J Manderley
Hello there,
I got a real weird situation for you here and I am humbly asking for a
bit of advice if possible please.
I am reasonably competent when it comes to pc's and Windows operating
systems, I build and maintain pc's and I know my way around the usual
areas of the operating system, so I am not entirely green ;-)
However, I am not too proud to ask for help when I am stuck, which I
am of course.
I have recently been asked to try and get some spyware/adware off a
friend's recently purchased Dell pc, and upon closer inspection found
the culprit to be a variation of SpywareQuake (fake anti-spyware
pop-ups, fake scans etc...) which I THOUGHT I had removed using AVG
Anti-Virus and Adaware SE 2007. However...
I have downloaded the SpywareQuake remover (and other variations of
said remover), I have run both Adaware SE 2007 and the removal tools
in safe mode and I have run numerous anti-virus scans but I am STILL
getting pop-ups and forced "fake-scan" pages popping up when Internet
Explorer accesses the internet. Anti-Spyware and removal tools found a
big fat NOTHING :-(
Using Sysinternals Process Explorer I traced the activity down to a
registry key which was labelled "AntiPhishing" in the HKCU hive:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F
Comparing this with a clean version I noticed a value in the last
sub-key labelled "user" which, when compared with the clean version,
should not have been there, so I blanked it and... it came back.
Finally I disabled the Phishing Filter in IE7 completely (using the
Internet Options Advanced tab) and it has stopped the pop-ups and fake
anti-spyware messages dead (registry key still will not stay blank so
obviously there is still something running on the system.) If I
re-activate the Phishing filter then obviously the pop-ups return.
Bingo! Problem side-stepped but not solved. Now, my question is, how
do I remove this little booger so I can reactivate the Phishing Filter
again if I can't get any anti-spyware software to detect it? Is this a
vulnerability involving the MS Phishing Filter? Has anybody else
suffered this problem and can they kindly offer a solution?
I am trying to resist performing a system restore unless I really have
to. ANY help at this stage would be most gratefully received and most
definitely welcome.
By the way, I also backed everything up before I started out on this
so his data is safe... just thought I'd mention that ;-)
Sorry for the ramble, hope I provided enough info. Thanks in advance
J
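
The clean-versus-suspect comparison described in the post can be repeated offline on `reg export` files of the same key, which also makes it easy to re-check after each cleanup attempt. This is an added example, not part of the original post; the sample exports, the `SampleDword`/`SampleBinary` value names and the data stored in `user` are constructed placeholders.

```python
import re

# Key path as given in the post; everything inside the sample exports is constructed.
KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
       r"\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F")
CLEAN = f'''Windows Registry Editor Version 5.00

[{KEY}]
"SampleDword"=dword:00000001
"SampleBinary"=hex:01,02,\\
  03,04
'''
SUSPECT = CLEAN + '"user"="CONSTRUCTED-PLACEHOLDER"\n'

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def load_export(path):
    """Read a .reg file; version 5.00 exports are UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}, names lowercased
    because registry keys and value names are case-insensitive."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex: continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m.group(1)
            name = "(default)" if name == "@" else name[1:-1].lower()
            current[name] = m.group(2)
    return keys

def diff_key(clean, suspect, key):
    """Compare one key between two parsed exports."""
    c, s = clean.get(key.lower(), {}), suspect.get(key.lower(), {})
    return {
        "added": {n: s[n] for n in s.keys() - c.keys()},
        "removed": {n: c[n] for n in c.keys() - s.keys()},
        "changed": {n: (c[n], s[n]) for n in c.keys() & s.keys() if c[n] != s[n]},
    }

if __name__ == "__main__":
    print(diff_key(parse_reg(CLEAN), parse_reg(SUSPECT), KEY))
```

For real exports, pass `load_export("clean.reg")` and `load_export("suspect.reg")` to `parse_reg`; a value that shows up under `added` again after being blanked confirms that something on the system is still rewriting it.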