adware, trojans, dialers, etc.

  • Thread starter Steve Brown and Pat Wehren

Steve Brown and Pat Wehren

I recently experienced a blitz of adware, trojans and dialers apparently
from the same site. While Symantec Antivirus seems to have purged all
serious consequences, I'm left with some weird residual stuff that Symantec
doesn't now detect as an active problem (nor does Ad-aware). The most
annoying thing is the large black and red SPYWARE INFECTION notice that has
replaced my wallpaper (formerly a group of bighorn sheep). When I try to
restore this in the Display icon of the Control panel, I find the function
that allows for selection of "Background" to be frozen. Pretty much
everything else works, although the Task Manager seems to be disabled. Could
someone steer me in the right direction to undo this invasion? My paltry
technical resources lead me to suspect that a file or registry key was
altered, but I have no clue how to troubleshoot these things. Any help would
be greatly appreciated.

Thanx
Steve Brown
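The frozen Background tab and the disabled Task Manager that Steve describes are the visible side of a handful of per-user policy values, and a wallpaper that cannot be changed back is usually an Active Desktop HTML page substituted for the picture. The script below is an added example, not something posted in this thread and not part of any of the tools it mentions: on Windows it reads those values from HKEY_CURRENT_USER, reports the ones that are set, and renders a .reg file that deletes only the offending values rather than whole keys. The policy value names are standard Windows Explorer/System policies; which ones to check, and the .reg output, are this example's own choices.

```python
"""Audit the HKCU policy values behind a locked Display/Background tab, a
disabled Task Manager and a hijacked Active Desktop, and emit a .reg file
that removes only those values.  Added example; not code from the thread.
"""
import sys
from typing import Dict, List, Tuple

try:
    import winreg  # Windows only; evaluate() and build_reg_fix() run anywhere
except ImportError:
    winreg = None

# (subkey under HKEY_CURRENT_USER, value name, effect when set to a non-zero DWORD)
POLICY_VALUES: List[Tuple[str, str, str]] = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoDispBackgroundPage",
     "locks the Background tab of Display Properties"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoDispCPL",
     "blocks the Display control panel entirely"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr",
     "disables Task Manager"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools",
     "disables regedit"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoActiveDesktopChanges",
     "prevents changing Active Desktop"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun",
     "removes Start > Run"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoChangingWallPaper",
     "blocks wallpaper changes"),
]

# Where the wallpaper path lives; a desktop hijacker points it at its own .htm.
WALLPAPER_VALUES = [
    (r"Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper"),
    (r"Control Panel\Desktop", "Wallpaper"),
]

Snapshot = Dict[Tuple[str, str], object]   # (subkey, value name) -> data or None


def read_hkcu(subkey: str, name: str):
    """Data of one HKCU value, or None if the key/value is absent (Windows only)."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, name)
            return data
    except OSError:
        return None


def snapshot_live() -> Snapshot:
    """Collect every value of interest from the live registry."""
    snap: Snapshot = {}
    for subkey, name, _ in POLICY_VALUES:
        snap[(subkey, name)] = read_hkcu(subkey, name)
    for subkey, name in WALLPAPER_VALUES:
        snap[(subkey, name)] = read_hkcu(subkey, name)
    return snap


def evaluate(snap: Snapshot) -> List[Tuple[str, str, str]]:
    """Pure function: (subkey, value name, why) for every suspicious value."""
    findings = []
    for subkey, name, meaning in POLICY_VALUES:
        data = snap.get((subkey, name))
        if isinstance(data, int) and data != 0:
            findings.append((subkey, name, meaning))
    for subkey, name in WALLPAPER_VALUES:
        data = snap.get((subkey, name))
        # A wallpaper that is an HTML document is the Active Desktop hijack trick.
        if isinstance(data, str) and data.lower().endswith((".htm", ".html")):
            findings.append((subkey, name, "wallpaper points at an HTML file: " + data))
    return findings


def build_reg_fix(findings) -> str:
    """Pure function: a .reg file deleting only the flagged values ("name"=- syntax),
    so legitimate policies under the same keys survive."""
    by_key: Dict[str, List[str]] = {}
    for subkey, name, _ in findings:
        by_key.setdefault(subkey, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, names in by_key.items():
        lines.append(f"[HKEY_CURRENT_USER\\{subkey}]")
        for name in names:
            lines.append(f'"{name}"=-')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = evaluate(snapshot_live())
    for subkey, name, why in found:
        print(f"HKCU\\{subkey}\\{name}: {why}")
    if found:
        sys.stdout.write(build_reg_fix(found))   # redirect to fix.reg and merge it
```

After merging the generated file, log off and on (or restart Explorer) so the policy change is re-read, then set the wallpaper again from Display Properties.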
 

Paul Smith

Steve Brown and Pat Wehren said:
I recently experienced a blitz of adware, trojans and dialers apparently
from the same site. While Symantec Antivirus seems to have purged all
serious consequences, I'm left with some weird residual stuff that Symantec
doesn't now detect as an active problem (nor does Ad-aware). The most
annoying thing is the large black and red SPYWARE INFECTION notice that has
replaced my wallpaper (formerly a group of bighorn sheep). When I try to
restore this in the Display icon of the Control panel, I find the function
that allows for selection of "Background" to be frozen. Pretty much
everything else works, although the Task Manager seems to be disabled.
Could someone steer me in the right direction to undo this invasion? My
paltry technical resources lead me to suspect that a file or registry key
was altered, but I have no clue how to troubleshoot these things. Any help
would be greatly appreciated.

I'd try
http://www.microsoft.com/athome/security/spyware/software/default.mspx; if
that doesn't help,

http://www.lavasoft.com/ and
http://www.safer-networking.org/en/index.html both have free tools, although
I'd only recommend running one in the background; Microsoft's one seems
better at this job.

--
Paul Smith,
Yeovil, UK.
http://www.windowsresource.net/
http://www.xbox360degrees.com/

*Remove 'nospam.' to reply by e-mail*
 

Harpo

If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections
for Puper or Alemod that cannot seem to be removed automatically, please
try this automated removal tool.

AntiPuper v1.0 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known Trojan files. These files are
modified by the malware authors and encrypted to avoid detection.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc., this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, windows
update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy cannot be found, the tool
will quickly look for McAfee Antivirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.
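Two of the steps Harpo lists map onto documented Windows mechanisms: Windows File Protection keeps its cache of system DLLs in system32\dllcache, and a file that is locked while Windows is running can be queued for deletion or replacement at the next boot through the Session Manager's PendingFileRenameOperations value, which is exactly what MoveFileEx writes when called with MOVEFILE_DELAY_UNTIL_REBOOT. The Python below is an added example, not secured2k's AntiPuper: it compares the live wininet.dll with the dllcache copy and builds the reboot-time rename pairs. The paytime.exe path in the main block is a hypothetical target, and the demo function creates constructed sample files in a temporary directory so the planning logic can be exercised on any platform.

```python
"""Added example (not AntiPuper): compare the live wininet.dll against the
Windows File Protection copy in system32\\dllcache and queue locked files
for delete/replace at next boot via PendingFileRenameOperations, in the
same format MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) records.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

try:
    import winreg  # Windows only; the planning functions below run anywhere
except ImportError:
    winreg = None

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING = "PendingFileRenameOperations"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def nt_path(path: str) -> str:
    """Session Manager stores NT-style paths: \\??\\C:\\dir\\file."""
    return "\\??\\" + os.path.abspath(path)


def queue_delete(ops: List[str], path: str) -> List[str]:
    """Entries come in pairs (source, destination); an empty destination
    means 'delete the source at boot'."""
    return ops + [nt_path(path), ""]


def queue_replace(ops: List[str], src: str, dst: str) -> List[str]:
    """Rename src over dst at boot.  The leading '!' on the destination is how
    MOVEFILE_REPLACE_EXISTING is recorded; without it the move fails if dst exists."""
    return ops + [nt_path(src), "!" + nt_path(dst)]


def plan_wininet_restore(system32: str, dllcache: str, name: str = "wininet.dll") -> Optional[List[str]]:
    """The rename pair to schedule if the live DLL differs from the WFP cache
    copy, [] if they already match, None if there is no cache copy (the case
    where the file has to be replaced by hand)."""
    live, cached = os.path.join(system32, name), os.path.join(dllcache, name)
    if not os.path.isfile(cached):
        return None
    if os.path.isfile(live) and sha256_of(live) == sha256_of(cached):
        return []
    return queue_replace([], cached, live)


def read_pending() -> List[str]:
    """Current REG_MULTI_SZ contents, or [] when absent or not on Windows."""
    if winreg is None:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as k:
            data, _kind = winreg.QueryValueEx(k, PENDING)
            return list(data)
    except OSError:
        return []


def write_pending(ops: List[str]) -> None:
    """Requires administrator rights.  Always write the existing list plus your
    additions; overwriting it drops renames other installers have queued."""
    if winreg is None:
        raise RuntimeError("not running on Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, PENDING, 0, winreg.REG_MULTI_SZ, ops)


def demo_with_constructed_files() -> Dict[str, Optional[List[str]]]:
    """Build a throwaway system32/dllcache layout with constructed contents and
    return the planner's decision for the clean, tampered and no-cache cases."""
    root = tempfile.mkdtemp()
    s32 = os.path.join(root, "system32")
    dc = os.path.join(s32, "dllcache")
    os.makedirs(dc)
    for p in (os.path.join(dc, "wininet.dll"), os.path.join(s32, "wininet.dll")):
        with open(p, "wb") as f:
            f.write(b"clean wininet.dll (constructed)")
    clean = plan_wininet_restore(s32, dc)
    with open(os.path.join(s32, "wininet.dll"), "wb") as f:
        f.write(b"patched by Alemod (constructed)")
    return {"clean": clean,
            "tampered": plan_wininet_restore(s32, dc),
            "no_cache": plan_wininet_restore(s32, os.path.join(root, "missing"))}


if __name__ == "__main__":
    sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    ops = read_pending()
    plan = plan_wininet_restore(sys32, os.path.join(sys32, "dllcache"))
    if plan:
        ops = ops + plan
    suspect = os.path.join(sys32, "paytime.exe")   # hypothetical target path
    if os.path.exists(suspect):
        ops = queue_delete(ops, suspect)
    print("\n".join(ops) or "nothing to schedule")
    # write_pending(ops)   # uncomment to schedule for real, then reboot
```

Compare hashes rather than version strings: the post notes these DLLs are patched in place, so a file can report the right version and still be modified. Sysinternals PendMoves shows what is currently queued, which is a useful check before and after writing the value.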
 

Guest

Steve,

I've had the exact same problem.... emanating from some program called
"SpySheriff". I've run the suggested Microsoft AntiSpyWare Beta program which
found several registry problems but I still have the blue screen blocking my
wallpaper and, like you, I still can't access the background to change it.
How have you gone... any fixes yet?

David Floyd
Adelaide, Australia
 

Rob Giordano (Crash)

I got hit with the same thing the other day. After removing all traces I
could find: paytime.exe, winstall.exe, and a bunch of other junk I still had
the hijacked screen and the hijacked hosts file. So I thought what the
heck...just go back to a restore point, which I did and all seems fine now.
EzTrust does pick up something every night now, but it gets deleted right
away...maybe something is hiding in the restore files?...dunno, gonna see
what happens tonight.


| Steve,
|
| I've had the exact same problem.... emanating from some program called
| "SpySheriff". I've run the suggested Microsoft AntiSpyWare Beta program which
| found several registry problems but I still have the blue screen blocking my
| wallpaper and, like you, I still can't access the background to change it.
| How have you gone... any fixes yet?
|
| David Floyd
| Adelaide, Australia
|
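Rob mentions a hijacked hosts file alongside the hijacked screen. The usual purpose of that tampering is to map security-vendor and Windows Update hostnames to 127.0.0.1 so the victim cannot download a cleaner, and sometimes to point other hostnames at an attacker's address. The Python below is an added example, not anything posted in this thread: it parses a hosts file the way Windows reads it (whitespace-separated, `#` comments) and flags overrides of protected hostnames even when they go to loopback, plus any hostname mapped to a non-loopback address. PROTECTED_SUFFIXES is an assumed starting list to extend; SAMPLE_HOSTS is constructed.

```python
"""Added example: detect hosts-file hijacking of the kind described in the
thread.  Flags (a) any entry for a security-vendor or Windows Update
hostname, whatever the address, and (b) any hostname mapped to a
non-loopback address.  Sample content is constructed.
"""
import ipaddress
import os
import re
from typing import List, Tuple

# Assumed list; extend with the vendors you actually rely on.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "microsoft.com", "symantec.com", "symantecliveupdate.com",
    "lavasoft.com", "safer-networking.org", "mcafee.com",
)

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOCAL_ADDRS = (ipaddress.ip_address("::1"), ipaddress.ip_address("0.0.0.0"))

Finding = Tuple[int, str, str, str]   # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, address, [hostnames]) for every non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def _protected(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def check_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, addr, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(hosts), "unparseable address"))
            continue
        is_local = ip in LOOPBACK_V4 or ip in LOCAL_ADDRS
        for host in hosts:
            if _protected(host):
                # Loopback is still a hit here: it blackholes the vendor site.
                findings.append((lineno, addr, host, "security/update hostname overridden"))
            elif not is_local and host.lower() != "localhost":
                findings.append((lineno, addr, host, "hostname redirected to non-loopback address"))
    return findings


SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com        # added by hijacker
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com
64.233.160.1    www.google.com          # redirect (address is arbitrary)
127.0.0.1       myprinter.local         # legitimate local override, not flagged
"""


def default_hosts_path() -> str:
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    try:
        with open(default_hosts_path(), encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_HOSTS   # fall back to the constructed sample off-Windows
    for lineno, addr, host, why in check_hosts(text):
        print(f"line {lineno}: {addr} {host}: {why}")
```

The file is often set read-only or hidden by the malware, so if cleaning it fails check its attributes first; and a restore point, as Rob found, brings back the pre-infection copy along with the registry.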
 

Guest

I have the same thing going on. Trojan.Desktophijack. Found this info from
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html
It was crazy, the PC was going nuts. I believe I have gotten rid of all the other
spycrap, VX2, SpySheriff, command, etc.. there were a lot.

I am going to try the registry entries when I get home tonight. I created
this reg file to remove a lot of it.

Windows Registry Editor Version 5.00

; A leading "-" on a key name deletes the whole key when the file is merged.
; Export the keys first (regedit, File > Export) so the change can be undone.

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL]

[-HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087]

; Per-user keys. The original file wrote these as HKEY_USERS\Software\..., which is
; not a valid path (keys under HKEY_USERS sit below a SID); HKEY_CURRENT_USER is the
; logged-on user's hive, so merge this file while logged on as the affected user.

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}]

; Deleting Policies\System removes DisableTaskMgr, NoDispBackgroundPage and the
; other restrictions the hijacker set, but also any legitimate policy stored there.

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Good luck to ya.

DTM
 

Guest

hey Steve and Pat - I just had the same prob. It is a fake message and hard
to get rid of. You have to start your puter in safe mode and then run the
program that detected it. I have Spyware Doctor and once I did this it
removed the red and black message. Good Luck
 
