Spyware Question

Guest

Unfortunately my computer got infected with adware/spyware. The virus tries
to start up every time I boot my computer. My desktop and Internet Explorer
settings are affected by the virus. My Symantec software stops the Trojan
virus from spreading but I can't seem to find the correct files to delete.
I've tried to restore my system to an earlier date but an error message says
the files have been changed that will not allow it to restore. I've even
tried to reinstall Windows XP with the Operating System disk but I can't seem
to get the CD to read once it is rebooted. I keep getting an error message
saying my current Windows version is newer than the version on the CD.

Any thoughts on what I can do to restore my computer to its original settings?

Any suggestions are appreciated.

Thanks.
 
David H. Lipman

From: "Sam" <[email protected]>

| Unfortunately my computer got infected with adware/spyware. The virus tries
| to start up every time I boot my computer. My desktop and Internet Explorer
| settings are affected by the virus. My Symantec software stops the Trojan
| virus from spreading but I can't seem to find the correct files to delete.
| I've tried to restore my system to an earlier date but an error message says
| the files have been changed that will not allow it to restore. I've even
| tried to reinstall Windows XP with the Operating System disk but I can't seem
| to get the CD to read once it is rebooted. I keep getting an error message
| saying my current Windows version is newer than the version on the CD.
|
| Any thoughts on what I can do to restore my computer to its original settings?
|
| Any suggestions are appreciated.
|
| Thanks.

Sam:

You are going to have to clean the computer of the infectors, or you are going to have to
back up the PC and then wipe it clean prior to reinstalling the OS.

I suggest trying to clean the PC first.


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Guest

Sharon, checking the history on Symantec the virus name was
C:\Windows\Web\desktop.html
 
David H. Lipman

From: "Sam" <[email protected]>

| Sharon, checking the history on Symantec the virus name was
| C:\Windows\Web\desktop.html



Two-part reply...

Perform Part 1 and then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


* * * Please report back your results * * *
 
Leythos

If you have SpyAxe, PSGuard, Smitfraud, Sinnaka advertisements or detections
for Puper or Alemod that cannot seem to be removed automatically, please
try this automated removal tool.

AntiPuper v1.0 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known trojan files. These files are
modified by the malware authors and encrypted to avoid detection.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc., this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, Windows
Update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy can not be found, the tool
will quickly look for McAfee AntiVirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.
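The post above lists the policy values this family tampers with and the WININET.DLL backup the tool falls back on. The following read-only audit script is an added example, not part of the thread or of the AntiPuper tool: it reports which of those policies are set, whether the Active Desktop wallpaper points at the desktop.html file mentioned earlier, and whether the live wininet.dll matches the Windows File Protection copy. It assumes the standard policy registry paths named below, the XP-era dllcache location, and a PowerShell version with Get-FileHash (4.0 or later), so it is meant for reference rather than for an actual XP box.

```powershell
# Added audit script (not the AntiPuper tool's own code). Read-only: it reports, never resets.
# Run in an elevated PowerShell session.

# Policy values the post describes malware setting. Assumed standard locations; on a clean
# workstation none of these is normally present.
$PolicyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'NoDispBackgroundPage' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoWindowsUpdate' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile';      Name = 'EnableFirewall' }
)

function Get-SuspiciousPolicy {
    foreach ($c in $PolicyChecks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }                  # value absent: nothing to report
        $value = $item.($c.Name)
        # EnableFirewall is the one value where 0 (firewall forced off) is the bad sign.
        $bad = if ($c.Name -eq 'EnableFirewall') { $value -eq 0 } else { $value -ne 0 }
        if ($bad) { [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $value } }
    }
}

function Test-DesktopHtmlHijack {
    # Active Desktop wallpaper value; the thread's Symantec history pointed at desktop.html.
    $wp = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General' `
                             -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -and $wp -like '*\Web\desktop.html') { "wallpaper points at $wp" } else { 'wallpaper not pointing at desktop.html' }
}

function Compare-WininetWithDllcache {
    $live   = Join-Path $env:SystemRoot 'system32\wininet.dll'
    $backup = Join-Path $env:SystemRoot 'system32\dllcache\wininet.dll'   # WFP cache on XP
    if (-not (Test-Path $backup)) { return 'no dllcache copy found; compare against install media' }
    $h1 = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 -Path $backup).Hash
    if ($h1 -eq $h2) { 'wininet.dll matches the dllcache copy' } else { "MISMATCH live=$h1 cache=$h2" }
}

Get-SuspiciousPolicy | Format-Table -AutoSize
Test-DesktopHtmlHijack
Compare-WininetWithDllcache
```

A hash mismatch on wininet.dll is not proof of infection by itself (a hotfix can update the live copy without touching dllcache), so confirm against a vendor scan before replacing the file.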
 
Sharon F

If you have SpyAxe, PSGuard, Smitfraud, Sinnaka advertisements or detections
for Puper or Alemod that cannot seem to be removed automatically, please
try this automated removal tool.

AntiPuper v1.0 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known Trojan files. These files are
modified by the malware authors and encrypted to avoid detection.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc., this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, Windows
Update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy can not be found, the tool
will quickly look for McAfee Antivirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.
 
Sharon F

| If you have SpyAxe, PSGuard, Smitfraud, Sinnaka advertisements or detections
| for Puper or Alemod that cannot seem to be removed automatically, please
| try this automated removal tool.
|
| <snip>
From your headers:
From: "Sharon F" <[email protected]>

I would appreciate it if you did not use my newsgroup handle. Didn't know
if I was coming or going for a minute. ;)

Thanks.
 
Sharon F

Sharon F just happens to be my name. I have been posting under it for years
in other groups. I come here under a different name and all I get are
complaints about name shifting. Now I decide to use my real name and you
complain about that. You are an MVP; I am not. You tell your fellow MVPs
like the P.A Bear and the rest of them to stop telling lies about me and I
will pick a name and stick by it. Otherwise John Eddy will have a field day
trying to find all my posts. Right now he gets about 1% of them. One other
thing: if Leythos the stalker does not stop, then I will not stop.
 
Leythos

| Sharon F just happens to be my name. I have been posting under it for years
| in other groups. I come here under a different name and all I get are
| complaints about name shifting. Now I decide to use my real name and you
| complain about that. You are an MVP; I am not. You tell your fellow MVPs
| like the P.A Bear and the rest of them to stop telling lies about me and I
| will pick a name and stick by it. Otherwise John Eddy will have a field day
| trying to find all my posts. Right now he gets about 1% of them. One other
| thing: if Leythos the stalker does not stop, then I will not stop.

If you didn't post from the same host as PCBUTTS1 does from time to time
people might believe that you were not PCBUTTS1, but since you post from
the SAME IP as butts does from time to time, it's kind of hard to
believe anything you say.

Even your messages have the EXACT SAME CONTENT from time to time.
 
Sharon F

| Sharon F just happens to be my name. I have been posting under it for years
| in other groups. I come here under a different name and all I get are
| complaints about name shifting.

Complain? No. A simple and polite request. Normally folks that frequent the
same newsgroups try not to duplicate handles. I will continue to post as
Sharon F. What you decide to do is up to you but again I would *politely*
request that you do not use the handle that I have used in these Microsoft
newsgroups since XP was released.
 