Spyware Infection Notice -- NEED HELP


Guest

I use Windows XP Home with Norton Anti-Virus 2005, Microsoft Anti-Spyware
Beta 1 and Ad-aware 6. Somehow, my computer became seriously infected with
spyware over the weekend. Still not sure how this happened, but that is
irrelevant for now.

Anyway, Windows XP Home recognized the spyware issue and replaced my desktop
image with a black box inside a blue screen with the following text:

SPYWARE INFECTION
Your system is infected with spyware. Windows recommends you to use a
spyware removal tool to prevent loss of important data and increase system
performance. Using this PC before having it cleaned from spyware threats is
highly discouraged.

After hours of "deep cleaning" via Norton, Microsoft Anti-Spyware and
Ad-aware, Windows has stopped popping up "infection" messages and I believe
my system is 100% clean. However, the desktop image still remains. I cannot
"right-click ... properties" and change my desktop image back to what it was.

Any thoughts / help is GREATLY appreciated.

Thank you.
 

David H. Lipman

From: "admannj" <[email protected]>

| I use Windows XP Home with Norton Anti-Virus 2005, Microsoft Anti-Spyware
| Beta 1 and Ad-aware 6. Somehow, my computer became seriously infected with
| spyware over the weekend. Still not sure how this happened, but that is
| irrelevant for now.
|
| Anyway, Windows XP Home recognized the spyware issue and replaced my desktop
| image with a black box inside a blue screen with the following text:
|
| SPYWARE INFECTION
| Your system is infected with spyware. Windows recommends you to use a
| spyware removal tool to prevent loss of important data and increase system
| performance. Using this PC before having it cleaned from spyware threats is
| highly discouraged.
|
| After hours of "deep cleaning" via Norton, Microsoft Anti-Spyware and
| Ad-aware, Windows has stopped popping up "infection" messages and I believe
| my system is 100% clean. However, the desktop image still remains. I cannot
| "right-click ... properties" and change my desktop image back to what it was.
|
| Any thoughts / help is GREATLY appreciated.
|
| Thank you.



Two part reply..

Perform Part 1 then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 

Guest

David ...

First off, thank you very much for your QUICK reply. Much appreciated. A
couple of questions if I may ...

(1) I don't use McAfee, I use NAV. Does Part 2 of your reply still work?

(2) I am pretty confident that I have resolved my spyware issues. Are you
suggesting there may be spyware buried deeper than what NAV, MS Anti-Spyware
and Ad-aware are finding?

(3) Will Part 1 and Part 2 in your response get my desktop back to its
original state ... or at least allow me to change back to a customized
desktop?

Thanks again!
 

David H. Lipman

From: "admannj" <[email protected]>

| David ...
|
| First off, thank you very much for your QUICK reply. Much appreciated. A
| couple of questions if I may ...
|
| (1) I don't use McAfee, I use NAV. Does Part 2 of your reply still work?
|
| (2) I am pretty confident that I have resolved my spyware issues. Are you
| suggesting there may be spyware buried deeper than what NAV, MS Anti-Spyware
| and Ad-aware are finding?
|
| (3) Will Part 1 and Part 2 in your response get my desktop back to its
| original state ... or at least allow me to change back to a customized
| desktop?
|
| Thanks again!
|


1. Yes. It will download the needed McAfee components for you. Part 2 applies.

2. You'll find out after running the McAfee part of the tool by viewing the HTML Log
file...
C:\mcafee\ScanReport.HTML

3. Your desktop won't get back your original state. The tools will undo those things
the malware performed that locked the desktop. After the tool's execution you should be
able to set the desktop as you wish and allow you to change back to a customized desktop.
 

David H. Lipman

From: "admannj" <[email protected]>

| Thank you very much. All is back to normal. I appreciate your help.
|


YW -- Glad to help.

Please Copy and Paste the contents of; C:\mcafee\ScanReport.HTML in your reply.
 

MAP

Hi David,
This seems to be an epidemic lately, I have read several posts from
different people all with the same infection?

Hope you had a great holiday! (I had to work :-( )
 

David H. Lipman

From: "MAP" <[email protected]>

| Hi David,
| This seems to be an epidemic lately, I have read several posts from
| different people all with the same infection?
|
| Hope you had a great holiday! (I had to work :-( )
|

Thanx Mike. My Holiday continues. Tonight is the 4th night.

There seems to be quite a problem lately. It may be that some web sites are taking
advantage of Sun Java installations prior to JRE version 5 and there are Trojans such as the
Klob that are taking advantage of this and auto installing the faux anti malware such as
SpyAxe and SpySheriff and a few others.

There certainly is a slew of malware that takes advantage of users who don't practice Safe
Hex and don't keep their systems up-to-date with security related software patches, upgrades
or HotFixes.
 

Guest

Hai admannj,
May peace be upon you. I have the same problem 'spyware Infected' in black
box behind blue screen. To my surprise me too have Norton AV 2005, Microsoft
Antispyware, Ad-aware from Lavasoft.

