A new hijacking

floresrikitic

This one doesn't seem to be affecting things too much EXCEPT
that I now have a wallpaper that won't go away. It's a blood-
red screen with a black area in the middle with "DANGER: SPYWARE"
flashing in huge red letters. Then it goes on to tell me how
I can pay them extortion money (my words not theirs) "for as
low as $49.95" to get rid of the shit. My homepage had also
been replaced by a warning from them, that I was being watched,
along with listing my DNS etc. etc. (I think I've gotten
rid of that problem, but the wallpaper I haven't been able to.)

All this crap started yesterday after very briefly visiting
an adult site. I wish they all had one neck and my hands
were around it. It'll stop when these scum start being sent
to prison for doing this. I've run HijackThis and Spybot,
and have of course tried to change my wallpaper, but of course
they've covered that and I can't override what they've done.
Not yet anyway. Anybody know about this one and what to
do to solve it? Thanks a bunch.
 
kurttrail

floresrikitic said:
This one doesn't seem to be affecting things too much EXCEPT
that I now have a wallpaper that won't go away. It's a blood-
red screen with a black area in the middle with "DANGER: SPYWARE"
flashing in huge red letters. Then it goes on to tell me how
I can pay them extortion money (my words not theirs) "for as
low as $49.95" to get rid of the shit. My homepage had also
been replaced by a warning from them, that I was being watched,
along with listing my DNS etc. etc. (I think I've gotten
rid of that problem, but the wallpaper I haven't been able to.)

All this crap started yesterday after very briefly visiting
an adult site. I wish they all had one neck and my hands
were around it. It'll stop when these scum start being sent
to prison for doing this. I've run HijackThis and Spybot,
and have of course tried to change my wallpaper, but of course
they've covered that and I can't override what they've done.
Not yet anyway. Anybody know about this one and what to
do to solve it? Thanks a bunch.

LOL! People that get spyware, get what they pay for, and deserve it.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.com/mscommunity
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei"
 
Alias

Write zeros to your hard drive and reload Windows. OR, spend the next who
knows how many hours trying to track down the spyware and not really know if
you've gotten rid of it all or not.

I trust you have backed up your data.

Alias

P.S. Next time you want porno, rent a DVD.
 
Malke

floresrikitic said:
This one doesn't seem to be affecting things too much EXCEPT
that I now have a wallpaper that won't go away. It's a blood-
red screen with a black area in the middle with "DANGER: SPYWARE"
flashing in huge red letters. Then it goes on to tell me how
I can pay them extortion money (my words not theirs) "for as
low as $49.95" to get rid of the shit. My homepage had also
been replaced by a warning from them, that I was being watched,
along with listing my DNS etc. etc. (I think I've gotten
rid of that problem, but the wallpaper I haven't been able to.)

All this crap started yesterday after very briefly visiting
an adult site. I wish they all had one neck and my hands
were around it. It'll stop when these scum start being sent
to prison for doing this. I've run HijackThis and Spybot,
and have of course tried to change my wallpaper, but of course
they've covered that and I can't override what they've done.
Not yet anyway. Anybody know about this one and what to
do to solve it? Thanks a bunch.

When visiting "adult sites", never download the "free viewer". There is
no free lunch; those "viewers" are trojan horses or other malware.

Go through the following malware removal steps, doing everything in Safe
Mode with updated tools. It would be smart to get all the tools and
updates from a different, known-clean computer with Internet access and
a cd burner (or have a usb thumbdrive with enough capacity to transfer
the files).

http://www.elephantboycomputers.com/page2.html#Removing_Malware

To get rid of the desktop warning being displayed by malware, go to the
Display applet in Control Panel and look on the Desktop tab. Click on
Customize Desktop, and then click on the Web tab. You will see that
there are checkmarks next to "My Current Home Page" and probably "Lock
Desktop Items". Uncheck these. By highlighting the "My Current Home
Page" and clicking on the Properties button, you will be able to
determine the name of the file that is the message. It might be called
something like "security.html" or the like.

Click Apply and OK out when you've made your changes. Then you want to
find the *.html malware file and delete it.

If you can't enable desktop backgrounds after a virus, MVP Kelly Theriot
has a fix. Look under Wallpaper-Desktop-Disable Changing here:

http://www.kellys-korner-xp.com/xp_w.htm

If Display tabs are missing, run Kelly's registry edit on line 285,
right-hand side "Restore all display tabs".

Malke
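Malke's steps above go through the Display applet by hand. The following is an added example of mine, not Malke's and not code from the thread or from any tool it names, that does the same triage offline: it parses the text of a `reg export` of the Active Desktop and Policies branches (an assumed workflow: export on the infected box, inspect on the known-clean machine Malke suggests using for the tools), reports which desktop component points at a local .html file and which policy values are locking the wallpaper, and writes the .reg file that removes those entries. The sample export and the file names in it (desktop.html, desktop.bmp) are constructed; the .html file on disk still has to be deleted by hand, as described above.

```python
r"""Offline check of 'reg export' output for an Active Desktop wallpaper hijack.
Added example; not code from the thread or from any tool it names. Assumed
workflow (my assumption, not from the post): on the infected box run
  reg export "HKCU\Software\Microsoft\Internet Explorer\Desktop" desktop.reg
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" pol.reg
then read both on a clean machine with open(path, encoding="utf-16").read().
The sample export below and every file name in it are constructed."""
import re
from typing import Dict, List, Optional, Tuple

RegKeys = Dict[str, Dict[str, object]]
COMPONENTS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
# Standard XP policy values that stop the user from changing the desktop.
LOCK_POLICIES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop":
        ("NoChangingWallPaper", "NoComponents", "NoHTMLWallPaper"),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("NoDispBackgroundPage", "Wallpaper"),
}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)             # \\ -> \  and  \" -> "

def _decode(rhs: str) -> object:
    if rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])               # REG_SZ
    if rhs.lower().startswith("dword:"):
        return int(rhs[6:], 16)                   # REG_DWORD
    if rhs == "-":
        return None                               # '=-' deletes the value
    return rhs                                    # hex(...) blobs left raw

def parse_reg(text: str) -> RegKeys:
    """Minimal parser for the .reg text format: key paths, REG_SZ, REG_DWORD."""
    keys: RegKeys = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))   # '@' is (Default)
            keys[current][name] = _decode(m.group(3))
    return keys

def _lookup(keys: RegKeys, path: str) -> Dict[str, object]:
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})

def find_hijack(keys: RegKeys) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (components backed by a local file, lock policy values that are set)."""
    components = []
    for path, values in keys.items():
        if not path.lower().startswith(COMPONENTS.lower() + "\\"):
            continue
        src = str(values.get("Source", ""))
        # A real web component points at a URL; the hijack points at the .html it
        # dropped on disk, which is the file that still has to be deleted by hand.
        if src.lower().startswith("file:") or re.match(r"^[a-z]:\\", src, re.I):
            components.append((path, src))
    locks = []
    for path, names in LOCK_POLICIES.items():
        values = _lookup(keys, path)
        locks += [f"{path}\\{n}" for n in names if values.get(n) not in (None, 0, "")]
    return components, locks

def undo_reg(keys: RegKeys) -> str:
    """Emit a .reg file that deletes the flagged component keys and lock values."""
    components, locks = find_hijack(keys)
    out = ["Windows Registry Editor Version 5.00", ""]
    for path, _ in components:
        out += [f"[-{path}]", ""]                 # leading '-' deletes the key
    by_key: Dict[str, List[str]] = {}
    for full in locks:
        key, _, name = full.rpartition("\\")
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        out += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(out)

# Constructed sample export: one rogue "Security Info" component plus two lock policies.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\desktop.html"
"FriendlyName"="Security Info"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\desktop.bmp"
"""
```

On a real export, call `undo_reg(parse_reg(open("desktop.reg", encoding="utf-16").read()))` and save the result as a .reg file to merge with regedit. Check each flagged component before merging: a web component you added yourself from a local file would match the local-file rule too.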
 
Guest

I dealt with this one on a few systems last week. If you run a good online
scan (i.e. Trend Micro), it should identify that wininet.dll is infected, but it
can't be cleaned because it starts at boot. Use a decent boot disc, take a
good copy of wininet.dll, delete the current one and replace it with the new
one. This should solve your issue.
 
Bob Smith

kurttrail said:
LOL! People that get spyware, get what they pay for, and deserve it.

I concur. Now, in saying that, here are some suggestions to get rid of that
bugger. First, make a note of who is offering that $49.95 fix, as you can
use that information to report them to the government authorities.

Next, make sure that your Anti-Virus software definitions file is up to
date. Click on the update feature to see.

Go back into Spybot S & D, and check for a more recent updated definitions
file. Go into the inoculate tab, and inoculate your system. Don't run the
program yet.

Go to www.majorgeeks.com , click on their spyware detection link in the left
frame, and download SpywareBlaster & Ad-Aware SE. Install each one of them,
and then click their update functions to make sure that you have the most
recent definition files. Don't run Ad-Aware just yet.

Reboot your computer into safe mode, and then run your anti-virus program,
Ad-Aware & Spybot ... one at a time. Either one of those programs should be
able to find and delete that nasty. Reboot your computer into regular mode
and see if it shows up again.

If it does, then run HiJackThis and post your log at one of the following
forums.

(http://aumha.net/viewforum.php?f=30)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://castlecops.com/forum67.html)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://www.spywarewarrior.com/viewforum.php?f=2)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://www.wilderssecurity.com/forumdisplay.php?f=24)
(http://boards.cexx.org/viewforum.php?f=1)
(http://www.malwarebytes.biz/forums/index.php?showforum=5)
(http://forum.gladiator-antivirus.com/index.php)
(http://www.dslreports.com/forum/security)

Someone from one of these sites can provide some answers for you.

Oh one more thing ... STFA from porn sites ...

Bob
 
Guest

I found Webroot's Spy Sweeper cleaned up a lot of crap on my comp, but you
probably have worse bugs. Hope it helps. Is it in your Add/Remove Programs??
 
floresrikitic

kurttrail said:
LOL! People that get spyware, get what they pay for, and deserve it.

Uh, could you elaborate? BTW, I didn't "pay" for anything, and
wasn't seeking anything at a porn site. I was looking for
a particular NON-porno image on Google and I ended up getting
tagged by these scum. As for your worthless post, why'd you
bother? But a big THANKS to the rest of you guys.
 
DanS

I'll top-post here, but I just wanted to mention to give M$ Anti-spyware
a go as well.

I found that Spybot's 'inoculate system' TeaTimer thing really did
nothing for me.

MS AS is the only one of the freebies that has a realtime monitor.
 
kurttrail

floresrikitic said:
Uh, could you elaborate? BTW, I didn't "pay" for anything, and
wasn't seeking anything at a porn site.

But you went to one. I often search for photos on the web, yet never
get fooled into going to XXX sites, nor get spyware. You pay for your
ignorance.

floresrikitic said:
I was looking for
a particular NON-porno image on Google and I ended up getting
tagged by these scum.

LOL!

floresrikitic said:
As for your worthless post, why'd you
bother?

Because, I believe in ridicule as motivation to wake people out of their
ignorance. Certainly got your attention, as my post is the only one you
replied to.

floresrikitic said:
But a big THANKS to the rest of you guys.

Not everyone who gave you advice is a guy.

 
Gabriele Neukam

On that special day, kurttrail,
([email protected]) said...
But you went to one. I often search for photos on the web, yet never
get fooled into going to XXX sites, nor get spyware. You pay for your
ignorance.

Ah, yes? Look up "Brian Frond", and "picture" (he drew fascinating elf
pictures). You'll be amazed what will be thrown at you, especially how
much Google spamming is done for Tattoos. And if it isn't Tattoos, the
innocent looking links will redirect you to a very XXX like site.


Gabriele Neukam

(e-mail address removed)
 
kurttrail

Gabriele said:
On that special day, kurttrail,
([email protected]) said...

Ah, yes? Look up "Brian Frond", and "picture" (he drew fascinating elf
pictures).

http://images.google.com/images?as_...as_filetype=&imgc=&as_sitesearch=&safe=images

Gabriele said:
You'll be amazed what will be thrown at you, especially how
much Google spamming is done for Tattoos. And if it isn't Tattoos, the
innocent looking links will redirect you to a very XXX like site.

http://images.google.com/images?as_...as_filetype=&imgc=&as_sitesearch=&safe=active

If you know how to search and interpret the results, then you get
nothing. Fools catch what they deserve.

 
Fitz

By your reply, "If you know how to search and interpret the results, then
you get nothing. Fools catch what they deserve.", if a person doesn't know
how to "search and interpret"...then he's a fool? Perhaps he's a newbie (as
we all were at one time) or unknowingly clicked a link he shouldn't have. I
consider myself an expert in some business areas but would never call
someone a fool because they didn't know as much as I did in my particular
area of expertise. IMO.

--
***
NEVER download files from anywhere unless it is from the website of the
developer, manufacturer or some entity that you trust. They ALWAYS have the
most up to date files that haven't been tampered with by some third party
who is "hosting" (read Leeching) those files without permission.
***
 
kurttrail

Fitz said:
By your reply, "If you know how to search and interpret the results,
then you get nothing. Fools catch what they deserve.", if a person
doesn't know how to "search and interpret"...then he's a fool? Perhaps
he's a newbie (as we all were at one time) or unknowingly
clicked a link he shouldn't have. I consider myself an expert in
some business areas but would never call someone a fool because they
didn't know as much as I did in my particular area of expertise. IMO.


Any noob, at this point, in the western world, is a fool. Basic safe
computing isn't an area of expertise, but a matter of common sense.

And apologists for fools are scum.

 
Harold

kurttrail said:
Any noob, at this point, in the western world, is a fool. Basic safe
computing isn't an area of expertise, but a matter of common sense.

Arrogant nonsense. They are not fools.
Every newbie, as we have all been, has to learn about safe browsing.
Every child has to be taught how to cross the road safely. It wasn't
instilled at birth.
Home computers didn't exist in my early days, and later on my work never
required their use. I've plenty of common sense, but I still had to *learn*.
 
kurttrail

Harold said:
Arrogant nonsense. They are not fools.
Every newbie, as we have all been, has to learn about safe browsing.
Every child has to be taught how to cross the road safely. It wasn't
instilled at birth.
Home computers didn't exist in my early days, and later on my work
never required their use. I've plenty of common sense, but I still
had to *learn*.

And by now most people in the western world should have learned. There
really is little excuse other than poverty.

Keep enabling ignorance, by apologizing for fools.

 
Asher_N

kurttrail said:
And by now most people in the western world should have learned. There
really is little excuse other than poverty.

Keep enabling ignorance, by apologizing for fools.

Most people in the western world do not have computers. Most people in
the Western world that have access to computers do so at work, where
professional IT staff shields them from the complexity of security. Most
people in the Western world that have computers at home only access the
'net through dial-up.
 
Harold

kurttrail wrote:

Keep enabling ignorance, by apologizing for fools.

There's only one fool in this thread.
Why not try preventing ignorance by helping, rather than ridiculing?
No matter whether it's the Western, Eastern, Northern or Southern world.
Or the third, fourth or fifth world.

Over and out.
 
pcbutts1

Sounds like SmitFraud. Here is my canned answer and fix for that issue.

Windows XP/2K (includes Ewido)

You may want to print out or make a copy of these instructions before
starting, because you will not be able to connect to the internet during
most of this fix.

Please download smithrem.zip and save it to your desktop
http://www.pcbutts1.com/downloads/smithrem.zip
Right click on the file and extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security
Suite:
When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu"
http://www.pcbutts1.com/downloads/ewidosetup.exe .

From the main Ewido screen, click on update in the left menu, then click the
Start update button.
After the update finishes, the status bar at the bottom will display "Update
successful"
Exit Ewido. DO NOT run a scan yet.

If you do not already have Ad-Aware SE 1.06 installed, download
http://www.pcbutts1.com/downloads/aawsepersonal.exe
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows
icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.
Now scan with HJT http://www.pcbutts1.com/downloads/HijackThis.zip and place
a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http:://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http:://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http:://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page
=http:://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http:://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http:://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http:://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http:://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} -
C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security
iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)


Delete any other malware files not associated with the smitfraud variants
and SpySheriff.


Open the smithrem folder, then double click the RunThis.bat file to start
the tool. Follow the prompts on screen. Your desktop and icons will
disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a
while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite
Click on Scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one. If
ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
When the scan is finished, click the Save report button at the bottom of the
screen.
Save the report to your desktop
Close Ewido

Next go to Start -> Control Panel, click Display -> Desktop -> Customize
Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run Panda's online virus scan and perform a full system scan
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm .
Make sure the Autoclean box is checked!

Finally, restart your computer once more, and please post a new HijackThis
log as well as the log from the Ewido scan and the log from the smitRem
tool, which will be located at C:\smitfiles.txt.
Let me know if any problems persist.



Please Note: You may not find every file listed as you state you have
already removed some of the SmitFraud files.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
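pcbutts1's fix above hands the reader a list of HijackThis entries to tick by eye. The following is an added example of mine, not pcbutts1's and not code from HijackThis or the thread, that runs the same triage over a HijackThis log as text: it parses the R0/R1/O2/O4/O9 entries and flags the indicators quoted in the post (the quicknavigate.com and startsearches.net redirects, the all-F BHO CLSID, the WindowsFY/WindowsFZ/Security iGuard/PSGuard Run entries, the wldr.dll "Microsoft AntiSpyware helper" item). The generic rules beyond those exact indicators, an autorun executable in the drive root, a BHO loaded from a .tmp file, are my heuristics and will need review on a real log. The sample log is constructed from the entries listed above plus two benign lines for contrast.

```python
"""Triage of HijackThis-style log lines for the SmitFraud indicators quoted in
the post above. Added example; not code from the thread or from HijackThis.
The sample log is constructed: the hosts, CLSIDs and file names are the ones
listed above, plus two benign lines (google start page, ctfmon) for contrast."""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line: str
    reason: str


SUSPECT_HOSTS = {"quicknavigate.com", "startsearches.net"}
SUSPECT_RUN_NAMES = {"windowsfy", "windowsfz", "security iguard", "psguard"}
ALL_F_CLSID = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}"
SUSPECT_CLSIDS = {ALL_F_CLSID, "{D5BC2651-6A61-4542-BF7D-84D42228772C}"}
SUSPECT_FILES = {"wldr.dll", "zloader3.exe"}

_ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
_URL_RE = re.compile(r"https?:?://([^/\s]+)", re.I)    # also accepts the http:// defanging used above
_RUN_RE = re.compile(r"^HK(?:CU|LM)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
_CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
_FILE_RE = re.compile(r"[^\\\s]+\.(?:exe|dll|tmp)\b", re.I)


def _host(body: str) -> Optional[str]:
    m = _URL_RE.search(body)
    if not m:
        return None
    h = m.group(1).lower()
    return h[4:] if h.startswith("www.") else h


def triage(log: str) -> List[Finding]:
    """Return one Finding per log line that matches a rule; benign lines are skipped."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        c = _CLSID_RE.search(body)
        clsid = c.group(0).upper() if c else None
        files = _FILE_RE.findall(body)
        basename = files[-1].lower() if files else ""   # last file-like token is the target
        reason = None
        if kind in ("R0", "R1"):                      # IE start / search page settings
            host = _host(body)
            if host in SUSPECT_HOSTS:
                reason = f"IE start/search setting redirected to {host}"
        elif kind == "O2":                            # browser helper objects
            if clsid == ALL_F_CLSID:
                reason = "BHO registered under a placeholder all-F CLSID"
            elif basename.endswith(".tmp"):
                reason = "BHO loaded from a .tmp file"
        elif kind == "O4":                            # Run keys
            r = _RUN_RE.match(body)
            if r:
                name, target = r.group(1), r.group(2)
                if name.lower() in SUSPECT_RUN_NAMES or basename in SUSPECT_FILES:
                    reason = f"Run entry uses known rogue name '{name}'"
                elif re.match(r"^[a-z]:\\[^\\]+\.exe$", target, re.I):
                    reason = "Run entry launches an executable from the drive root"
        elif kind == "O9":                            # extra IE buttons / Tools menu items
            if clsid in SUSPECT_CLSIDS or basename in SUSPECT_FILES:
                reason = "IE menu item impersonating a security product"
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Constructed sample log: the post's entries plus two benign lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp6DD8.tmp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {D5BC2651-6A61-4542-BF7D-84D42228772C} - C:\WINDOWS\System32\wldr.dll (HKCU)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

Feed it a saved hijackthis.log with `triage(open("hijackthis.log").read())`; it reports seven of the nine sample lines and leaves the google start page and ctfmon alone. The exact-indicator rules only catch the variant quoted in this thread, so treat the output as a shortlist to check, not a verdict.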
 
