New Malware/spyware found

Guest

Well I think I have found a new one.
Having the router firewall and the Windows Server 2003 EE SP1 firewall did
not seem to stop this beast from getting in.

I also have MS Anti Spyware beta 1 installed - all definitions up to date as
well as Windows itself.

I was googling, searching for something, click on a link within that page
(this incident happened twice but on different websites) and it redirected to
somewhere else.

It installed automatically its own stuff, anti spyware did not kick in
(even though it was enabled) and the software/malware/whatever just did its
job.

It then downloaded software called spyware strike or something similar to
that name and you get nothing but warnings on your taskbar saying that "your
computer is infected..." blah blah blah from that software.

It also tried to change the IE settings - which MS Anti spyware picked up
and asked for my approval to which I responded "Block" - this approval box
kept appearing every few seconds.

Now, it installs and keeps in memory some files, of which are these:

mssearchnet.exe
nvctrl (no, this is not the nvidia related files)

both these files are located in the %windir%\%sysdir% folders.

They also create tmp files and what not...

Now, I tried scanning the system whilst infected, it didn't pick up anything
unfortunately.

I did google this and found that it is of course spyware/malware and that it
opens a door to lead hackers into the system as well as reporting information
back to them automatically.

When you reboot the system and boot back into Windows - Explorer.exe crashes
constantly giving me the "application read error" messages pointing to
different memory address locations.

Repairing this file does not help, not even deleting the files in recovery
console and replacing them and removing the mssearchnet etc... files.

Even scanning from another system to this infected computer does not help,
it does find some things but even when removed - it still somehow installs
itself.

The only solution - to format and re-install, which should not be an option.

This is of course in no way Microsoft's fault - that is what we are doing,
creating such software to prevent these things happening but no one can be
constantly up to date on the "per second" details of new spyware/anti
software found.

I am unsure if anyone has heard this but this is what is happening. We need
a cure for this.

Many thanks,
 
Tom Emmelot

Hello Ahmed,

see the thread "WARNING ! SpywareStrike"
in announcements 6/7/8/Jan 2006

Regards >*< TOM >*<

Ahmed Ilyas wrote:
 
Guest

Hi,

MSAS is generally a reactive application. It tends to deal with spyware
after it is already on your computer. If you're looking for protection before
it can download to your computer, you'd perhaps be interested in
SpywareBlaster.

http://www.javacoolsoftware.com/spywareblaster.html

Oh, and it sure doesn't hurt to have both of these applications for multiple
layers of protection.

If you want something proactive, add Prevx Home
http://www.prevx.com

YOU must have the expertise since it is your choices and education that
dictate how secure is your system.

I hope this post is helpful, let us know how it works out.

Engel

--
 
Guest

Hi, I have had this same thing start on my computer about 3 days ago and now
there is a non-stop screensaver on my puter saying: your computer may be
infected. I also get the constant warnings every few seconds at the bottom
of my computer screen, what can I do to fix this? I have run my Microsoft
spyware scan and nothing comes up. I would appreciate any help in this
matter.

Thank you
 
Guest

Use Smitrem & Ewido then Ccleaner to remove temp files (Copy and save this to
notepad so you can still view it in safe mode)

Download SmitRem

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Save it to your desktop, double click on the SmitRem.exe file and extract it
to its own folder on the desktop.

Download Ewido Security Suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes (the status bar
at the bottom will display "Update successful") Exit Ewido. DO NOT scan yet.

Download Ccleaner (To Remove Temp and unused files from your system)

http://www.ccleaner.com/ccdownload.asp

Install, then close.

Now reboot to Safe Mode - Restart your computer and immediately begin
tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe
Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run Smitrem :

Open the smitRem folder, then double click the RunThis.bat file to start the
tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive,
eg; Local Disk C: or partition where your operating system is installed.

Run Ewido

Click on the Scanner button in the left menu, then click on complete system
scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and
"Create encrypted backup" before clicking on ok. When the scan finishes,
click on "Save Report" from the bottom of the screen and save it to your
desktop in case you need more help with this.

Run Ccleaner and press "Run Cleaner" then exit.

While still in safe mode reset the Internet Settings: Go to Start Menu then
Control Panel then to Internet Options, click the Programs tab and press
"Reset Web Settings" and include the homepage then press Yes. Then go to the
General tab and enter the homepage you want to use into the space provided
and press Apply.

Then Reboot back to Normal Mode

You will need to reload your wallpaper after this tool finishes. Smitrem
will reset it because Trojans related to this infection will display a
spyware warning as a desktop wallpaper which cannot be removed. To change
your wallpaper right click desktop and choose properties, set the Theme to XP
if you are running XP then go to the Desktop tab and choose your wallpaper
from there.

Some of the Trojans/Exploit files that install this junk also delete Spybot
Search & Destroy's SDHelper.dll so if you have Spybot it's worth reinstalling
to be sure it's not been damaged.

All The Best

Andy
 
