "Turn off System Restore on all drives"
    * click Apply
    * then untick the same checkbox & click OK

That is for Windows XP.

For Vista:
    * click Start >> Run - type SYSDM.CPL & press Enter
    * select the System Restore Tab
    * untick the C: drive checkbox - this clears the cache
    * click Apply
    * then tick the same checkbox & click OK [or you could just leave it off if you don't want System Restore]

Also:

Go to your folder options [via Control Panel], select Show Hidden Folders & Files, and make sure that Hide Protected System Files and Hide Extensions for Known File Types are unchecked.

Apply those settings.

Now, the next stage of the process is:

Fire up the search utility.

Search for the following: *.tmp

Make sure that you have the "Include Hidden and System Files" checkbox selected in Advanced Search.

It should have a list of all the temporary files on your computer.

Select all of them and delete them. If some won't delete, note their file names. (don't worry, it should be quite safe.)

Restart the computer, and do the search again. Compare the file names to what, if any, are remaining. Normally, the computer will delete the files on shut down.

Also, try running MSConfig [type in msconfig.exe, then Run], and search for the service. It's probably called what the anti-virus said it was.

Oh, and if it doesn't work, looks like you'll have to restart your computer and, as it's starting up [BEFORE the Windows Vista Logo], hit F8. Then go to Safe Mode. Try all that again, just in case.


Once you've done it, do the virus scan again.

Additionally, once you've found the file and deleted it, run regedit, and search for the file name. It should come up in a few places.

Note this solution also works for a nasty little worm known as telecms.exe.
New Horizons Productions
Berethor ♦ beskhu3epnm ♦ blade2k5 ♦ dedgren ♦ dmscopio ♦ Ennedi
emilin ♦ Heblem ♦ jplumbley ♦ moganite ♦ M4346 ♦ papab2000
Shadow Assassin ♦ Tarkus ♦ wouanagaine
See my uploads on the LEX!
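
The "note the file names, restart, compare" step from the post above, as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later; the script parameters and the snapshot file path are hypothetical names chosen for illustration. It deletes nothing and only reports which `.tmp` files are still present after the restart.

```powershell
# Added example (not from the thread). Run with -Mode Snapshot before restarting,
# then with -Mode Compare after the restart.
param(
    [ValidateSet('Snapshot', 'Compare')][string]$Mode = 'Snapshot',
    [string]$Root = 'C:\',                                      # drive to search (assumption)
    [string]$SnapshotFile = "$env:USERPROFILE\tmp-before.csv"   # hypothetical output path
)

function Get-TmpFile {
    param([string]$Path)
    # -Force includes hidden and system files, like the "Include Hidden and
    # System Files" checkbox in the search dialog.
    Get-ChildItem -Path $Path -Filter '*.tmp' -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.tmp' } |
        Select-Object FullName, Length,
            @{ Name = 'LastWrite'; Expression = { $_.LastWriteTimeUtc.ToString('o') } }
}

if ($Mode -eq 'Snapshot') {
    Get-TmpFile -Path $Root | Export-Csv -Path $SnapshotFile -NoTypeInformation
    Write-Output "Saved snapshot to $SnapshotFile"
    return
}

# Compare: index the snapshot by path, then report files that are still present.
$before = @{}
foreach ($row in (Import-Csv -Path $SnapshotFile)) { $before[$row.FullName] = $row }

Get-TmpFile -Path $Root | Where-Object { $before.ContainsKey($_.FullName) } | ForEach-Object {
    $old = $before[$_.FullName]
    # Unchanged = same size and timestamp as before the restart.
    # Rewritten = something wrote to the file again since the snapshot.
    $same = ($old.LastWrite -eq $_.LastWrite) -and ([int64]$old.Length -eq $_.Length)
    $state = if ($same) { 'Unchanged' } else { 'Rewritten' }
    [pscustomobject]@{ State = $state; Length = $_.Length; Path = $_.FullName }
} | Sort-Object State, Path | Format-Table -AutoSize -Wrap
```

A file listed as Rewritten was written to again after the snapshot, which makes its name a good term for the regedit search mentioned in the post.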


Shadow Assassin

Excellent to see that it fixed the problem for you.