Adware and hijacking, please help!

Guest

Please forgive me I am not super computer literate but I really need some help.

A couple of days ago I noticed a weird little icon in the tray on the right
hand side of the screen near the clock. It was blinking between a question
mark and an X and sometimes a little bubble would come up that said "critical
system errors!" If you click on it or open Internet Explorer you are taken to
"iesecurepage.com" and it tries to tell me that I have adware on my PC and I
need to download this program to fix it. Well I don't trust this program and
I think it is what is causing the problems so after searching for help I go
to try to download Ad-Aware because it is a well known trusted program.
Whenever I click on the link to try to download it I am taken to what looks
like a "cannot find server" page and a little bar is at the top (like when a
pop up is blocked) that says "this web site is being blocked because you have
spyware on your PC, click here to download spyware doctor to fix it" But I
don't want to download spyware doctor. Please help me fix this, I don't want
to have to reformat my hard drive.

Also I tried to do a system restore from about a week ago but it failed
because it said there had been no changes made to my computer.
 
David H. Lipman

From: "Robin" <[email protected]>

| Please forgive me I am not super computer literate but I really need some help.
|
| A couple of days ago I noticed a weird little icon in the tray on the right
| hand side of the screen near the clock. It was blinking between a question
| mark and an X and sometimes a little bubble would come up that said "critical
| system errors!" If you click on it or open Internet Explorer you are taken to
| "iesecurepage.com" and it tries to tell me that I have adware on my PC and I
| need to download this program to fix it. Well I don't trust this program and
| I think it is what is causing the problems so after searching for help I go
| to try to download Ad-Aware because it is a well known trusted program.
| Whenever I click on the link to try to download it I am taken to what looks
| like a "cannot find server" page and a little bar is at the top (like when a
| pop up is blocked) that says "this web site is being blocked because you have
| spyware on your PC, click here to download spyware doctor to fix it" But I
| don't want to download spyware doctor. Please help me fix this, I don't want
| to have to reformat my hard drive.
|
| Also I tried to do a system restore from about a week ago but it failed
| because it said there had been no changes made to my computer.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shut down. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php



Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
Guest

I have the same exact problem and have run Ad-Aware, smitfraudfix, Spybot
Search and Destroy all in safe mode as well as hijackthis and NOTHING shows up
in the scans.
The persistent blinking icon will not go away.

Remo
 
David H. Lipman

From: "Remo" <[email protected]>

| I have the same exact problem and have run Ad-Aware, smitfraudfix, Spybot
| Search and Destroy all in safe mode as well as hijackthis and NOTHING shows up
| in the scans.
| The persistent blinking icon will not go away.
|
| Remo
|

Run MSCONFIG.EXE.

Selectively disable different StartUp items until the "flashing icon" no longer shows up in
the system tray.

Based upon the line item of that StartUp item, find the file that is loaded.

Then, please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
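
The MSCONFIG step above, finding which file a StartUp item loads so it can be checked, can also be done from a PowerShell prompt. This is an added example, not part of the original post; the helper name `Resolve-StartupTarget` is hypothetical, and it assumes a Windows version with PowerShell 4 or later.

```powershell
# Added example: list auto-start entries (Run keys and Startup folders)
# and resolve each one to a file on disk that can be hashed and checked.

function Resolve-StartupTarget {
    param([string]$Command)
    # Expand %VAR% references, then extract the program path:
    # a leading quoted path, or the text up to the first known extension.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|dll|bat|cmd|scr|vbs|js|lnk))(\s|,|$)') {
        return $Matches[1]
    }
    return $null
}

Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $path   = Resolve-StartupTarget $_.Command
    $hash   = $null
    $signer = $null
    # Entries without a full path (e.g. a bare "rundll32.exe ...") are listed
    # with empty File details and need to be looked at by hand.
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    [pscustomobject]@{
        Name      = $_.Name       # the line item shown in the StartUp list
        Location  = $_.Location   # registry key or Startup folder it came from
        Command   = $_.Command    # full command line as registered
        File      = $path
        SHA256    = $hash
        Signature = $signer       # e.g. Valid, NotSigned, HashMismatch
    }
} | Sort-Object Signature, Name | Format-List
```

Unsigned entries in unexpected locations are the first candidates to disable and submit; the SHA256 value can be searched on VirusTotal before uploading the file itself.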
 
Guest

David H. Lipman said:
From: "Remo" <[email protected]>

| I have the same exact problem and have run Ad-Aware, smitfraudfix, Spybot
| Search and Destroy all in safe mode as well as hijackthis and NOTHING shows up
| in the scans.
| The persistent blinking icon will not go away.
|
| Remo
|

Run MSCONFIG.EXE.

Selectively disable different StartUp items until the "flashing icon" no longer shows up in
the system tray.

Based upon the line item of that StartUp item, find the file that is loaded.

Then, please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

David,

I should have done everything you said before posting!

You are really good, man.

All I did was go to safe mode and run smitRem\runthis.bat. It did the rest.
It took a while to clean my C: drive so I just went and had breakfast. When
I came back and rebooted the icons were gone...finally.

Thank you so much.

Bob Montgomery
 
David H. Lipman

From: "Remo" <[email protected]>


| David,
|
| I should have done everything you said before posting!
|
| You are really good, man.
|
| All I did was go to safe mode and run smitRem\runthis.bat. It did the rest.
| It took a while to clean my C: drive so I just went and had breakfast. When
| I came back and rebooted the icons were gone...finally.
|
| Thank you so much.
|
| Bob Montgomery
|

OK -- I'm glad you got it all sorted out and are now w/o this malware.
 
Guest

Hi,

I had the same problem also and was able to get rid of the flashing icon
without downloading anything new. However, every time I open IE I still am
automatically taken to the http://iesecurepage.com/ page. If I try to click
on the icon to bring me to my home page, it just reloads the same page. Do I
need to go thru the same procedures? (sorry, but I'm really not all that
computer literate - I know how to use one but not USE one...if you know what
I mean...)

Appreciate the help,
 
David H. Lipman

From: "Nbisson07" <[email protected]>

| Hi,
|
| I had the same problem also and was able to get rid of the flashing icon
| without downloading anything new. However, every time I open IE I still am
| automatically taken to the http://iesecurepage.com/ page. If I try to click
| on the icon to bring me to my home page, it just reloads the same page. Do I
| need to go thru the same procedures? (sorry, but I'm really not all that
| computer literate - I know how to use one but not USE one...if you know what
| I mean...)
|
| Appreciate the help,



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shut down. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
Emilio Wilde

Hi, best regards. Sometimes these are messages over the web called messenger
[not the Windows Messenger or MSN or Live Messenger]. I tried this solution and
it works fine. First you need administrative privileges, so that means you are
logged into the system as administrator, or if your account has these privileges,
log in with your account. First open the Control Panel and locate
ADMINISTRATIVE TOOLS [remember, if your Control Panel only shows groups of
the tools, locate in the left panel the title CLASSIC VIEW and click on it].
Now in the SYSTEM TOOLS locate the icon SERVICES and double click on it.
In the right pane locate the line called MESSENGER. BE CAREFUL reading
these instructions: double click on the icon called MESSENGER, change the
STARTUP TYPE to "DISABLED", then click on the button [STOP], then click on the
button [OK]. Close the SERVICES window, restart the machine and see if these
messages appear again. I hope not, but if they appear again, there are several
ways to fix this problem without reformatting the system. It's a pleasure to
serve you; if you need more help try to write me at (e-mail address removed).
Best regards, and don't hesitate; these problems are frequent and there is always
a solution for them. By the way, SORRY FOR MY ENGLISH, I live in Bolivia and don't
speak [or write] very well.

Bye....
 
David H. Lipman

From: "Emilio Wilde" <[email protected]>

| Hi, best regards. Sometimes these are messages over the web called messenger
| [not the Windows Messenger or MSN or Live Messenger]. I tried this solution and
| it works fine. First you need administrative privileges, so that means you are
| logged into the system as administrator, or if your account has these privileges,
| log in with your account. First open the Control Panel and locate
| ADMINISTRATIVE TOOLS [remember, if your Control Panel only shows groups of
| the tools, locate in the left panel the title CLASSIC VIEW and click on it].
| Now in the SYSTEM TOOLS locate the icon SERVICES and double click on it.
| In the right pane locate the line called MESSENGER. BE CAREFUL reading
| these instructions: double click on the icon called MESSENGER, change the
| STARTUP TYPE to "DISABLED", then click on the button [STOP], then click on the
| button [OK]. Close the SERVICES window, restart the machine and see if these
| messages appear again. I hope not, but if they appear again, there are several
| ways to fix this problem without reformatting the system. It's a pleasure to
| serve you; if you need more help try to write me at (e-mail address removed).
| Best regards, and don't hesitate; these problems are frequent and there is always
| a solution for them. By the way, SORRY FOR MY ENGLISH, I live in Bolivia and don't
| speak [or write] very well.
|
| Bye....

Emilio:

This was NOT the case of the NT Messenger Service. It is a case of the FakeAlert or ZLob
Trojan infection which is part of the SmitFraud family of malware.

As for the NT Messenger Service.
These are actually NetBIOS Pop-Ups and are often used in a form of spam scam. Usually noted
to indicate your PC had Registry errors and you should get a Registry fix software. All of
these Pop-Ups will have the words "Messenger Service" located in the border.

One should also note that the reception of these Pop-Ups is indicative of a bigger problem.
It means the NetBIOS over IP is exposed to the Internet and the user of the PC is at risk of
NetBIOS over IP Internet worms and hackers above and beyond the NetBIOS Pop-Ups.

The fact that one receives these Pop-Ups is indicative of two things.
1. They are NOT using; a FireWall appliance, NAT Router or FireWall application.
2. They do NOT have WinXP Service Pack 2 installed.

If you install WinXP SP2 then it will automatically disable the NT Messenger Service. It
will also install the upgraded and improved WinXP SP2 FireWall.

Additionally, if you are connected to Broadband Internet you should use either a NAT Router
or a NAT Router with a full FireWall implementation. Such a device will greatly enhance
your security and even if WinXP SP2 was NOT installed, would effectively block the receipt
of NetBIOS Pop-Ups as well as greatly diminish the chances of getting an Internet worm or being
hacked.
 
