Spyware

  • Thread starter: Billie Jean

Billie Jean

(oops...posted this in the windowsxp.general group by accident...)

Err...I have a problem that will sound really stupid ^^; I turned on
my computer the other day and my desktop wallpaper was replaced with a
little note stating that I had spyware on my computer and that I should
not use the computer until the spyware was removed. It also wouldn't
let me change the wallpaper.

So I ran various spyware removers in hope of solving the problem, but
even after that, the message was still there....Then I did the dumbest
thing I could do (I was seriously tired by this time), I typed 'spy' in
"Find:" and deleted anything that showed up...yeah, dumb, I know ^^; I
figured I deleted some system files...is there any way to fix this? If
you could help me out, I'd really appreciate it.


Thanks in advance.
 
From: "Billie Jean" <[email protected]>

| (oops...posted this in the windowsxp.general group by accident...)
|
| Err...I have a problem that will sound really stupid ^^; I turned on
| my computer the other day and my desktop wallpaper was replaced with a
| little note stating that I had spyware on my computer and that I should
| not use the computer until the spyware was removed. It also wouldn't
| let me change the wallpaper.
|
| So I ran various spyware removers in hope of solving the problem, but
| even after that, the message was still there....Then I did the dumbest
| thing I could do (I was seriously tired by this time), I typed 'spy' in
| "Find:" and deleted anything that showed up...yeah, dumb, I know ^^; I
| figured I deleted some system files...is there any way to fix this? If
| you could help me out, I'd really appreciate it.
|
| Thanks in advance.

Two part reply..

Perform Part 1 and then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

Swandog46's Apropos Adware/RootKit remover
http://swandog46.geekstogo.com/aproposfix.exe


* * * Please report back your results * * *
 
If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections
for Puper or Alemod that can not seem to be removed automatically, please
try this automated removal tool.

AntiPuper v1.0 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known trojan files. These files are
modified by the malware authors and encrypted to avoid detection.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc., this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, windows
update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy can not be found, the tool
will quickly look for McAfee AntiVirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.
 
Hi ^_^;

Sorry for the late reply, but it took longer than expected. I guess
the more files you have, the longer it will take.

It worked! Thank you so much! McAfee is still scanning, but my
computer isn't acting odd anymore--I guess Part 1 did the job.

Thank you again, this really helped.
 
If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
69.237.53.123

The poster hiding as Joshua is really PCBUTTS1 (also known in real life
as Chris Butts) and has to keep changing his nickname and address in
order to be able to have posts show up on the Microsoft Servers.

Be careful when following directions provided by BUTTS as you never
really know what you are getting.

This is not to imply that Secured2K is Butts, he's actually a very nice
chap with good tools that Butts tries to pass off as though he's part of
the solution.
 
From: "Billie Jean" <[email protected]>

| Hi ^_^;
|
| Sorry for the late reply, but it took longer than expected. I guess
| the more files you have, the longer it will take.
|
| It worked! Thank you so much! McAfee is still scanning, but my
| computer isn't acting odd anymore--I guess Part 1 did the job.
|
| Thank you again, this really helped.

YW and happy Holidays.

Thanx for updating the thread.
 
Leythos the stalker is at it again.

Leythos said:
NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
69.237.53.123

The poster hiding as Joshua is really PCBUTTS1 (also known in real life
as Chris Butts) and has to keep changing his nickname and address in
order to be able to have posts show up on the Microsoft Servers.

Be careful when following directions provided by BUTTS as you never
really know what you are getting.

This is not to imply that Secured2K is Butts, he's actually a very nice
chap with good tools that Butts tries to pass off as though he's part of
the solution.
 
Funny, every time I see your post, I see Leythos's too ^^;

Happened in the other thread too o_O;
 
Is it possible that this will also work to remove a series of unwanted icons
on my home page that, when the cursor is placed on them, bring up a set of
web links that I would very much like to remove? They appeared one day after
I accidentally clicked on a link in some email spam I received, and I also
began to have performance problems - slow operation, difficult time booting
up, etc.

Thanks!!!
 
From: "Steve" <[email protected]>

| Is it possible that this will also work to remove a series of unwanted icons
| on my home page that, when the cursor is placed on them, bring up a set of
| web links that I would very much like to remove? They appeared one day after
| I accidentally clicked on a link in some email spam I received, and I also
| began to have performance problems - slow operation, difficult time booting
| up, etc.
|
| Thanks!!!

Maybe and maybe not. There are many adware/spyware forms of malware and the symptoms that
you provided are *very* generic.

Start with the following and we can go from there if need be.

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Leythos the stalker is at it again.

NNTP-Posting-Host: ppp-69-237-53-123.dsl.bkfd14.pacbell.net
69.237.53.123

Stop trying to pass off other people's works as what appears to be your
own and I won't have to post.

Anyone that morphs as much as you do really has something to hide about
their actions.
 