Spyware Infection Desktop

Guest

I'm currently on a Compaq Presario V2000 laptop. Before I had set up my
antispyware software, I got a desktop background saying:

SPYWARE
INFECTION

Your system is infected with spyware. Windows recommends you to use a
spyware removal tool to prevent loss of important data and increase system
performance. Using this PC before having it cleaned from spyware threats is
highly discouraged.


I removed the spyware and now when I try to change my desktop, it still
remains the SPYWARE INFECTION desktop. Help Please.
 
David H. Lipman

From: "BadWithTechnology" <[email protected]>

| I'm currently on a Compaq Presario V2000 laptop. Before I had set up my
| antispyware software, I got a desktop background saying:
|
| SPYWARE
| INFECTION
|
| Your system is infected with spyware. Windows recommends you to use a
| spyware removal tool to prevent loss of important data and increase system
| performance. Using this PC before having it cleaned from spyware threats is
| highly discouraged.
|
| I removed the spyware and now when I try to change my desktop, it still
| remains the SPYWARE INFECTION desktop. Help Please.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shut down/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shut down. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
Guest

Hey BWT,

Just go into start > control panel > appearance and themes > Display >
desktop tab > customize desktop button > web tab > uncheckmark and delete all
entries in there > ok > ok > restart. Good Luck

Joe

Kemco Technician
 
David H. Lipman

From: "Kemco" <[email protected]>

| Hey BWT,
|
| Just go into start > control panel > appearance and themes > Display >
| desktop tab > customize desktop button > web tab > uncheckmark and delete all
| entries in there > ok > ok > restart. Good Luck
|
| Joe
|
| Kemco Technician
|


And how will that remove the SmitFraud Trojan (or FakeAlert, ZLob, etc.) that has caused
this?
How about if the malware has also set the Policies to limit the user's ability to change the
Desktop?
 
Guest

I am trying to remove the spyware off my computer, but it won't let me. It
tells me the system is locked and can't close it down. Now what?
 
David H. Lipman

From: "missie" <[email protected]>

| I am trying to remove the spyware off my computer, but it won't let me. It
| tells me the system is locked and can't close it down. Now what?
|


The same advice I gave the OP...

Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07

http://www.java.com/en/download/manual.jsp

Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html

Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shut down/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shut down. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072

Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
Guest

The OP stated:

| I removed the spyware and now when I try to change my desktop, it still
| remains the SPYWARE INFECTION desktop. Help Please.

I suppose I should have covered that he may still have smitfraud but I was
assuming, and I know that it's not the right thing to do, that when he says he
removed the spyware that he had an anti-spyware capable of removing the
threats. My bad, I guess....

Joe

Kemco Technician
 
David H. Lipman

From: "Kemco" <[email protected]>

| The OP stated:
|
|> I removed the spyware and now when I try to change my desktop, it still
|> remains the SPYWARE INFECTION desktop. Help Please.
|
| I suppose I should have covered that he may still have smitfraud but I was
| assuming, and I know that it's not the right thing to do, that when he says he
| removed the spyware that he had an anti-spyware capable of removing the
| threats. My bad, I guess....
|
| Joe
|
| Kemco Technician
|

The utilities I posted, including my own, are written specifically for this family of
malware and will remove the policies that block changes to the desktop as well as other
known relationships with this family of malware.
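
A read-only check for the desktop-locking policies discussed in the replies above, as an added example that is not part of the thread and is not one of the posted tools. It lists standard Windows policy values that restrict wallpaper changes, plus the Active Desktop web items reachable through the Control Panel route; which values this malware family actually sets is not stated in the thread, so the list is an assumption.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
# Assumption: these standard Windows policy values are the ones of interest;
# the thread does not list which policies the malware sets.
$policyRoot = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Key = 'ActiveDesktop'; Name = 'NoChangingWallPaper';    Effect = 'wallpaper cannot be changed' }
    @{ Key = 'System';        Name = 'Wallpaper';              Effect = 'forces a specific wallpaper file' }
    @{ Key = 'System';        Name = 'NoDispBackgroundPage';   Effect = 'hides the Desktop tab' }
    @{ Key = 'System';        Name = 'NoDispCPL';              Effect = 'disables Display in Control Panel' }
    @{ Key = 'Explorer';      Name = 'ForceActiveDesktopOn';   Effect = 'forces Active Desktop on' }
    @{ Key = 'Explorer';      Name = 'NoActiveDesktopChanges'; Effect = 'blocks Active Desktop changes' }
)

# Check both the per-user and the machine-wide policy hives.
$findings = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($c in $checks) {
        $path = '{0}\{1}\{2}' -f $hive, $policyRoot, $c.Key
        $prop = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $value = $prop.($c.Name)
            [pscustomobject]@{
                Path   = $path
                Name   = $c.Name
                Value  = $value
                Active = [bool]$value      # non-zero DWORD or non-empty string
                Effect = $c.Effect
            }
        }
    }
}

# Active Desktop web items: the entries shown on the "Web" tab of Desktop Items.
$components = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$webItems = Get-ChildItem -Path $components -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Item = $_.PSChildName; Source = $p.Source }
    }

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No desktop-related policy values are set.' }
if ($webItems) { $webItems | Format-Table -AutoSize -Wrap }
else           { 'No Active Desktop web items are registered.' }
```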
 
Jay

I'm currently using Ad-aware and the McAfee security centre, do you
think this is a sufficient amount of security to repel current spyware
threats?

Regards,
Jay
 
David H. Lipman

From: "Jay" <[email protected]>

| I'm currently using Ad-aware and the McAfee security centre, do you
| think this is a sufficient amount of security to repel current spyware
| threats?
|
| Regards,
| Jay


No. Insufficient to fully get rid of this family of malware.
That's why these specialty tools exist.
 
Plato

Jay said:
I'm currently using Ad-aware and the McAfee security centre, do you
think this is a sufficient amount of security to repel current spyware
threats?

No. Best bet is NOT to install spyware in the first place.
 
