OHPE Ver 4.12_23 'Your computer is infected with spyware managing popup ads' Spywarequake


news.rcn.com

Not sure if these two issues are related but on Thursday I installed PC
Relocator and immediately I got some kind of virus demanding that I buy some
annoying spyware program which pops up every few seconds; leaving me in no
doubt that THIS is the very spyware program which has caused the problem.
The popup appears every ten seconds or so from an exclamation mark in a
yellow triangle which has appeared in my systray along with (at the other
end of the tray to give the impression it isn't related!) a red circle with
a line through it which alternates with a green wheel chair.

In addition every few minutes I get a red flashing error message just above
the red circle telling me that I have a virus infection and a mock system
warning in the centre of the screen demanding that I buy its virus
protection because it has supposedly found 4 errors.

Tried googling OHPE Ver 4.12_23 'Your computer is infected with spyware
managing popup ads' and all I found was that sometime around last November
lots of people had this hi-jacking problem which no one seemed to be able to
cure. Admittedly since that time I have gone over from NIS to AVG. But I am
a bit surprised that neither Spybot nor Adaware has managed to counter it
yet if it has been around for so long?

I have a very advanced hosts file which blocks out most dangerous sites and
ads and when I try to identify which rogue program has infected my computer,
the IE page is redirected to 127.0.0.1. Sometimes I come back to my
computer after a few hours and find up to 27 IE screens open, all with a
Yahoo toolbar which I never installed and all blank of course. However
clicking on the red Critical System Error which pops up every ten minutes
brings up a Spywarequake page demanding that I buy their product to get rid
of whatever they managed to install on my computer.

I have run Trend, Kaspersky and (I think) Sophos from AV-CLS and
coincidentally my anti-virus program which helpfully didn't stop this from
coming in (AVG) keeps duly reporting viruses (something called TROJAN HORSE
DIALER.btg) which it says it is healing. This may be just coincidence
although the incidence of detected viruses has increased markedly since
Thursday. Prior to then, virtually none, since then sometimes 5-20 a day and
both supposedly in emails and in my IE Temporary folder when IE hasn't even
been opened.

Is there any way of ridding myself of this and reporting the offending
company to the appropriate authorities?

I am also obviously worried about relocating anything to a new computer with
a virus! This program has also done something to my Outlook which now both
reports untruly that it wasn't closed properly last time and runs a very
slow mini-scanpst on all folders each time I open it AND then goes into
Outlook with the Outlook splash screen still open in the centre of the
window, preventing the whole program from running
 

news.rcn.com

Which is in progress at the moment. I also 'spent' an hour or so on hold
with Microsoft (I had THEM on hold) trying to tell them about the fact that
this virus was getting past their much vaunted security analysis site; but
in the end had to go off and take a shower and missed when they actually
answered. But I can't help but also wonder why Trend Micro, AVG, Kaspersky
etc also didn't see this infection there?

"David W. Hodgins"
 

news.rcn.com

Are these real viruses? This is an extract of what Sophos found, my having
run Trend, Kaspersky, AVG, etc and found nothing:

Could not open c:\WINDOWS\SYSTEM32\config\system.LOG
Removal failed
Could not open c:\WINDOWS\temp\win22.tmp.exe
Could not open c:\WINDOWS\temp\win23.tmp
Removal successful
 

David H. Lipman

From: "news.rcn.com" <news.rnc.com>

| Are these real viruses? This is an extract of what Sophos found, my having
| run Trend, Kaspersky, AVG, etc and found nothing:
|
| Could not open c:\WINDOWS\SYSTEM32\config\system.LOG
| Removal failed
| Could not open c:\WINDOWS\temp\win22.tmp.exe
| Could not open c:\WINDOWS\temp\win23.tmp
| Removal successful
|

Oh yeah, they're real. Many found in the System Restore cache.
C:\System Volume Information\_restore

'Troj/FakeVir-Q' and 'Troj/Zlob-NN' are why you were subsequently infected with the
SpywareQuake malware.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
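The Java check in the reply above ("the only folder under C:\Program Files\Java should be the latest version") can be done mechanically. The script below is an added example, not code from the thread or from Sun; it parses Sun's JRE folder names (jre1.5.0_07, j2re1.4.2_03 and similar, a naming pattern I am assuming) and flags any install older than JRE 5.0 Update 7, the minimum the reply recommends. The folder list in main() is constructed for demonstration; scan_java_dir() reads a real directory.

```python
"""Flag stale Sun JRE install folders under C:\\Program Files\\Java.

Added example, not part of the original thread. It models the 'simple check'
in the reply above: every folder under the Java directory should be the
current release (jre1.5.0_07 at the time of the post); anything older is a
leftover install with known, actively exploited vulnerabilities.

Assumptions (mine, not the post's): folder names follow the pattern
jre<major>.<minor>.<patch>_<update>, e.g. jre1.5.0_07; j2re1.4.2_03-style
names and a missing _<update> suffix are also handled.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Minimum acceptable release named in the reply: JRE 5.0 Update 7
MIN_OK = (1, 5, 0, 7)

# j2re1.4.2_03, jre1.5.0_07, jre1.5.0 (no update suffix); case-insensitive
_JRE_RE = re.compile(r"^(?:j2re|jre|jdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.I)


def parse_jre_version(folder: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) for a JRE folder name, or None."""
    m = _JRE_RE.match(folder)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def classify(folders: List[str]) -> Dict[str, List[str]]:
    """Bucket folder names into 'ok', 'stale' (older than MIN_OK) and 'unknown'."""
    result: Dict[str, List[str]] = {"ok": [], "stale": [], "unknown": []}
    for name in folders:
        ver = parse_jre_version(name)
        if ver is None:
            result["unknown"].append(name)   # not a JRE folder name we recognise
        elif ver < MIN_OK:                    # tuple comparison: version order
            result["stale"].append(name)
        else:
            result["ok"].append(name)
    return result


def scan_java_dir(path: str = r"C:\Program Files\Java") -> Dict[str, List[str]]:
    """Classify the subfolders of a real Java install directory (empty if absent)."""
    if not os.path.isdir(path):
        return {"ok": [], "stale": [], "unknown": []}
    names = [n for n in os.listdir(path) if os.path.isdir(os.path.join(path, n))]
    return classify(names)


if __name__ == "__main__":
    # Constructed sample: one current install plus two leftovers and a stray file.
    sample = ["jre1.5.0_07", "j2re1.4.2_03", "jre1.5.0_02", "README.txt"]
    for bucket, names in classify(sample).items():
        print(f"{bucket}: {names}")
```

Anything in the "stale" bucket is what the reply says to uninstall before installing the current release; the "unknown" bucket is worth a manual look, since a folder that does not follow the naming pattern is either a non-Sun JVM or something that should not be there.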
 

news.rcn.com

Oh well, AVG seemed like a good idea and came highly recommended by
experts, - though, suspiciously, experts who use Linux!? But I suppose I
had better get rid of it and install NAV again. Pity, it looked as if my
anti virus was really occupying hardly any resources. Was this because it
wasn't doing an anti-virus job properly? I must say it IS locating a huge
number of trojan_horse_dialer.btg viruses both in the temporary internet
files folder as well as those you can see reported by Sophos in the
windows\temp directory which are in fact 0 or 1 byte files AVG has already
cleaned. Ten or twenty a day! In addition it just started a popup headed
COMPLETE TEST which has also found 35 files infected with this dialer in
that folder which it says it deleted and I cannot quite comprehend what this
means: Does it mean that these viruses somehow got through or that the AV
program is doing its job and identifying them? I thought I had deleted those
0 and 1 byte files yesterday? Despite reporting them continuously, are
these 35 OTHERS which have got through? During its own test, it saw three
more of these come in!

I wonder if the other anti viruses didn't see it because I ran them before
running roguescanfix and smitRem or is Sophos just better? Sorry to admit
this but I cannot make head nor tail of the figures set out in the reports
at http://www.av-comparatives.org/. Especially if these viruses can get
through AVG!

And my whole computer has slowed to a complete crawl so I suppose I had
better do an SFC /purgecache and / scannow to see what else these viruses
screwed up!
 

news.rcn.com

David H. Lipman said:
From: "news.rcn.com" <news.rnc.com>

| Are these real viruses? This is an extract of what Sophos found, my having
| run Trend, Kaspersky, AVG, etc and found nothing:
|
| Could not open c:\WINDOWS\SYSTEM32\config\system.LOG
| Removal failed
| Could not open c:\WINDOWS\temp\win22.tmp.exe
| Could not open c:\WINDOWS\temp\win23.tmp
| Removal successful
|

Oh yeah, they're real. Many found in the System Restore cache.
C:\System Volume Information\_restore

'Troj/FakeVir-Q' and 'Troj/Zlob-NN' are why you were subsequently infected
with the SpywareQuake malware.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.
If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to
JRE/JSE Version 5.0.

My version of Java was way out of date!

Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool --
SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }

Bud Perry Deres Jus One Thing I Dont Understand: does all this mean that the
McAfee scan engine is BETTER than the others which seem to have let these
past? And how come none of them seem to relate to the viruses I earlier
identified?

Please Copy and Paste the contents of the HTML Log files;

Interestingly enough the process did find these 9 further viruses. These are
the relevant bits:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE ... Found potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\WINDOWS\SYSTEM\im64.dll ... Found potentially unwanted program Adware-Netpals.
The file or process has been deleted.
C:\WINDOWS\BELT.INI ... Found potentially unwanted program IPSentry.
The file or process has been deleted.
C:\System Volume Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP342\A0057475.exe ... Found potentially unwanted program SpywareQuake.
The file or process has been deleted.
C:\System Volume Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP343\A0057530.exe ... Found potentially unwanted program SpywareQuake.
The file or process has been deleted.
C:\System Volume Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP343\A0058594.exe ... Found potentially unwanted program PrcViewer.
The file or process has been deleted.
C:\System Volume Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP345\A0058956.dll\00017b68.EXE ... Found potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\System Volume Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP345\A0058957.dll ... Found potentially unwanted program Adware-Netpals.
The file or process has been deleted.
C:\System Volume Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP345\A0058958.INI ... Found potentially unwanted program IPSentry.
The file or process has been deleted.

> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

I'll repost if safe mode scan sees even MORE viruses!!
 

David H. Lipman

From: "news.rcn.com" <news.rnc.com>

< snip >

|
| Interestingly enough the process did find these 9 further viruses. These are
| the relevant bits:
| C:\Program Files\Common
| Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE ... Found
| potentially unwanted program Downloader-AGT.
| The file or process has been deleted.
| The archive has been deleted.


The WeatherBug Downloader Trojan. It is an Adware Downloader.


| C:\WINDOWS\SYSTEM\im64.dll ... Found potentially unwanted program
| Adware-Netpals.


Adware, not virus.


| The file or process has been deleted.
| C:\WINDOWS\BELT.INI ... Found potentially unwanted program IPSentry.
| The file or process has been deleted.

The rest were all in the System Restore cache.
C:\System Volume Information\_restore


No viruses found.
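The triage in the reply above (three adware items on the live system, everything else only in the System Restore cache, nothing classed as a virus) can be automated over the scan report pasted earlier in the thread. The script below is an added example; it is not code from the thread and not McAfee's tooling. It assumes the report's line shape as quoted ('<path> ... Found <description>.' followed by status lines starting with 'The ', with long paths wrapped across lines), treats 'potentially unwanted program <name>' as the PUP form, and flags anything under C:\System Volume Information\_restore as a restore-point copy. SAMPLE_REPORT is constructed from lines quoted in the thread, wrapping included, so the re-join logic is exercised.

```python
"""Triage a McAfee command-line scan report the way the reply above does.

Added example; not part of the original thread and not McAfee's own tooling.
It parses 'Found potentially unwanted program <name>' lines, re-joins paths
the report wrapped across lines, and separates live detections from ones
sitting in the System Restore cache (C:\\System Volume Information\\_restore),
which is the distinction the reply draws: adware on the live system, the
rest only in restore points, no viruses.

Assumptions (mine): a detection line looks like '<path> ... Found
<description>.' and is followed by status lines beginning with 'The ';
'potentially unwanted program <name>' is the PUP form and any other
description is kept verbatim. SAMPLE_REPORT is constructed from the lines
quoted in the thread, including their line wrapping.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

RESTORE_PREFIX = r"c:\system volume information\_restore"

# '<path> ... Found <what>.'  (wrapped lines in the thread carry four dots)
_FOUND_RE = re.compile(r"^(?P<path>.+?) \.{3,} Found (?P<what>.+?)\.?$")
_PUP_RE = re.compile(r"^potentially unwanted program (?P<name>.+)$")

SAMPLE_REPORT = r"""
C:\Program Files\Common
Files\Real\WeatherBug\MiniBugTransporter.dll\00017b68.EXE ... Found
potentially unwanted program Downloader-AGT.
The file or process has been deleted.
The archive has been deleted.
C:\WINDOWS\SYSTEM\im64.dll ... Found potentially unwanted program Adware-Netpals.
The file or process has been deleted.
C:\WINDOWS\BELT.INI ... Found potentially unwanted program IPSentry.
The file or process has been deleted.
C:\System Volume
Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP342\A0057475.exe
.... Found potentially unwanted program SpywareQuake.
The file or process has been deleted.
C:\System Volume
Information\_restore{0F20BA62-02EA-4B67-BE33-AE5D6F74EF90}\RP345\A0058957.dll
.... Found potentially unwanted program Adware-Netpals.
The file or process has been deleted.
"""


@dataclass
class Finding:
    path: str
    detection: str          # e.g. 'Adware-Netpals'
    pup: bool               # classed as potentially unwanted, not as a virus
    in_restore_cache: bool  # lives under System Volume Information\_restore
    deleted: bool


def parse_report(text: str) -> List[Finding]:
    """Extract findings, re-joining paths that the report wrapped."""
    findings: List[Finding] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Status lines follow a finding and never start a new path.
        if line.startswith("The ") and findings and not buf:
            if line == "The file or process has been deleted.":
                findings[-1].deleted = True
            continue
        buf = f"{buf} {line}" if buf else line
        m = _FOUND_RE.match(buf)
        if not m:
            continue  # path or description continues on the next line
        path, what = m.group("path"), m.group("what")
        pm = _PUP_RE.match(what)
        findings.append(Finding(
            path=path,
            detection=pm.group("name") if pm else what,
            pup=pm is not None,
            in_restore_cache=path.lower().startswith(RESTORE_PREFIX),
            deleted=False,
        ))
        buf = ""
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into live-system items, restore-point copies and non-PUPs."""
    return {
        "live": [f for f in findings if not f.in_restore_cache],
        "restore_cache": [f for f in findings if f.in_restore_cache],
        "not_pup": [f for f in findings if not f.pup],
    }


if __name__ == "__main__":
    for bucket, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket}: {[f.detection for f in items]}")
```

The "live" bucket is what was actually running or loadable on the machine; the "restore_cache" bucket is copies System Restore snapshotted, which a scanner will keep reporting until the restore points are purged; an empty "not_pup" bucket is the reply's "No viruses found".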
 

news.rcn.com

So it DIDN'T find the viruses supposedly noted by Sophos? And AVG may well
be doing its job properly?

Interestingly, my computer is now screamingly fast with all that adware
removed. I wonder why the much vaunted Adaware (and Spybot) gave it such a
clean bill of health so often when the problems were so bad that they were
bringing the whole computer down to the level of a 75 MHz? Especially if the
adware was in the system restore cache???
 
