Adware and hijacking, please help!

Discussion in 'Windows XP Security' started by Guest, Nov 4, 2006.

  1. Guest


    Please forgive me, I am not super computer literate, but I really need some help.

    A couple of days ago I noticed a weird little icon in the tray on the right
    hand side of the screen near the clock. It was blinking between a question
    mark and an X and sometimes a little bubble would come up that said "critical
    system errors!" If you click on it or open Internet Explorer you are taken to
    "iesecurepage.com" and it tries to tell me that I have adware on my PC and I
    need to download this program to fix it. Well, I don't trust this program and
    I think it is what is causing the problems, so after searching for help I go
    to try to download Ad-Aware because it is a well known trusted program.
    Whenever I click on the link to try to download it I am taken to what looks
    like a "cannot find server" page and a little bar is at the top (like when a
    pop-up is blocked) that says "this web site is being blocked because you have
    spyware on your PC, click here to download Spyware Doctor to fix it". But I
    don't want to download Spyware Doctor. Please help me fix this, I don't want
    to have to reformat my hard drive.

    Also, I tried to do a system restore from about a week ago but it failed
    because it said there had been no changes made to my computer.
     
    Guest, Nov 4, 2006
    #1

  2. From: "Robin" <>

    | Please forgive me, I am not super computer literate, but I really need some help.
    |
    | A couple of days ago I noticed a weird little icon in the tray on the right
    | hand side of the screen near the clock. It was blinking between a question
    | mark and an X and sometimes a little bubble would come up that said "critical
    | system errors!" If you click on it or open Internet Explorer you are taken to
    | "iesecurepage.com" and it tries to tell me that I have adware on my PC and I
    | need to download this program to fix it. Well, I don't trust this program and
    | I think it is what is causing the problems, so after searching for help I go
    | to try to download Ad-Aware because it is a well known trusted program.
    | Whenever I click on the link to try to download it I am taken to what looks
    | like a "cannot find server" page and a little bar is at the top (like when a
    | pop-up is blocked) that says "this web site is being blocked because you have
    | spyware on your PC, click here to download Spyware Doctor to fix it". But I
    | don't want to download Spyware Doctor. Please help me fix this, I don't want
    | to have to reformat my hard drive.
    |
    | Also, I tried to do a system restore from about a week ago but it failed
    | because it said there had been no changes made to my computer.



    Two-part reply.

    Perform Part 1, then perform Part 2.

    If the first two parts don't work, perform the alternate section.

    It is suggested that you execute each tool in Normal Mode, then in Safe Mode.



    Part 1
    -----------

    Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
    http://noahdfear.geekstogo.com/click counter/click.php?id=1

    http://www.bleepingcomputer.com/forums/topic43659.html


    Part 2
    -----------

    Download SmitFraud.exe from the URL --
    http://www.ik-cs.com/programs/virtools/SmitFraud.exe

    Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to enable WGET.EXE to download the needed McAfee related files.

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
    C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
    displayed in your browser (Opera, Firefox or Internet Explorer). However, if you are using
    WinXP, Win2K or Win2003, your system will be left in a state where you will have to manually
    shut down/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser,
    but your PC will automatically be shut down. It is suggested that you move the report out of
    c:\mcafee before performing another scan.

    It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session.


    ALTERNATE:

    S!ri's SmitfraudFix
    http://siri.urz.free.fr/Fix/SmitfraudFix_En.php



    Please Copy and Paste the contents of the HTML Log files;
    C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

    * * * Please report back your results * * *
     
    David H. Lipman, Nov 4, 2006
    #2

  4. Guest


    I have the same exact problem and have run Ad-Aware, SmitfraudFix, Spybot
    Search and Destroy all in safe mode, as well as HijackThis, and NOTHING shows up
    in the scans.
    The persistent blinking icon will not go away.

    Remo
     
    Guest, Nov 5, 2006
    #4
  5. From: "Remo" <>

    | I have the same exact problem and have run Ad-Aware, SmitfraudFix, Spybot
    | Search and Destroy all in safe mode, as well as HijackThis, and NOTHING shows up
    | in the scans.
    | The persistent blinking icon will not go away.
    |
    | Remo
    |

    Run MSCONFIG.EXE.

    Selectively disable different StartUp items until the "flashing icon" no longer shows up in
    the system tray.

    Based upon the line item of that StartUp item, find the file that is loaded.

    Then, please submit a sample to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:?subject=SCAN

    When you get the report, please post back the exact results.
     
    David H. Lipman, Nov 5, 2006
    #5
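    The MSCONFIG-and-submit procedure above, as an added example that is not part of the thread: it lists the same startup entries MSCONFIG shows, resolves each to the file it loads, and computes a SHA256 so the file can be looked up on Virus Total (by hash, or submitted as David describes). It assumes Windows PowerShell 4 or later for Get-FileHash; the function name is mine.

```powershell
# Added example (not from the thread). Enumerate startup items, resolve the
# executable each one loads, and hash it for a Virus Total lookup.
function Get-StartupFileHash {
    # Win32_StartupCommand covers the HKLM/HKCU Run keys and the Startup
    # folders, i.e. the same "StartUp" tab MSCONFIG presents.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $cmd = $_.Command
        $path = $null
        # Either a quoted path, or the first token ending in a runnable extension.
        # Caveat: an unquoted path containing spaces will be cut at the first space.
        if ($cmd -match '^"([^"]+)"') { $path = $Matches[1] }
        elseif ($cmd -match '^(\S+\.(exe|bat|cmd|scr|dll))') { $path = $Matches[1] }
        if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }

        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Name     = $_.Name
            Location = $_.Location   # registry key or folder MSCONFIG lists
            User     = $_.User
            Command  = $cmd
            Path     = $path
            SHA256   = $hash         # $null: file missing or path not parsed
        }
    }
}

# Entries whose file could not be found deserve a second look (the loader
# survives a reboot but the payload was deleted, or the path was obfuscated).
Get-StartupFileHash | Sort-Object Location, Name | Format-Table -AutoSize
```

    Paste a SHA256 into the Virus Total search box to see whether the file is already known before uploading it.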
  6. Guest


    David,

    I should have done everything you said before posting!

    You are really good, man.

    All I did was go to safe mode and run smitRem\runthis.bat. It did the rest.
    It took a while to clean my C: drive so I just went and had breakfast. When
    I came back and rebooted the icons were gone... finally.

    Thank you so much.

    Bob Montgomery
     
    Guest, Nov 5, 2006
    #6
  7. From: "Remo" <>


    | David,
    |
    | I should have done everything you said before posting!
    |
    | You are really good, man.
    |
    | All I did was go to safe mode and run smitRem\runthis.bat. It did the rest.
    | It took a while to clean my C: drive so I just went and had breakfast. When
    | I came back and rebooted the icons were gone... finally.
    |
    | Thank you so much.
    |
    | Bob Montgomery
    |

    OK -- I'm glad you got it all sorted out and are now w/o this malware.
     
    David H. Lipman, Nov 5, 2006
    #7
  8. Guest


    Hi,

    I had the same problem also and was able to get rid of the flashing icon
    without downloading anything new. However, every time I open IE I still am
    automatically taken to the http://iesecurepage.com/ page. If I try to click
    on the icon to bring me to my home page, it just reloads the same page. Do I
    need to go through the same procedures? (Sorry, but I'm really not all that
    computer literate - I know how to use one but not USE one... if you know what
    I mean...)

    Appreciate the help,
     
    Guest, Nov 8, 2006
    #8
  9. From: "Nbisson07" <>

    | Hi,
    |
    | I had the same problem also and was able to get rid of the flashing icon
    | without downloading anything new. However, every time I open IE I still am
    | automatically taken to the http://iesecurepage.com/ page. If I try to click
    | on the icon to bring me to my home page, it just reloads the same page. Do I
    | need to go through the same procedures? (Sorry, but I'm really not all that
    | computer literate - I know how to use one but not USE one... if you know what
    | I mean...)
    |
    | Appreciate the help,



    Two-part reply.

    Perform Part 1, then perform Part 2.

    If the first two parts don't work, perform the alternate section.

    It is suggested that you execute each tool in Normal Mode, then in Safe Mode.



    Part 1
    -----------

    Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
    http://noahdfear.geekstogo.com/click counter/click.php?id=1

    http://www.bleepingcomputer.com/forums/topic43659.html


    Part 2
    -----------

    Download SmitFraud.exe from the URL --
    http://www.ik-cs.com/programs/virtools/SmitFraud.exe

    Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to enable WGET.EXE to download the needed McAfee related files.

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
    C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
    displayed in your browser (Opera, Firefox or Internet Explorer). However, if you are using
    WinXP, Win2K or Win2003, your system will be left in a state where you will have to manually
    shut down/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser,
    but your PC will automatically be shut down. It is suggested that you move the report out of
    c:\mcafee before performing another scan.

    It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session.


    ALTERNATE:

    S!ri's SmitfraudFix
    http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


    Please Copy and Paste the contents of the HTML Log files;
    C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

    * * * Please report back your results * * *
     
    David H. Lipman, Nov 8, 2006
    #9
  10. Guest

    Emilio Wilde

    Hi, best regards. Sometimes these are messages over the web called Messenger
    [not the Windows Messenger or MSN or Live Messenger]. I tried this solution and
    it works fine. First you need administrative privileges, so that means you
    logged into the system as Administrator, or if your account has these privileges,
    log in with your account. Well, first open the Control Panel and locate
    ADMINISTRATIVE TOOLS [remember, if your Control Panel only shows groups of
    the tools, locate in the left panel the title CLASSIC VIEW and click on it].
    Now in the SYSTEM TOOLS locate the icon SERVICES and double click on it.
    In the right pane locate the line called MESSENGER. OK, BE CAREFUL reading
    these instructions: double click on the icon called MESSENGER, change the
    STARTUP TYPE to "DISABLED", then click on the button [STOP], then click on the
    button [OK], close the SERVICES window, restart the machine and see if these
    messages appear again. I hope not, but if they appear again, there are several
    ways to fix this problem without reformatting the system. It's a pleasure to
    serve you; if you need more help try to write me at ,
    best regards and don't hesitate, these problems are frequent and there is always
    a solution for this. By the way, SORRY FOR MY ENGLISH, I live in Bolivia and don't
    speak [or write] very well.

    Bye....
     
    Emilio Wilde, Nov 13, 2006
    #10
  11. From: "Emilio Wilde" <>

    | Hi, best regards. Sometimes these are messages over the web called Messenger
    | [not the Windows Messenger or MSN or Live Messenger]. I tried this solution and
    | it works fine. First you need administrative privileges, so that means you
    | logged into the system as Administrator, or if your account has these privileges,
    | log in with your account. Well, first open the Control Panel and locate
    | ADMINISTRATIVE TOOLS [remember, if your Control Panel only shows groups of
    | the tools, locate in the left panel the title CLASSIC VIEW and click on it].
    | Now in the SYSTEM TOOLS locate the icon SERVICES and double click on it.
    | In the right pane locate the line called MESSENGER. OK, BE CAREFUL reading
    | these instructions: double click on the icon called MESSENGER, change the
    | STARTUP TYPE to "DISABLED", then click on the button [STOP], then click on the
    | button [OK], close the SERVICES window, restart the machine and see if these
    | messages appear again. I hope not, but if they appear again, there are several
    | ways to fix this problem without reformatting the system. It's a pleasure to
    | serve you; if you need more help try to write me at ,
    | best regards and don't hesitate, these problems are frequent and there is always
    | a solution for this. By the way, SORRY FOR MY ENGLISH, I live in Bolivia and don't
    | speak [or write] very well.
    |
    | Bye....

    Emilio:

    This was NOT a case of the NT Messenger Service. It is a case of the FakeAlert or Zlob
    Trojan infection, which is part of the SmitFraud family of malware.

    As for the NT Messenger Service:
    These are actually NetBIOS Pop-Ups and are often used in a form of spam scam, usually noted
    to indicate your PC had Registry errors and you should get a Registry fix software. All of
    these Pop-Ups will have the words "Messenger Service" located in the border.

    One should also note that the reception of these Pop-Ups is indicative of a bigger problem.
    It means the NetBIOS over IP is exposed to the Internet and the user of the PC is at risk of
    NetBIOS over IP Internet worms and hackers above and beyond the NetBIOS Pop-Ups.

    The fact that one receives these Pop-Ups is indicative of two things.
    1. They are NOT using a FireWall appliance, NAT Router or FireWall application.
    2. They do NOT have WinXP Service Pack 2 installed.

    If you install WinXP SP2 then it will automatically disable the NT Messenger Service. It
    will also install the upgraded and improved WinXP SP2 FireWall.

    Additionally, if you are connected to Broadband Internet you should use either a NAT Router
    or a NAT Router with a full FireWall implementation. Such a device will greatly enhance
    your security and, even if WinXP SP2 was NOT installed, would effectively block the receipt
    of NetBIOS Pop-Ups as well as greatly diminish the chances of getting an Internet worm or being
    hacked.
     
    David H. Lipman, Nov 13, 2006
    #11
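    The exposure David describes (Messenger service running, NetBIOS ports reachable, no host firewall), as an added check that is not part of the thread: it reports the service state, the listening NetBIOS/SMB ports, and the Windows Firewall state, and disables the service if it is still running. It assumes Windows PowerShell 3 or later, an elevated prompt, and the classic `netsh firewall` context (present on XP SP2 through Windows 7); the function name is mine.

```powershell
# Added example (not from the thread). Audit the conditions behind
# "Messenger Service" NetBIOS pop-ups and turn the service off if it is on.
function Test-NetBiosExposure {
    $report = [ordered]@{}

    # 1. NT Messenger service. Absent on XP SP2 and later, so 'not installed' is the good case.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Messenger'"
    if ($null -eq $svc) {
        $report.MessengerService = 'not installed'
    } else {
        $report.MessengerService = "$($svc.State), StartMode=$($svc.StartMode)"
        if ($svc.State -eq 'Running') {
            Stop-Service -Name Messenger
            Set-Service -Name Messenger -StartupType Disabled
            $report.MessengerService += ' -> stopped and disabled'
        }
    }

    # 2. NetBIOS/SMB ports that pop-ups and worms arrive on:
    #    TCP 135/139/445 and UDP 137/138. netstat is used because it exists on every Windows.
    $report.ListeningNetBiosPorts = @(
        netstat -an |
        Select-String -Pattern '^\s*(TCP|UDP)\s+\S+:(135|137|138|139|445)\s' |
        ForEach-Object { $_.Line.Trim() }
    )

    # 3. Host firewall state (classic context; 'Operational mode' line shows Enable/Disable).
    $report.FirewallState = @(
        netsh firewall show state 2>$null | Select-String 'Operational mode'
    ) -join '; '
    if (-not $report.FirewallState) { $report.FirewallState = 'netsh firewall context unavailable' }

    [pscustomobject]$report
}

Test-NetBiosExposure | Format-List
```

    A listening port here is only a problem if it is reachable from the Internet; a NAT router in front of the PC hides it, which is the point David makes.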
