adware, trojans, dialers, etc.


Steve Brown and Pat Wehren

I recently experienced a blitz of adware, trojans and dialers apparently
from the same site. While Symantec Antivirus seems to have purged all
serious consequences, I'm left with some weird residual stuff that Symantec
doesn't now detect as an active problem (nor does Ad-aware). The most
annoying thing is the large black and red SPYWARE INFECTION notice that has
replaced my wallpaper (formerly a group of bighorn sheep). When I try to
restore this in the Display icon of the Control panel, I find the function
that allows for selection of " background " to be frozen. Pretty much
everything else works, although the Task Manager seems to be disabled. Could
someone steer me in the right direction to undo this invasion? My paltry
technical resources lead me to suspect that a file or registry key was
altered, but I have no clue how to troubleshoot these things. Any help would
be greatly appreciated.

Thanx
Steve Brown
 
Steve Brown and Pat Wehren said:
I recently experienced a blitz of adware, trojans and dialers apparently
from the same site. While Symantec Antivirus seems to have purged all
serious consequences, I'm left with some weird residual stuff that Symantec
doesn't now detect as an active problem (nor does Ad-aware). The most
annoying thing is the large black and red SPYWARE INFECTION notice that has
replaced my wallpaper (formerly a group of bighorn sheep). When I try to
restore this in the Display icon of the Control panel, I find the function
that allows for selection of " background " to be frozen. Pretty much
everything else works, although the Task Manager seems to be disabled.
Could someone steer me in the right direction to undo this invasion? My
paltry technical resources lead me to suspect that a file or registry key
was altered, but I have no clue how to troubleshoot these things. Any help
would be greatly appreciated.

I'd try
http://www.microsoft.com/athome/security/spyware/software/default.mspx
and if that doesn't help, http://www.lavasoft.com/ and
http://www.safer-networking.org/en/index.html both have free tools,
although I'd only recommend running one in the background; Microsoft's one
seems better at this job.

--
Paul Smith,
Yeovil, UK.
http://www.windowsresource.net/
http://www.xbox360degrees.com/

*Remove 'nospam.' to reply by e-mail*
 
If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections
for Puper or Alemod that cannot seem to be removed automatically, please
try this automated removal tool.

AntiPuper v1.0 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

What does this tool do?
This tool will attempt to delete several known Trojan files. These files are
modified by the malware authors and encrypted to avoid detection.
Fortunately, many of these tend to use the exact same file names. If the
files are in use, locked, protected, etc., this program will schedule Windows
to remove the files upon restarting.

This program will also remove some common security policies that are changed
by viruses and worms. Policies that lock out your desktop changes, windows
update, Windows Firewall, Explorer Run policies, Registry editing, and more
are all reset.

Finally, if you have an infected Alemod WININET.DLL file, this program will
try to copy a clean version from your Windows File Protection folder and
replace the bad copy on restart. If a backup copy cannot be found, the tool
will quickly look for McAfee Antivirus files and attempt to clean a copy of
the file to replace the bad one on reboot. If all of this fails, you will
need to manually replace/clean your WININET.DLL file.
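The "security policies that are changed by viruses and worms" mentioned above are ordinary per-user registry values, which is why the symptoms in this thread (Task Manager disabled, the Background tab frozen) survive after the malware files are gone. The following is an added example, not code from the thread and not part of AntiPuper: it audits the real Windows policy values behind those symptoms and writes a .reg fragment that sets only the active ones back to 0. The registry snapshot it ships with is constructed to look like an infected profile so the script runs offline; on Windows, read_live_snapshot() reads the same keys from HKEY_CURRENT_USER with the standard-library winreg module.

```python
"""Audit the per-user policy values that desktop-hijack malware flips.

Added example (not code from the thread or from AntiPuper). The value names
are real Windows policy values; the sample snapshot is constructed.
"""
import sys

# Key paths relative to HKEY_CURRENT_USER; non-zero DWORD data = restriction on.
LOCKOUT_POLICIES = {
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableTaskMgr": "Task Manager disabled",
        "DisableRegistryTools": "Registry Editor disabled",
        "NoDispBackgroundPage": "Display Properties 'Background' tab hidden",
        "NoDispCPL": "Display Properties control panel blocked",
    },
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoRun": "Start > Run removed",
        "NoControlPanel": "Control Panel blocked",
    },
    r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop": {
        "NoChangingWallPaper": "wallpaper changes blocked",
    },
}
WALLPAPER_KEY = r"Control Panel\Desktop"

# Constructed snapshot of an infected profile (sample data, not from the thread).
SAMPLE_SNAPSHOT = {
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableTaskMgr": 1,
        "NoDispBackgroundPage": 1,
        "DisableRegistryTools": 0,
    },
    WALLPAPER_KEY: {"Wallpaper": r"C:\WINDOWS\desktop.html"},
}


def audit_policies(snapshot):
    """Return (key, value name, description) for every lockout switched on.
    snapshot maps a key path (relative to HKCU) to {value name: data}."""
    findings = []
    for key, policies in LOCKOUT_POLICIES.items():
        values = snapshot.get(key, {})
        for name, description in policies.items():
            data = values.get(name)
            if isinstance(data, int) and data != 0:
                findings.append((key, name, description))
    return findings


def audit_wallpaper(snapshot):
    """Heuristic: an HTML wallpaper is usually an Active Desktop hijack (the fake
    'SPYWARE INFECTION' notice), not a picture the user chose."""
    wallpaper = str(snapshot.get(WALLPAPER_KEY, {}).get("Wallpaper", ""))
    if wallpaper.lower().endswith((".htm", ".html")):
        return f"wallpaper is an HTML page: {wallpaper}"
    return None


def build_reset_reg(findings):
    """Emit .reg text that sets each active lockout value back to 0. This is
    narrower than deleting the whole Policies key, so other settings survive."""
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[HKEY_CURRENT_USER\\{key}]")
        lines.extend(f'"{name}"=dword:00000000' for name in sorted(names))
        lines.append("")
    return "\n".join(lines)


def read_live_snapshot():
    """Windows only: read the audited keys from HKEY_CURRENT_USER via winreg."""
    import winreg  # standard library, importable only on Windows
    snapshot = {}
    for key in list(LOCKOUT_POLICIES) + [WALLPAPER_KEY]:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
                snapshot[key] = values
        except FileNotFoundError:
            continue  # key absent: nothing is set there
    return snapshot


if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    found = audit_policies(snap)
    for key, name, description in found:
        print(f"{description}: HKCU\\{key}\\{name}")
    note = audit_wallpaper(snap)
    if note:
        print(note)
    if found:
        print(build_reset_reg(found))
```

Run it on the infected machine (or on any machine for the constructed sample) and compare the printed findings with the symptoms; a policy that is on but was never set by you is the thing to reset. The .reg it prints only touches the values it found, which is the conservative choice when a machine also has legitimate policy settings.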
 
Steve,

I've had the exact same problem.... emanating from some program called
"SpySheriff". I've run the suggested Microsoft AntiSpyWare Beta program which
found several registry problems but I still have the blue screen blocking my
wallpaper and, like you, I still can't access the background to change it.
How have you gone... any fixes yet?

David Floyd
Adelaide, Australia
 
I got hit with the same thing the other day. After removing all traces I
could find: paytime.exe, winstall.exe, and a bunch of other junk, I still had
the hijacked screen and the hijacked hosts file. So I thought what the
heck... just go back to a restore point, which I did, and all seems fine now.
EzTrust does pick up something every night now, but it gets deleted right
away... maybe something is hiding in the restore files?... dunno, gonna see
what happens tonight.


| Steve,
|
| I've had the exact same problem.... emanating from some program called
| "SpySheriff". I've run the suggested Microsoft AntiSpyWare Beta program which
| found several registry problems but I still have the blue screen blocking my
| wallpaper and, like you, I still can't access the background to change it.
| How have you gone... any fixes yet?
|
| David Floyd
| Adelaide, Australia
 
I have the same thing going on: Trojan.Desktophijack. Found this info from
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html
It was crazy, the PC was going nuts. I believe I have gotten rid of all the
other spycrap (VX2, SpySheriff, command, etc.); there were a lot.

I am going to try the registry entries when I get home tonight. I created
this reg file to remove a lot of it.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL]

[-HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087]

; Per-user keys live under HKEY_CURRENT_USER (HKEY_USERS\Software does not exist;
; HKEY_USERS is keyed by user SID)
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}]

; Deleting this whole key removes DisableTaskMgr, NoDispBackgroundPage and any
; other policy value set under it
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Good luck to ya.

DTM
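A .reg file like the one DTM posted is worth reading mechanically before it is double-clicked, since regedit applies every `[-...]` line silently. The parser below is an added example, not code from the thread: it reads the Windows Registry Editor Version 5.00 format (delete-key and set-key sections, value lines, `;` comments and backslash continuations) and then reviews the entries for the mistakes that are easy to make by hand, namely a root that is not a hive, a per-user path written under HKEY_USERS without a SID (which regedit would just skip), a malformed GUID in a CLSID path, and deletion of a whole Policies\System key rather than its individual values. The sample text embedded in it is constructed from a few of the lines in DTM's file.

```python
"""Parse and review a Windows .reg (Registry Editor 5.00) file.

Added example, not code from the thread. The sample .reg text is constructed
from lines posted in the thread plus one set-value section.
"""
import re

HIVES = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
SID_RE = re.compile(r"^(S-1-\d+(-\d+)+|\.DEFAULT)$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample: three delete lines from the thread and one value reset.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; BHO / toolbar CLSIDs named in the thread
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}]

[-HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL]

[-HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"""


def _logical_lines(text):
    """Join continuation lines (trailing backslash, used for long hex data)."""
    buffer = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            buffer += stripped[:-1]
            continue
        yield buffer + stripped
        buffer = ""


def parse_reg(text):
    """Return a list of {action, root, subkey, values} dicts, one per section.
    action is 'delete' for [-key] sections and 'set' otherwise."""
    lines = list(_logical_lines(text))
    if not lines or lines[0] != HEADER:
        raise ValueError(f"missing header {HEADER!r}")
    entries, current = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            action = "delete" if body.startswith("-") else "set"
            root, _, subkey = body.lstrip("-").partition("\\")
            current = {"action": action, "root": root, "subkey": subkey, "values": {}}
            entries.append(current)
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current["values"][name if name == "@" else name.strip('"')] = data
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries


def review_reg(entries):
    """Return (key path, problem) pairs for entries a reviewer should question."""
    findings = []
    for entry in entries:
        location = f"{entry['root']}\\{entry['subkey']}"
        if entry["root"] not in HIVES:
            findings.append((location, "root is not a registry hive"))
        elif entry["root"] == "HKEY_USERS":
            first = entry["subkey"].split("\\", 1)[0]
            if not SID_RE.match(first):
                findings.append((location, "HKEY_USERS needs a SID or .DEFAULT subkey; "
                                           "use HKEY_CURRENT_USER for the logged-on user"))
        for part in entry["subkey"].split("\\"):
            if part.startswith("{") and not GUID_RE.match(part):
                findings.append((location, f"malformed GUID component {part}"))
        if entry["action"] == "delete" and entry["subkey"].lower().endswith("policies\\system"):
            findings.append((location, "deletes the whole Policies\\System key; "
                                       "setting the individual values to 0 is narrower"))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for entry in parsed:
        print(entry["action"], entry["root"] + "\\" + entry["subkey"], entry["values"])
    for location, problem in review_reg(parsed):
        print("REVIEW:", location, "->", problem)
```

On the sample, the two HKEY_LOCAL_MACHINE deletions pass, the HKEY_USERS line is flagged twice (no SID, and a whole-key deletion), and the HKEY_CURRENT_USER section that resets DisableTaskMgr passes. Point parse_reg at a file's contents to review a real .reg before importing it.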
 
Hey Steve and Pat - I just had the same prob. It is a fake message and hard
to get rid of. You have to start your puter in safe mode and then run the
program that detected it. I have Spyware Doctor and once I did this it
removed the red and black message. Good Luck
 