Popups in strange shapes

I've got a persistent adware problem, and the anti-spyware doesn't kill it.

An IE window pops open, but the window is in the shape of an object such as
a cell phone or a house or a person. The website seems to be ad-w-a-r-e.com.

Any suggestions?
 
First of all - send a Suspected Spyware Report through the Tools menu of
MSAS to the SpyNet.



Then turn off the System Restore: Start -> right click on My Computer ->
Properties -> System Restore -> select the box 'Turn off System Restore'
and press Apply, then exit.

(Remember to turn it on - i.e. deselect that box - again after cleaning the
system!!)



Next start the computer in the Safe mode (F8 during boot-up), run Windows
Explorer, go to your profile temporary folders (usually C:\Documents and
Settings\username\local settings\temp and c:\Documents and
Settings\username\local settings\Temporary Internet Files\Content.IE5) and
delete all the files in those directories and subdirectories. Then do a full
system scan with MS AntiSpyware (check the proper option under Scan
settings). Scan the computer with the antivirus software that you use. And
also with some other "cleaning" software such as:



Spybot Search&Destroy http://www.spybot.info/en/index.html

HijackThis http://www.tomcoyote.org/hjt/

CWShredder http://www.majorgeeks.com/download3019.html

Ad-Aware SE Personal http://www.lavasoft.com/software/adaware/

McAfee Stinger http://vil.nai.com/vil/stinger/

Spy Sweeper - http://www.webroot.com

Ccleaner - http://www.ccleaner.com



If you run HijackThis you can check the log it prepares - just copy and
paste it into the http://www.hijackthis.de web page and click the Analyze button.



Need a free antivirus? Try this one http://www.free-av.com



And protect your system with antispyware, antivirus and firewall software.

Keep this software up to date.

Also KEEP THE SYSTEM UP TO DATE (http://www.windowsupdate.com)
 
Don't turn off System Restore until AFTER removing the spyware. Then turn
it back on.
 
Hi Frank,

I disagree - it should be turned off BEFORE removing the spyware, because
some malware apps profit from being able to be restored by this feature :-)
So first turn SR off, then clean the system, then turn SR on.
 
Hi Mikolaj

I disagree because this is a "life boat" if something goes wrong during
malware removal. It's better then to back a system with malware and
take help from a "HijackThis" forum.

But after a successful removal it might be a good idea to flush System
Restore and remove hidden malware and start from scratch again with a
*protected* PC.
 
Hi plun,

You can always use ntbackup for the system partition before the removal
attempt..

And keep in mind how stressful the situation might be for a non-professional
computer user, when he tries to remove malware and it keeps
re-appearing again and again and again (because of SR).
This usually ends with the "format c:" and "windows sucks" statement, don't
you think?

However, there are always pros and cons - much depends on the situation, I
suppose.
 
Hi

Nope, check every forum dealing with this and of course it is
frustrating.

But "the helper" within a HijackThis forum knows all the time during a
removal procedure that System Restore is an option if something fails.
"This went totally wrong so now we back your system and start over with
a new removal procedure".

And this is the same if a user tries this without help, keep SR until
malware is removed, then flush it. IMHO
 
Hi again,

OK, I will modify the procedure to flush SR after the successful removal,
due to your reasonable arguments :-D
 
Hi again Mikolaj

Nevertheless, with this type of forum it is no meaning with "good
practices". Everything will be a mess until MS understands that
unknown removals must be handled with "best practice" solutions.

Scan with MSAS in safe mode ;) ;) ;)

So I have my standard with CCleaner, Adaware and MSAS in safe mode
and write nothing about System Restore ;)

Every modern antivirus app hopefully then cleans SR if a user
understands that a good antivirus protection also is needed.

But the temporary "junk/graveyard" is more important to clean out
than SR. IMHO ;)
 
The site ad-w-a-r-e.com is a front for the infection 'look2me'. I have an
installer coming from that site which I use for testing, and if this is what
you have on your system, it's one of the hardest variants of malware to remove,
as it changes permissions plus rewrites its entries. Its DLL files are also
hooked to explorer, rundll32 and winlogon, so it's a nasty piece of junk to
remove, which can involve many different fix tools such as HijackThis,
CWShredder, L2MFix, Killbox and possibly even Process Explorer to unhook the
DLLs.

The good news is that the new version of SpySweeper will remove it, as they
have a feature called 'Early File Remover' which can detect it running in
memory and then remove it on reboot before it has a chance to load.

Download the Free Trial Of Spysweeper Here.

http://www.webroot.com/downloads/

Install and update the definitions and then run a complete system scan. If
you have any problems, then reboot into safe mode and run a scan from there
(reboot and keep tapping F8 and choose safe mode from the list).

For the System Restore debate :) Deal with it this way once the system is
clean.

To clear System Restore, first create a new restore point when the system is
clean.

Go to Start Menu > Run and copy & paste this in:

%SystemRoot%\System32\restore\rstrui.exe

Press Enter, choose "Create a restore point" and Next, name it and press
Create.

Next, clear the infected restore points.

Go to Start Menu > Run and type:

cleanmgr

Press Enter, go to the "More Options" tab and press Clean up in the System
Restore area to remove all the restore points except the one we just created.

Regards

Andy
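
The restore-point cleanup described in the post above, as an added example that is not part of the original thread: it scripts the same two steps (create a clean restore point, then remove the older ones) and refuses to delete anything unless the new point really exists. It assumes a current Windows client with Windows PowerShell 5.1 and System Restore enabled rather than the XP dialogs used in the thread; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumes Windows PowerShell 5.1 and
# System Restore enabled on the system drive.

# SRRemoveRestorePoint is the System Restore API exported by srclient.dll.
Add-Type -Namespace Win32 -Name SystemRestore -MemberDefinition @'
[DllImport("srclient.dll")]
public static extern int SRRemoveRestorePoint(int index);
'@

function New-CleanRestorePoint {    # hypothetical helper name
    param([string]$Description = 'Clean baseline after malware removal')

    # Remember the highest existing sequence number (0 if there are no points).
    $last = (Get-ComputerRestorePoint |
        Measure-Object -Property SequenceNumber -Maximum).Maximum
    if ($null -eq $last) { $last = 0 }

    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    # Checkpoint-Computer can decline to create a point and only warn, so
    # confirm that a newer point exists before anything is deleted.
    $new = Get-ComputerRestorePoint |
        Where-Object { $_.SequenceNumber -gt $last } |
        Sort-Object SequenceNumber | Select-Object -Last 1
    if (-not $new) {
        throw 'No new restore point was created; existing points left untouched.'
    }
    $new
}

function Remove-OlderRestorePoint {    # hypothetical helper name
    param([Parameter(Mandatory)][uint32]$KeepSequenceNumber)

    # Collect the list first so deletion does not disturb the enumeration.
    $old = @(Get-ComputerRestorePoint |
        Where-Object { $_.SequenceNumber -lt $KeepSequenceNumber })
    foreach ($rp in $old) {
        $rc = [Win32.SystemRestore]::SRRemoveRestorePoint([int]$rp.SequenceNumber)
        [pscustomobject]@{
            SequenceNumber = $rp.SequenceNumber
            Description    = $rp.Description
            Removed        = ($rc -eq 0)   # 0 = ERROR_SUCCESS
        }
    }
}

$clean = New-CleanRestorePoint
Remove-OlderRestorePoint -KeepSequenceNumber $clean.SequenceNumber
```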
 
Hi wrhmo;
Please let us know how SpySweeper 4.5 worked for you with "look2me", as the
product is new, and we'd all like to know how effective it is. Their last
version 4.0, got outstanding reviews, so this upgrade should only make it more
effective. Thanks.
 
Hi Andy,
Though I have the retail version of SpySweeper 4.5, I can't find the reference
to "Early File Remover", though I do see a reference to:

Using Additional Tools to Remove Threats
Some spyware, adware, or unwanted programs require that you download and use
an additional tool to completely remove them. After you run a sweep, if the
Additional Threat Removal Tools Required window displays, you must use an
additional tool to ensure that you completely remove a threat that Spy Sweeper
found.

Note: You must connect to the Internet to use an additional tool.

To use additional tools to remove threats:

a. From the Additional Threat Removal Tools Required window, click Download
   to download the tool to your computer.
   - Spy Sweeper opens your Internet browser and takes you to the Webroot
     Web site.
b. Follow the instructions on the Web site to download the file that
   contains the tool.
   - Be sure you remember where you download the file on your computer.
c. Follow the instructions on the Web page to install and use the tool.
d. From the Additional Threat Removal Tools Required window, click Finish.
   - The Home panel displays. If you are using the TRIAL version or if your
     subscription is within 30 days of expiring, a panel reminding you to
     purchase or renew displays.

So the question for me is, are these "Additional Tools" the same as "Early File
Remover", and are they available using the trial downloaded versions? Do you
know? TIA
 
Hi Dave

Sorry for the delay, Just got home from work :)

The Early File Remover is built into the new version of Spy Sweeper. I've got
SpySweeper on my own system and have tried it with Look2me, and it removed the
infection without problems.

Here's a write up on look2me :

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42385

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=43322

Regarding the Early File Remover, go to Search and choose all files and
folders and search for this file:

ssiefr.exe

It will be found in system32 and when you move your mouse over the entry it
will display Spy Sweeper Early File Remover :)

Chat to you later

Regards

Andy
 
Spot on Andy... Now there's some functionality for Beta2 to duplicate...
Interesting what $108 million in Venture Capital money can accomplish ;).
http://www.eweek.com/article2/0,1895,1760974,00.asp

Unless Beta2 achieves the ability to clean in a delayed bootup mode (like Check
Disk, and now Early File Remover), this is going to be hard to beat. How many
times have we spelled out RUN IN SAFE MODE to people frustrated with failed MSAS
removals?
 