"stealth" spyware

Guest

I keep receiving a message that my computer has been hijacked by the spyware
"stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
has never been spyware on the computer before and now there are naked ladies
popping up!! HELP!!
 
Kerry Brown

Hula said:
I keep receiving a message that my computer has been hijacked by the
spyware "stealthSWs114.h!dll ver.4.442as18a". My homepage is affected
and keeps going to "www.yoursystemupdate.com" instead of the set
homepage. I tried both the Microsoft Beta scan and Ad-Ware by
Lavasoft and neither have worked. There has never been spyware on the
computer before and now there are naked ladies popping up!! HELP!!

Run both programs from safe mode. You may also want to download and run the
following programs.

http://www.ewido.net/en/

http://www.webroot.com/consumer/products/spysweeper/

Both are commercial programs that allow a free trial period to try them out.
Both are better than MS Antispyware and Adaware. If you use either and it
works I encourage you to purchase them to help support legitimate
antispyware companies. Whatever you do, do not quit using MSAS and Adaware.
The fight against spyware takes many programs. No one program finds and
removes it all. When using multiple programs make sure only one is running
at any one time.

Kerry
 
David H. Lipman

From: "Hula" <[email protected]>

| I keep receiving a message that my computer has been hijacked by the spyware
| "stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
| to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
| Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
| has never been spyware on the computer before and now there are naked ladies
| popping up!! HELP!!


This is a new variation of the SmitFraud Trojan.

Two part reply...

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.


* * * Please report back your results * * *
 
Guest

I also receive the same msg when accessing my home page. I was able to run
the latest version of Norton (12-10-2005) and have deleted the trojan.zlob.f.
I was left with the damage from the viris and have tried everything to
repair. The viris changes won't allow me to change the default. Certain
internet addresses are now blocked (ie bank)
 
David H. Lipman

From: "BobC" <[email protected]>

| I also receive the same msg when accessing my home page. I was able to run
| the latest version of Norton (12-10-2005) and have deleted the trojan.zlob.f.
| I was left with the damage from the viris and have tried everything to
| repair. The viris changes won't allow me to change the default. Certain
| internet addresses are now blocked (ie bank)
| "Hula" wrote:
|

It is not a virus (correct spelling) it is a Trojan and is actually a new variant of the
SmitFraud Trojan.

Two part reply...

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html

Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

* * Please report back your results * *
 
Guest

I have encountered a very similar problem over the past two or three days.
It seems to me that a virus of some kind is being used to try and corner me
into purchasing an anti-viral, anti-popup programme that I don't need and can't
afford. It claims that my computer is affected by several dozen germs and
bacteria of various kinds, especially a trojan called
iworm-attck-v122.02a. Norton, adaware and spybot all agree that my computer is
clean - but still the pesky things popup. PUZZLING!!!
 
David H. Lipman

From: "david hooley" <[email protected]>

| I have encountered a very similar problem over the past two or three days.
| It seems to me that a virus of some kind is being used to try and corner me
| into purchasing an anti-viral, anti-popup programme that I don't need and can't
| afford. It claims that my computer is affected by several dozen germs and
| bacteria of various kinds, especially a trojan called
| iworm-attck-v122.02a. Norton, adaware and spybot all agree that my computer is
| clean - but still the pesky things popup. PUZZLING!!!

You are infected with adware/spyware making false claims to get you to purchase other
software, most likely a rogue anti spyware application.

Are you using Ad-aware SE v1.06 and SpyBot Search and Destroy v1.4 ? If they are older
versions you need to remove the older versions and then install the latest versions and
update them and then scan in Safe Mode.

Download HiJack This! -- http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a log and post the log in one of the various forums where you can get expert advice
for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }
 
Guest

Dave - I tried the first thing you suggested but the problem is still there,
although it did delete 4 unwanted programs. I haven't tried cleaning in safe
mode - I'm not very good with computers - how do I go into safe mode to do
that??

Thanks!
 
David H. Lipman

From: "Hula" <[email protected]>

| Dave - I tried the first thing you suggested but the problem is still there,
| although it did delete 4 unwanted programs. I haven't tried cleaning in safe
| mode - I'm not very good with computers - how do I go into safe mode to do
| that??

Like I said it is two phased.

Run both in Normal Mode.

Then run both again in Safe Mode.

Before going into Safe Mode, download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

After the McAfee AV scan completes, then go into Safe Mode. Hit { tap } the F8 key as soon as
the PC begins to boot, immediately after any platform related screens are shown.
 
goudelockb

Hula said:
I keep receiving a message that my computer has been hijacked by the spyware
"stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
has never been spyware on the computer before and now there are naked ladies
popping up!! HELP!!
 
goudelockb

I too am getting "www.yoursystemupdate.com" as my homepage instead of
yahoo or anything else I try. I've run six different spyware programs
and none have fixed this. spysweeper did remove the spyaxe problems
but not the homepage issue. I agree "HELP"
 
Kerry Brown

I too am getting "www.yoursystemupdate.com" as my homepage instead of
yahoo or anything else I try. I've run six different spyware programs
and none have fixed this. spysweeper did remove the spyaxe problems
but not the homepage issue. I agree "HELP"

Follow David H Lipman's instructions earlier in this same thread.