What I did when the problem happened to me

1. Turn off System restore immediately
- Right Click My Computer->Properties->select System Restore
This will stop viruses, and infected files, spywares, adwares & other
malicious softwares from being RESTORED later

2. Download a Trial Software Norton Internet Security from its website
- 2.1) Update the Norton Internet Security->You may get failed news->try
again
(it will display in Green colour sometime will display in red that your pc
is not protected)->Click Protect Me Now Until you Get Norton Icon in
OK(green Tick Mark) at the bottom right corner of the desktop
- Run a full System Scan
- View Quarantine List (by Clicking at Left Norton Anti Virus->Reports)
and select all those Infected files and Select submit (this will help the
Norton Co to do research & update their Anti-Virus Softwares and help people
like us in future) and at last DELETE (BEFORE DELETE WRITE THE LOCATION OF
INFECTED FILES FOR DOUBLE CHECK TO ENSURE IT IS COMPLETELY REMOVED)

VERY IMPORTANT: - 3. Then download FREE ONLINE SCAN from McAfee.Com and
Click OK to download ActiveX Controls to scan your computer. After the
download completes it will display what to scan page(here go to File of the
web page->Send->Shortcut to Desktop)

(read the steps follows you will need to redo the process for at least five
times)

and 3.1) Scan C:Drive (By doing this I found some Infected files still not
detected by a) Norton Internet Security b) Microsoft AntiSpyware c) Ad-aware )

3.2) Take a fresh paper and write up the location and NAME of the infected
file
then close all the programs and [do the following thing ONCE "Right Click
Recycle Bin->Properties->Select Do Not Move Deleted files to Recycle Bin"
Doing this once is enough ] THEN
3.3) Click Start ->Choose Run ->type msconfig ->enter
3.4) choose BOOT.INI->Select /SafeBoot check box (Now the Computer start
in Safe Mode)
3.5) Click Start button->Search->all files and folders->type the file
name(e.g if the McAfee online scan shows an infected file name called
Appwrap[1].exe you just type Appwrap
- The search will find the infected file and display
- Write the FULL PATH of the file in a paper and SELECT the files->Right
Click->Delete

3.6) Then restart your computer in Normal Mode by UN-CHECKING SAFEBOOT
(Run->msconfig->BOOT.INI->UNCHECK the SafeBoot check box and click the first
tab and select Normal Mode check box) as Internet will not work in Safe Mode

3.7) Then 1) Update Norton Internet Security->Scan fully and REDO THE
PROCESS 2.1) and then goto desktop click McAfee Online Virus Scan SHORTCUT
and REDO THE PROCESS 3.1 to 3.7 AT LEAST FIVE TIMES AS I AM ALSO DOING THE
SAME THING

FOR ME THE INFECTED FILES WERE DELETED AND THE MESSAGE AT THE CENTRE OF
DESKTOP AND BLUE BACKGROUND WERE GONE but the only thing is I have a WHITE
background and I can't change desktop background as I can't click at desktop
top at its properties

Ok try this I spent almost 1 1/2 hr to write to you in order to save people
like me who got trouble because of these problems

Good luck to you reply me your feed back at (e-mail address removed)
 

Ron Martell

Help for you said:
Hai admannj,
May peace be upon you. I have the same problem 'spyware Infected' in black
box behind blue screen. To my surprise me too have Norton AV 2005, Microsoft
Antispyware, Ad-aware from Lavasoft.

What I did when the problem happened to me

1. Turn off System restore immediately
- Right Click My Computer->Properties->select System Restore
This will stop viruses, and infected files, spywares, adwares & other
malicious softwares from being RESTORED later


Bad advice. Dangerously bad advice in fact. If the removal process
gets badly fouled up you may have no way of recovering. An infected
but usable system is vastly preferable to one that is unusable.

Once the infestations have been cleaned up and the system is operating
properly then system restore needs to be cleaned up. However there is
a safer way to do this. First, create a new manual restore point.
Then launch Disk Cleanup (in the Accessories - System Tools menu) and
go to the More Options tab and click on the "Clean up..." button in
the System Restore (bottom) section. That will remove all but the most
recent restore point, which is the one you just created.

2. Download a Trial Software Norton Internet Security from its website
- 2.1) Update the Norton Internet Security->You may get failed news->try
again

Poor choice. A bloated application that will almost certainly have
the "who dropped the anchor" effect on system performance and which
will probably require a supplementary uninstaller program in order to
get rid of it when the cleanup is finished. The trial versions of
Webroot's SpySweeper or Kaspersky Personal Antivirus are much better.

VERY IMPORTANT: - 3. Then download FREE ONLINE SCAN from McAfee.Com and
Click OK to download ActiveX Controls to scan your computer. After the
download completes it will display what to scan page(here go to File of the
web page->Send->Shortcut to Desktop)

McAfee is not a bad choice for a "second opinion". Trend Micro's free
scan at http://housecall.trendmicro.com is another good one.

Ron Martell Duncan B.C. Canada
 

David H. Lipman

From: "Ron Martell" <[email protected]>

|
| McAfee is not a bad choice for a "second opinion". Trend Micro's free
| scan at http://housecall.trendmicro.com is another good one.
|
| Ron Martell Duncan B.C. Canada

And my Multi AV Scanning Tool is even Better. It has the command line scanners of Trend
Micro, McAfee, Sophos and Kaspersky all in one menu driven utility.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
