Malwarewiped


inkleputDEL

The last few days I've been getting spyware and virus "notices" with IE
insisting on dialing out. AVG have removed a couple things (2 tmp files
had trojans) and Ad-Aware deleted 19 spyware items not found a couple days
ago, but the notices persist.

Most recently IE went to malwarewiped.com where spyware remover software
was advertised with an offer to run a free security scan on my computer.
Not knowing them from a blue tailed bull, I declined.

This whole thing seems pretty off the wall. It seems that I wouldn't be
getting all the advertisements if I weren't infected with spyware, and
indeed, the notices say that very thing - but both Ad-Aware and XoftSpy
find nothing. Is malwarewiped.com known to be good, bad or indifferent?
Might they be the actual source of the spyware?


JimL

--
 
From: <[email protected]>

| The last few days I've been getting spyware and virus "notices" with IE
| insisting on dialing out. AVG have removed a couple things (2 tmp files
| had trojans) and Ad-Aware deleted 19 spyware items not found a couple days
| ago, but the notices persist.
|
| Most recently IE went to malwarewiped.com where spyware remover software
| was advertised with an offer to run a free security scan on my computer.
| Not knowing them from a blue tailed bull, I declined.
|
| This whole thing seems pretty off the wall. It seems that I wouldn't be
| getting all the advertisements if I weren't infected with spyware, and
| indeed, the notices say that very thing - but both Ad-Aware and XoftSpy
| find nothing. Is malwarewiped.com known to be good, bad or indifferent?
| Might they be the actual source of the spyware?
|
| JimL
|

You are infected with a ZLob Trojan or a FakeAlert Trojan.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
| The last few days I've been getting spyware and virus "notices" with IE
| insisting on dialing out. AVG have removed a couple things (2 tmp files
| had trojans) and Ad-Aware deleted 19 spyware items not found a couple days
| ago, but the notices persist.
|
| Most recently IE went to malwarewiped.com where spyware remover software
| was advertised with an offer to run a free security scan on my computer.
| Not knowing them from a blue tailed bull, I declined.
|
| This whole thing seems pretty off the wall. It seems that I wouldn't be
| getting all the advertisements if I weren't infected with spyware, and
| indeed, the notices say that very thing - but both Ad-Aware and XoftSpy
| find nothing. Is malwarewiped.com known to be good, bad or indifferent?
| Might they be the actual source of the spyware?

From the behavior you can assume that malwarewiped is a bad site.

You do have malware that's managed to evade the scanners you have
used.
 
In <#[email protected]>, on 02/24/07
at 08:17 PM, "David H. Lipman" <[email protected]> said:

Thanks!

Wow! There were at least two similar ones and that Zlob is one mean
critter that seems to have evolved somewhat. Best I can figure there were
30 or more instances in different places most of them different entries in
the registry. It took hours of repeated operations and, ultimately, four
different spyware programs to finally get rid of it. Some instances kept
reinfecting, requiring a certain sequence of different cleaner programs to
clear it up.

The last to go were an IE Favorites URL and an IE registry entry. I don't
know spit about the registry, but something apparently kept putting an
infected backup copy back in place, either with a spyware cleaner or if I
used Regedit. That finally cleared up when I tried it in Safe mode.

Someone who knew what they were doing probably would have gotten this done
faster. But it doesn't help that some of the spyware cleaner programs out
there are trojan installers themselves - Malwarewiped being one of them.

Thanks again.

JimL

--
 
From: <[email protected]>

| In <#[email protected]>, on 02/24/07
| at 08:17 PM, "David H. Lipman" <[email protected]> said:
|
| Thanks!
|
| Wow! There were at least two similar ones and that Zlob is one mean
| critter that seems to have evolved somewhat. Best I can figure there were
| 30 or more instances in different places most of them different entries in
| the registry. It took hours of repeated operations and, ultimately, four
| different spyware programs to finally get rid of it. Some instances kept
| reinfecting, requiring a certain sequence of different cleaner programs to
| clear it up.
|
| The last to go were an IE Favorites URL and an IE registry entry. I don't
| know spit about the registry, but something apparently kept putting an
| infected backup copy back in place, either with a spyware cleaner or if I
| used Regedit. That finally cleared up when I tried it in Safe mode.
|
| Someone who knew what they were doing probably would have gotten this done
| faster. But it doesn't help that some of the spyware cleaner programs out
| there are trojan installers themselves - Malwarewiped being one of them.
|
| Thanks again.
|


You're welcome.
 
In <[email protected]>, on 02/25/07
at 02:08 PM, "David H. Lipman" <[email protected]> said:


| Someone who knew what they were doing probably would have gotten this done
| faster. But it doesn't help that some of the spyware cleaner programs out
| there are trojan installers themselves - Malwarewiped being one of them.
|
| Thanks again.
|

You're welcome.

You may have detected an odd note about my post. Apparently due to the
nature of the contaminants I was unable to download one of the components
you listed. Therefore I didn't finish reading everything and as easily as
my brain gets addled failed to absorb even more.

Today without the contaminants I got through it all. Perhaps you can tell
me what it means to get Error -94 notices when using sysclean.com?

Also I'm curious what happens when using that one with it set to repair as
it goes and it finds "contamination" in the signature files themselves.


JimL

--
 
From: <[email protected]>


|
| You may have detected an odd note about my post. Apparently due to the
| nature of the contaminants I was unable to download one of the components
| you listed. Therefore I didn't finish reading everything and as easily as
| my brain gets addled failed to absorb even more.
|
| Today without the contaminants I got through it all. Perhaps you can tell
| me what it means to get Error -94 notices when using sysclean.com?
|
| Also I'm curious what happens when using that one with it set to repair as
| it goes and it finds "contamination" in the signature files themselves.
|
| JimL
|

Sure...

It means the file could not be scanned. This is often the case of an OS Protected System
file or a file that has its respective File Handle held open by the OS.

I don't understand what you mean by...
| Also I'm curious what happens when using that one with it set to repair as
| it goes and it finds "contamination" in the signature files themselves.
 
on 02/25/07 said:
It means the file could not be scanned. This is often the case of an OS
Protected System file or a file that has its respective File Handle held
open by the OS.

I guess I still have no clue what safe mode really means.
I don't understand what you mean by...
| Also I'm curious what happens when using that one with it set to repair as
| it goes and it finds "contamination" in the signature files themselves.

The program is assumedly going to "clean" anything that is "bad"
automatically. It listed a pattern file from the program's home directory
in a "dry run." Does that mean it will remove the "patterns" or even
delete the "bad" file if allowed to run with auto repair?

JimL

--
 
From: <[email protected]>

| In <[email protected]>, on 02/25/07
|
| I guess I still have no clue what safe mode really means.
|
|> Also I'm curious what happens when using that one with it set to repair as
|> it goes and it finds "contamination" in the signature files themselves.
|
| The program is assumedly going to "clean" anything that is "bad"
| automatically. It listed a pattern file from the program's home directory
| in a "dry run." Does that mean it will remove the "patterns" or even
| delete the "bad" file if allowed to run with auto repair?
|
| JimL
|

There are two modes in Trend Sysclean. Detect Only and Detect and Clean.
If you choose the second option Trend Sysclean will try to clean the file first and if it
is not cleanable it will be deleted. The "Patterns" are the signatures or fingerprints of
malware. It is through these "Patterns" that Trend Micro will use to detect malware.
 
on 02/26/07 said:
There are two modes in Trend Sysclean. Detect Only and Detect and
Clean. If you choose the second option Trend Sysclean will try to clean
the file first and if it is not cleanable it will be deleted. The
"Patterns" are the signatures or fingerprints of malware. It is through
these "Patterns" that Trend Micro will use to detect malware.

So I guess the answer is yes. If you use "Detect and Clean" the
Detector/Cleaner could render itself inoperable.

Thanks

JimL

--
 
From: <[email protected]>

| In <#[email protected]>, on 02/26/07
|
| So I guess the answer is yes. If you use "Detect and Clean" the
| Detector/Cleaner could render itself inoperable.
|
| Thanks
|
| JimL
|

The answer is no.

The Detector/Cleaner can NOT render itself inoperable.
 
In <[email protected]>, on 02/27/07
at 01:09 PM, "David H. Lipman" <[email protected]> said:


| In <#[email protected]>, on 02/26/07

|
| So I guess the answer is yes. If you use "Detect and Clean" the
| Detector/Cleaner could render itself inoperable.
|
| Thanks
|
| JimL
|
The answer is no.
The Detector/Cleaner can NOT render itself inoperable.

By inoperable I mean not operating correctly - essentially inoperable.

If it cleans or removes the pattern file, how can it operate correctly?


JimL

--
 
From: <[email protected]>


|
| By inoperable I mean not operating correctly - essentially inoperable.
|
| If it cleans or removes the pattern file, how can it operate correctly?
|
| JimL
|

No... You have it wrong.

The pattern files are the fingerprints or signatures used by an anti malware scanner to detect
files that are malicious. Files deemed to be malicious are then attempted to be cleaned
first by the scanning engine and if it is not a virus that can be cleaned then the scanning
engine will delete the malicious file.
 
In <[email protected]>, on 02/27/07
at 03:34 PM, "David H. Lipman" <[email protected]> said:


From: <[email protected]>

|
| By inoperable I mean not operating correctly - essentially inoperable.
|
| If it cleans or removes the pattern file, how can it operate correctly?
|
| JimL
|
No... You have it wrong.
The pattern files are the fingerprints or signatures used by an anti
malware scanner to detect files that are malicious. Files deemed to be
malicious are then attempted to be cleaned first by the scanning engine
and if it is not a virus that can be cleaned then the scanning engine
will delete the malicious file.

The pattern file appeared on the infected file list. That's what I was
asking about.


JimL
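
An added illustration, not part of the thread and not Trend Micro's code, of the two modes discussed above and of one way a pattern file can end up in a detect-only listing: a pattern file that stores its signatures unencoded contains the very bytes the scanner searches for. Whether that is what happened in the scan described here is an assumption; the toy patterns, file names and the `exclude` parameter are constructed for the example.

```python
import os
import tempfile

# Constructed toy signatures; not real malware patterns.
PATTERNS = {"Toy.FakeAlert": b"FAKEALERT-MARKER", "Toy.Zlob": b"ZLOB-MARKER"}

def write_pattern_file(path):
    # Signatures are stored raw, so this file contains every marker itself.
    with open(path, "wb") as f:
        for name, sig in PATTERNS.items():
            f.write(name.encode() + b"=" + sig + b"\n")

def scan(root, clean=False, exclude=()):
    """Return {relative path: result}. clean=False models 'Detect Only'."""
    skip = {os.path.abspath(p) for p in exclude}
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.abspath(path) in skip:
                continue  # the scanner's own data is never treated as a target
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                results[rel] = "not scanned"  # e.g. file held open by the OS
                continue
            hits = [n for n, s in PATTERNS.items() if s in data]
            if not hits:
                continue
            if clean:
                os.remove(path)  # toy engine cannot repair, so it deletes
                results[rel] = "deleted: " + ",".join(hits)
            else:
                results[rel] = "detected: " + ",".join(hits)
    return results

def demo():
    with tempfile.TemporaryDirectory() as root:
        pat = os.path.join(root, "scanner", "patterns.dat")
        os.makedirs(os.path.dirname(pat))
        write_pattern_file(pat)
        with open(os.path.join(root, "dropper.tmp"), "wb") as f:
            f.write(b"xx ZLOB-MARKER xx")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"harmless")
        naive = scan(root)  # detect only, no exclusion
        safe = scan(root, clean=True, exclude=[pat])
        return naive, safe, os.path.exists(pat)
```

In the detect-only pass without an exclusion the pattern file is listed next to the real hit; with its own data excluded, the clean pass deletes only the flagged file and the pattern file survives.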
 