Kerry
 
Guest

Okay - I just did them both again in normal mode and that got rid of the
homepage hijacker!!! But I am still getting popups saying that there has been
a security breach and there is spyware on my computer. I was unable to put my
computer into safe mode to do it again - I rebooted the computer and then
tapped F8 as soon as the PC began to boot - But it didn't work. Can you
please give me some more detailed instructions for that part. Thanks so much
you've been such a lifesaver!!
 
Guest

I followed David's instructions and it WORKED!! My homepage is back to
normal! Give it a shot!
 
David H. Lipman

From: "Hula" <[email protected]>

| Okay - I just did them both again in normal mode and that got rid of the
| homepage hijacker!!! But I am still getting popups saying that there has been
| a security breach and there is spyware on my computer. I was unable to put my
| computer into safe mode to do it again - I rebooted the computer and then
| tapped F8 as soon as the PC began to boot - But it didn't work. Can you
| please give me some more detailed instructions for that part. Thanks so much
| you've been such a lifesaver!!

Well, that's basically it.
You're just not hitting [F8] at the right moment. Try to get to the [F8] a bit quicker, and
keep on tapping the key several more times.

An alternate method to get into Safe Mode:
A friend has a malware removal page on his web site with some good, alternative,
directions...
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_–_Getting_Help

Go down 2/3 to 3/4 of the page and find...
"Step 6 – Restart into Safe Mode and Scan"


Did you go through a complete McAfee scan ?
Was there anything found showing in; C:\mcafee\ScanReport.HTML ?
 
David H. Lipman

From: <[email protected]>

| Dave,
|
| For the users having trouble getting into Safe Mode, remember we have
| the free BootSafe application:
| http://www.superadblocker.com/bootsafe.html
|
| Supports all versions of Windows and is free. So far it has been well
| received.
|
| Nick Skrepetos
| SuperAdBlocker.com
| http://www.superadblocker.com


Do'h !

Yes I completely forgot about this -- Thanx Nick !

Hula:
Sorry Hula, I should have suggested Nick's utility. It is new and I forgot all about it.

I do suggest this utility to boot into Safe Mode.
 
Guest

David,
Thank you very much for your last reply - which proved helpful up to a point.
I replaced my earlier versions of SpyBot and Ad-aware with those you
recommended, and ran them both in both modes. In Safe mode SpyBot detected
some five rogues and successfully removed four. Unfortunately, one -
Smitfraud-C remains resolutely immoveable.
And:-
I have just received a popup which I suspect, but can not be certain, is a
rogue: what should I do with it? It reads:-
CRITICAL ERROR
Attention! Security module responsible for popup windows blocking has been
deleted by computer virus. To block adware popups you need to download one of
the security patches published by our official partners:
WinAntiSpyware;WinAntiVirus Pro:& Spy Fighter.

Am I correct in being highly suspicious?


I run the Norton Antivirus & Firewall programmes, not the McAfee programme
you appear to recommend elsewhere.

Sincerely,
David Hooley
 
David H. Lipman

From: "david hooley" <[email protected]>

|
| David,
| Thank you very much for your last reply - which proved helpful up to a point.
| I replaced my earlier versions of SpyBot and Ad-aware with those you
| recommended, and ran them both in both modes. In Safe mode SpyBot detected
| some five rogues and successfully removed four. Unfortunately, one -
| Smitfraud-C remains resolutely immoveable.
| And:-
| I have just received a popup which I suspect, but can not be certain, is a
| rogue: what should I do with it? It reads:-
| CRITICAL ERROR
| Attention! Security module responsible for popup windows blocking has been
| deleted by computer virus. To block adware popups you need to download one of
| the security patches published by our official partners:
| WinAntiSpyware;WinAntiVirus Pro:& Spy Fighter.
|
| Am I correct in being highly suspicious?
|
| I run the Norton Antivirus & Firewall programmes, not the McAfee programme
| you appear to recommend elsewhere.
|
| Sincerely,
| David Hooley

Use the following two phase approach to remove the SmitFraud and its accomplices.

The solution in Part 2 does use a McAfee command line AV scanner and it does NOT need to
pre-exist on your PC.
All components will be downloaded for your use. Just take a note on the FireWall issue
noted in Part 2.

Run both in Normal Mode and then run them both in Safe Mode.

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html

Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

* * * Please report back your results * * *
 
