DZigas said:
Hi -- Some spam was inserted on my son's computer -- a message about
the dangers of spyware. It has a black background, takes up the whole
screen with a "Danger" warning, and I can't get rid of it. Otherwise the
computer functions normally. At the bottom, there's a link for "removal
instructions" but when you click it, it takes you to "topantispyware.com"
and lists search results for various spyware software.
We subscribe to McAfee antivirus software online, and ran the scan,
removing all the spyware it could find. Any clues on how I can get rid
of this junk? Thanks.

This has nothing to do with viruses, so your McAfee can't deal with it.
You need to clean up your computer because I can assure you with almost
100% certainty that the cr*p causing your immediate problem is not the
only malware on your system.

To remove the spam message, you will need to go to the Display applet in
Control Panel. Click on the Desktop tab and then on the Customize
Desktop button. Now click on the Web tab. Clear all checkmarks on that
tab, Apply and OK out. I just had something like this on a client's
machine and the infector page was "security.html". Also, every time I
would open Display Properties from the Desktop, the infector would
crash Explorer. I was able to kill it from the Control Panel, and then
find the referenced file and delete it.

As I said in the first paragraph, it is extremely likely that you have
other malware on the system. Go through the following removal steps,
doing everything with updated tools in Safe Mode:
1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.
Before you remove malware, get LSPFix (or WinSockFix for XP which you
can get from MajorGeeks) - see links below.
2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.
Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).
If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.
3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).
4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.
5) Run a firewall.
Links to help with malware:
Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe
HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Malke