Balloon from tray: when Giant handle it?

Guest

There's a new adware/malware out, I think it's been out since about 8 Nov
2005. The symptom is a balloon popping up from the system tray (from a red
circle) and the balloon says: "Your Computer is Infected ... blah blah" and
clicking on the balloon takes you to some site selling ... guess what ...
anti-spyware software (www.spyaxe.com or www.spykiller.com or ???).

When is MS anti-spyware going to handle this one? I've updated to the
latest data set, but it is not fixing the problem.

Thanks in advance for any help,
neal
 
Guest

Hi Neal

Bring up Task Manager (Press Control, Alt & Delete together or right click
the system tray and choose task manager)

On Task Manager press Processes, click Image Name to sort them into order
and look for winstall.exe or intel32.exe, let us know if it's found,

Winstall.exe would display a red circle with a white X in the system tray
displaying infected warnings then link to rogue removers or attempt to
install Spysheriff. If it's found in Task Manager then left click it and
choose End Process then delete the winstall.exe file from c:\drive

Intell32 & Intel32.exe are also responsible for these fake warnings but
these will display a red circle with a white exclamation mark again saying
the system is infected. If you left click the messages or the icon it will
open a webpage promoting rogue removers which is usually PSGuard and
SpySheriff

If found in task manager end the process and delete the Intell32.exe
(Intel32) file from c:\windows\system32 folder.

There are also Run keys for these so they start with Windows, but using
Microsoft Antispyware is probably easier than editing the registry once you
know what the filename is, or use SmitRem if it is Winstall or Intell32 as
that will remove the files and registry entries for you.

Open Microsoft Antispy and go to Advanced Tools then to System Explorers,
click StartUp Programs and in the 'Registry Run' areas check for the entry
that has a path to winstall or intell32. If found then left click and from
the bottom right choose 'Permanently Remove startup program' then click ok

If you do not have either file then Download Ewido Security Suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes (the status bar
at the bottom will display "Update successful") Exit Ewido. DO NOT scan yet.

Download Ccleaner (To Remove Temp and unused files from your system)

http://www.ccleaner.com/ccdownload.asp

Install Then close

Now reboot to Safe Mode - Restart your computer and immediately begin
tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe
Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run Ewido

Click on the Scanner button in the left menu, then click on complete system
scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and
"Create encrypted backup" before clicking on ok. When the scan finishes,
click on "Save Report" from the bottom of the screen and save it to your
desktop in case you need more help with this.

Run Ccleaner and press "Run Cleaner" then exit.

Then Reboot back to Normal Mode

If you have problems with your desktop wallpaper or Internet settings being
changed by these trojans or cannot access task manager then let us know and
we can use SmitRem with Ewido to fix them.

SmitRem can be found here if needed:

http://noahdfear.geekstogo.com/

Andy
 
Guest

Thanks for the tips.

I do not have either winstall.exe or intel32.exe running .. nor are they in
my auto-start lists, nor anywhere on my disks.

I believe that this malware I'm experiencing (and many others are, based on
numerous web postings in the past 2 days) must be a new variant of the two
you describe.

The threat I have shows, in the system tray, a Microsoft blue globe,
alternating with a red circle (with a white X in it) with a period of about
2 seconds. The pop-up balloon appears and disappears with about a 10
second period. In addition, it is spawning a process named ldXXXX.tmp every
10 minutes or so (characters XXXX change every time) but I cannot tell what
that process is doing.

I have run AdAware on my computer: no threats detected.

I ran MS-Giant: no threats.

I have scrutinized my running processes VERY thoroughly .. and none are
unexpected ... this malware must be running thru a DLL somehow.

I have checked my startup events very thoroughly using the AutoRuns tool
from www.sysinternals.com (great tool, by the way): nothing suspicious.

I have not run ewido (never have before) but I can give it a try. I'm not
optimistic tho: if AdAware and MS-Giant do not have this threat in their DB,
who will? Besides, it only seems to be 3 days old or so.

Bottom line: I think this is a brand new variant of older threats, and
spy-ad software companies need to dissect it and add it to their databases.
 
Bill Sanderson

One thing to do:

Tools, Suspected spyware report--and describe what you see.

This'll help get it into the defs eventually.
 
Guest

I followed your instructions:

- booted in safe mode
- ran a full ewido scan
- ran CCleaner
- started up again

.... the adware is still there.

I submitted a "spyware report" from MS-Giant .. so at least now MS-Giant has
all the details.

The puzzling thing is that I've scrutinized my start-up programs very, very
closely and I cannot see where this thing is getting activated.
 
Guest

Hi Again

When antispy applications are failing like this then we should use Hijack
This to check the system in more detail. It's very likely it would show in the
log as a running process and show the registry run key, unless it's a rootkit
infection, in which case Rootkit Revealer from Sysinternals would help. It's great you
have submitted a spyware report so that Microsoft can include this at some
stage but I think we should now use Hijack This to identify what's causing the
problem.

Download 'Hijack This'.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click
HijackThis.exe, and click "System scan and save the logfile".

When the scan is finished it will open the results in Notepad and also save
the log into the Hijack This folder. Can you email that log to
(e-mail address removed).

Most of what it lists will be harmless or even essential to your system so
don't fix anything at this stage.

Run HijackThis again and from the main menu click on "Open the Misc Tools
section", and then on "Open Uninstall Manager". Click the "Save list" button,
save the file 'uninstall_list.txt' to your Desktop, and post the contents
with the Hijack This log.

Thanks

Andy
 
Guest

Hi Again Neal

I've sent this to your email but thought I'd repost it on here.

First about your questions. Hijack This will not fix things unless you
place a check next to the entries and choose Fix Checked. On some it will
delete the file and registry key, for example the O2 BHO entries will do that;
others it will restore the registry to the default settings, the R0 & R1
entries for example will be reset to Microsoft's default; O4 lines which are
the registry run keys will be deleted but not the file it's running, so once
the system reboots then the file cannot start as the run key has been
removed. You should get advice if you're unsure of anything as Hijack This is
very powerful and also has a few small bugs where it can display (file
missing) if the file is not found on some entries when the file does exist
but in a different location.

There's only a couple of problems showing in your log,

Copy this to notepad and save it as you will need to close all Browser
windows before fixing these entries.

Goto Add/Remove screen (Start Menu > Control Panel > Add/Remove Programs)

Remove this:

Security Toolbar

Then Run Hijack This and choose system scan, place checks next to these
entries

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} -
C:\WINDOWS\System32\hpB95F.tmp (file missing)

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)

O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} -
C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)

Do you have restrictions placed on your account by a network administrator
or other party? This entry would indicate that; if not, check it to be
removed.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Have you run Rootkit Revealer on your system, as the below entry is possibly
connected to that?

O23 - Service: QQYMSUKIY - Unknown owner -
C:\DOCUME~1\Owner\LOCALS~1\Temp\QQYMSUKIY.exe (file missing)

Rootkit Revealer is available here
http://www.sysinternals.com/Utilities/RootkitRevealer.html and installs a
similar service with a random name. The above might be malware related as
Rootkit Revealer would have Sysinternals and the site address in the name but
this has Unknown Owner. Fix this entry as the file is missing; it's in a
temporary folder so Ccleaner will have removed the file when clearing the
temp folders at some stage.

After checking these entries close all open browser windows except Hijack
This and then press 'Fix Checked'


Remove This folder :

C:\Program Files\Security Toolbar <--This Folder

Finally Run Ccleaner and press "Run Cleaner" to remove temp and unused files
from your system

Then you're done!

Please navigate to http://windowsupdate.microsoft.com and download all the
"critical updates" for Windows. This can patch many of the security holes
through which attackers can gain access to your computer. Your current
version is outdated. You may need to revisit the site a couple of times
after rebooting, especially if you decide to upgrade to Service Pack 2, but
if you don't want to install that then at least make sure you have all the
latest updates.

In order to protect yourself against spyware, you should consider installing
the following free program as it doesn't need to be running on your system
and just needs the protection enabling in each area and updating. It will
just add malicious sites to the restricted zone and block known malicious
ActiveX components:

SpywareBlaster

http://www.javacoolsoftware.com/spywareblaster.html

Hopefully this should take care of your problems but let me know if I can
help more

Good luck. :)

Regards

Andy
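As an added example, not code from the thread, from HijackThis or from any of the tools named here, the script below applies the triage rules Andy describes to a HijackThis log: it flags entries whose file is missing, O4 run keys that start the file names named earlier in the thread, the O6 policy entry, and O23 services with an unknown owner running from a temp folder. The log excerpt is constructed from the entry types quoted above, and the function name `triage` is an assumption.

```python
import re

# Constructed HijackThis log excerpt (not a real log). The O2, O3, O6 and O23
# lines copy the entries quoted in the thread; the others are benign fillers.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.example.invalid/
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\\WINDOWS\\System32\\hpB95F.tmp (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [winstall] C:\\winstall.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O23 - Service: QQYMSUKIY - Unknown owner - C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\QQYMSUKIY.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\\Program Files\\ewido\\ewidoguard.exe
"""

# File names the thread associates with the fake "Your computer is infected" balloon.
WATCHLIST = ("winstall.exe", "intel32.exe", "intell32.exe", "svchosts.dll")

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage(log_text):
    """Return (section, reasons, line) for entries worth a closer look.

    Everything else is left alone, as the thread advises: most of what a
    HijackThis log lists is harmless or essential, so only flagged lines
    should be considered for 'Fix Checked'.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        lower = body.lower()
        reasons = []
        if "(file missing)" in lower or "(no file)" in lower:
            reasons.append("file missing: orphaned reference left behind")
        if sec == "O4" and any(name in lower for name in WATCHLIST):
            reasons.append("run key starts a file named in the thread")
        if sec == "O6":
            reasons.append("IE policy restriction: confirm an administrator set it")
        if sec == "O23" and "unknown owner" in lower and TEMP_RE.search(body):
            reasons.append("service with unknown owner running from a temp folder")
        if reasons:
            findings.append((sec, reasons, line))
    return findings


if __name__ == "__main__":
    for sec, reasons, line in triage(SAMPLE_LOG):
        print(f"{sec}: {'; '.join(reasons)}\n    {line}")
```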
 
Guest

Hi Neal

I'm glad you managed to solve the problem. It shows this junk is constantly
creating new files and they need submitting to antispyware vendors as it
looks like none of the ones you tried detected this. Hopefully Microsoft
Antispyware, Ewido and co can add this soon but it's great to see Pandascan
found the file on that forum so it could be removed on your system.

Thanks for letting us know you're clean again

Regards Andy
 
Guest

Hey guys. I'm still having trouble with SpyAxe, and it's frustrating to say
the least. I'm still a newbie at this, so please forgive me. I figure I know
enough just to be dangerous to my own computer.

So far, I've followed the instructions posted here and what I find when I do
a search on this newsgroup for "SpyAxe". I've downloaded Ewido, Panda Scan,
CCleaner, SpyAxeFix, Smitrem, Killbox, etc. to add to my already-installed
HJT, Adaware. I've even paid for the 2006 version of Panda Scan and
downloaded it.

When I follow the directions from AndyManchesta (post was dated 11-11-2005),
it temporarily removes SpyAxe, but not the pop-up balloon. Then I did the
"fix.reg" to try to kill the balloon, but it's still there even after a
reboot.

I've stopped the processes in HJT. I started looking at more posts and at
some of the files themselves. Most reference a file
"c:\windows\system32\svchosts.dll" and that noleander's post (also dated
11-11-2005) said it did the trick. I did a search on my computer, and I can't
find it, even when I'm running in SAFE mode and viewing hidden files. I'm
wondering if maybe this is why the fixes aren't working for me?

When I run a search for "svc*" on my computer, these are the files I find:

- c:\I386\svchost.exe
- c:\I386\svcpack.dll
- c:\I386\svcpack.inf
- c:\windows\system32\svchost.exe
- c:\windows\system32\svcpack.dll

Any suggestions? Any feedback is definitely appreciated. Thanks!
 
Guest

Hi there

Can you check for these and let me know if they are found. Check the
Add/Remove screen (Start Menu > Control Panel > Add/Remove Programs) for
Security Toolbar or SpyAxe and remove if found. Also check C:\Drive / Program
Files for the same folders and remove them. If there is a SpyAxe folder in
Program Files open it and run the uninstaller first then remove the folder.

Try running the fix again but this time use SmitRem. SpyAxeFix has been
combined into SmitRem so the download link isn't available now. SmitRem will
also remove a lot of other infected files related to the fake spyware messages
so it may solve the problem if it's a different variant.

Download SmitRem

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Save it to your desktop, double click Smitrem.exe to extract it to its own
folder on the desktop.

Reboot into safe mode (Reboot and keep tapping F8 then choose safe mode from
the list)

Open the smitRem folder, then double click the RunThis.bat file to start the
tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive,
eg; Local Disk C: or partition where your operating system is installed.

When that's finished run Ewido then click 'Complete System Scan'.
When ewido finds something, it will pop up a notification. Select "Remove"
and check the boxes "Perform action with all infections" and "Create
encrypted backup" then click on ok. When the scan finishes, click on "Save
Report" and save it to your desktop or c:/drive in case you need it again.

Reboot Back To Normal Mode

You will need to reload your wallpaper after this tool finishes. To change
your wallpaper right click the desktop and choose Properties, set the Theme to XP
if you are running XP then go to the Desktop tab and choose your wallpaper
from there.

Let me know if it continues and we can try other tools.

Regards Andy
 
Guest

Hi Andy. Thanks for the reply.

Well I tried it, but unfortunately SpyAxe is still there. Interesting to
note: I first delete SpyAxe via Control Panel, then I run SmitRem. The whole
time, the balloon pop-up never goes away. It's about the same time when the
Disk Cleanup is running that SpyAxe reappears on my desktop as a shortcut and
even in the Start menu. Then I tried going back to kill it via Control Panel,
and by the time Ewido finishes, SpyAxe is back again.

I'm still at a loss. Any other suggestions?

Thanks again.
 
Guest

Hey Again

That sounds a bit frustrating. If you are running the fix tools in safe mode
and they still cannot clear the problem, try running the online scan from
Panda and check if that detects svchosts.dll. If you have already run that
scanner can you send me a Hijack log from your system: run Hijack This in
Normal Mode when you have the pop up showing, choose to do a system scan and
save the logfile; when the scan finishes it will open the results in Notepad
and also save them into the Hijack This folder. Send that to
(e-mail address removed) and I will check it over for any problems. Smitrem
should remove all the files connected to these infections including the Spy
Axe junk so it could be a new variant or a Trojan downloader still on the
system which may be re-infecting you with Spy Axe, but Hijack This should make
that part a bit clearer.

Chat to you later

Andy
 