“Security warning”
Solved
Gribouille
-
Cyril -
Hello,
I have a red round icon with a yellow exclamation point that has appeared next to my PC's clock.
It says: "Security warning: your computer may be infected with harmful or unwanted software"
I don't dare click on it.
The information I find is in English, but I'm not fluent enough to understand it well.
Thank you in advance for your help!!
29 replies
Hi,
- Download the SmitfraudFix software created by S!Ri:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip and unzip it.
- Open the "SmitfraudFix" folder that will appear, double-click on "Smitfraudfix.cmd", choose option 1, a log will be generated...
Copy and paste the report on the forum.
Then
Do this operation:
- Restart the PC in safe mode: tap the F8 key on your keyboard (or F5 depending on the version of Windows) and select "safe mode".
- Run SmitfraudFix again this time choosing option 2 and answer yes to everything.
Paste the new report afterwards.
See you later.
SmitFraudFix v2.119
Report made at 13:02:58.03, 04/11/2006
Executed from C:\Documents and Settings\Fff\Desktop\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix executed in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ismini.exe PRESENT !
C:\WINDOWS\system32\drvmam.dll PRESENT !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fff
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fff\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Fff\Favorites
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop items
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My homepage"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Warning, the keys that follow are not necessarily infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Warning, the keys that follow are not necessarily infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Searching for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
If you’re not mistaken, the icon will disappear :)
I’ll come back this evening if you have any other problems...
See you later
Here is the second one in safe mode Option 2:
SmitFraudFix v2.119
Report made at 13:13:18.84, 04/11/2006
Executed from C:\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Fix executed in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, the following keys are not necessarily infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Stopping processes
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ismini.exe deleted
C:\WINDOWS\system32\drvmam.dll PRESENT!
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\Favorites
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop items
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, the following keys are not necessarily infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, the following keys are not necessarily infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Searching for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
It didn't ask me anything so I didn't have to say yes!!!
The icon in question is still there...
What exactly did I just do!?
I ran Ad-aware, Spybot, and Ccleaner.
The latter sees this file: C:\WINDOWS\TEMP\win252.tmp.exe 32.50KB, but doesn't remove it.
Manually, I can't do it; it's inaccessible...
I removed this file, but the icon is still there!!!
I think it's some kind of "bullshit" to make me go to a website....
Hi,
To move forward Kristopher whom I greet well baaass...
Do the following
F - Hijackthis - Diagnostic and repair tool
read demo
http://pageperso.aol.fr/balltrap34/Hijenr.gif
http://pageperso.aol.fr/balltrap34/demohijack.htm
Download the French version here
http://telechargement.zebulon.fr/160-patch-francais-pour-hijackthis-1991.html
Copy/paste the report
Good luck
A++
Avoid bold characters, it's really not pleasant at all Thanks
--
Don't take offense, stay silent as a carp, and
pet the dog with the grain!
Good evening,
Here is the Hijackthis report:
Logfile of HijackThis v1.99.1
Scan saved at 16:48:45, on 04/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Programmes\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.sfr.fr/offres-numericable.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvmam.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thank you.
Hi
You are still on SP1 ==> Platform: Windows XP SP1 (WinNT 5.01.2600)
You should install SP2 ==> more protections
https://www.microsoft.com/fr-fr/search?q=Windows+XP+sp2&l=1&FORM=QBME1
--
Don't get offended, stay as quiet as a carp, and
pet the dog against the grain!
Hello everyone :)
Gribouille, let's keep it simple - leave the reports as they are, without having fun making them bold or putting them in tags because it makes reading more difficult for everyone. Thank you.
The file that is the source of your concern is drvmam.dll.
Before deleting it, it would be wise to analyze it:
1/ Display all files and folders:
Click on "Start" -> "Control Panel" -> "Tools" (at the top) -> "Folder Options..." -> "View".
Check:
"Show hidden files and folders"
Uncheck the boxes:
"Hide protected operating system files (recommended)"
"Hide extensions for known file types"
Click on "Apply", then "Ok"
2/ Go to http://www.virustotal.com/flash/index_en.html
Click on "Browse..." and find the bold file:
C:\WINDOWS\system32\drvmam.dll
Wait for the rectangle to turn green (on the right) and click on "Send".
Once the scan is complete, copy/paste the report on the forum.
Have a good Sunday.
Bizz ^^Marie^^
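Added example (not part of any post in this thread): cross-referencing the two reports above shows how drvmam.dll stands out, because the file SmitfraudFix still lists as PRESENT is also the one a HijackThis O4 Run entry loads through rundll32.exe at every logon. The sample lines are copied from the posted reports; the function names are this example's own.

```python
import re

# Lines copied from the SmitfraudFix and HijackThis reports posted in this thread.
SMITFRAUDFIX_REPORT = r"""
C:\WINDOWS\system32\ismini.exe deleted
C:\WINDOWS\system32\drvmam.dll PRESENT!
"""
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvmam.dll,startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# "<path> PRESENT !" or "<path> PRESENT!" (both spellings occur in the reports).
PRESENT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+PRESENT\s*!$")
# "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def flagged_files(report):
    """Paths the SmitfraudFix report still marks as PRESENT."""
    found = []
    for line in report.splitlines():
        m = PRESENT_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def run_entries(log):
    """Registry Run entries (HijackThis section O4) as dicts."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def autoruns_loading(report, log):
    """Run entries whose command line references a file still PRESENT.

    Windows paths are case-insensitive, so the comparison is done in lower case.
    The last tuple field tells whether the entry goes through rundll32.
    """
    hits = []
    for entry in run_entries(log):
        cmd = entry["cmd"].lower()
        for path in flagged_files(report):
            if path.lower() in cmd:
                hits.append((entry["hive"], entry["name"], path,
                             cmd.startswith("rundll32")))
    return hits


if __name__ == "__main__":
    for hive, name, path, via_rundll32 in autoruns_loading(SMITFRAUDFIX_REPORT, HIJACKTHIS_LOG):
        how = "via rundll32" if via_rundll32 else "directly"
        print(f"{hive} Run entry [{name}] loads {path} {how}")
```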
Hello,
Here is the Virustotal report: (not very conclusive)
Antivirus Version Update Result
AntiVir 7.2.0.37 11.03.2006 no virus found
Authentium 4.93.8 11.05.2006 no virus found
Avast 4.7.892.0 11.03.2006 no virus found
AVG 386 11.04.2006 no virus found
BitDefender 7.2 11.05.2006 no virus found
CAT-QuickHeal 8.00 11.04.2006 no virus found
ClamAV devel-20060426 11.05.2006 no virus found
DrWeb 4.33 11.05.2006 BACKDOOR.Trojan
eTrust-InoculateIT 23.73.45 11.03.2006 no virus found
eTrust-Vet 30.3.3176 11.03.2006 no virus found
Ewido 4.0 11.05.2006 no virus found
Fortinet 2.82.0.0 11.05.2006 no virus found
F-Prot 3.16f 11.04.2006 no virus found
F-Prot4 4.2.1.29 11.04.2006 no virus found
Ikarus 0.2.65.0 11.03.2006 no virus found
Kaspersky 4.0.2.24 11.05.2006 no virus found
McAfee 4888 11.03.2006 no virus found
Microsoft 1.1609 11.04.2006 no virus found
NOD32v2 1.1853 11.03.2006 no virus found
Norman 5.80.02 11.03.2006 no virus found
Panda 9.0.0.4 11.04.2006 Suspicious file
Sophos 4.10.0 10.26.2006 no virus found
TheHacker 6.0.1.112 11.03.2006 no virus found
Hi,
Did you do the <10>???
Bizz Kritopher
--
Don't get upset, stay as quiet as a fish, and
pet the dog the right way!
< 10 > - "Security warning"
Added by ^^Marie^^ (05/11/2006 at 11:35 GMT+1)
Hi
You are still on SP1, ==><Platform: Windows XP SP1 (WinNT 5.01.2600)
You should install SP2 ==> more protection
https://www.microsoft.com/fr-fr/search?q=Windows+XP+sp2&l=1&FORM=QBME1
--
Don't take offense, remain as silent as a carp, and
pet the dog the right way!
SORRY!
I just understood...
I wanted to do it once and it caused me so many problems that I gave up! Moreover, this PC is not connected to the internet...
I would like to understand where this red icon with a yellow exclamation point comes from!!
Hi,
It's time to put an end to this thing.
1/ - Download Pocket Killbox here:
http://www.downloads.subratam.org/KillBox.exe
Disconnect from the internet.
Double click on killbox.exe (Pocket Killbox)
- Check: "Delete on reboot"
- In "Full Path of File to Delete"
copy and paste this:
C:\WINDOWS\system32\drvmam.dll
- click on the white cross on the red background.
- a window will pop up for confirmation: click "YES".
- a second window will ask if you want to reboot: click "YES".
Let the PC restart.
If you see the following message: "pending file rename operations registry data has been removed by external process.", ignore it and restart your PC manually.
In image: http://tinypic.com/images/goodbye.jpg
2/ Scan your PC with this online antivirus (only under IE):
http://www.bitdefender.fr/scan8/ie.html
Click "I accept" then also accept the ActiveX blocked by the SP2 anti-popup bar (it will flash at the top).
Then, click "Click here to scan".
Wait until the end of the scan...
Copy/paste the entire report on the forum.
See you later.
So what? You can still do the 1/, right?
Well, if you want to keep your infections, do as you wish...
But I'm a bit surprised anyway:
How do you manage updates and various online scans without using IE? (I guess it's a philosophical question, with no answer. Or rather, with an implied answer, lol)
See you!