Tricky spyware

Menalaus

Member
Nov 28, 2007
So I started up Windows today and I had a little dialogue box pop up from the tray and tell me Windows had detected spyware. Here's an image to be more specific:

http://img.photobucket.com/alb...Random%202/spyware.jpg

If I click on the icon or the text the spyware automatically installs on my computer, which acts like it is anti-spyware software. I uninstalled as quickly as possible, so I don't even remember the name, and then proceeded to run Spybot, AVG, and Symantec. Spybot/AVG came up with a lot of garbage, all of which it deleted. Symantec didn't come back with anything. I restarted my computer and the dialogue box popped up once more. In the past, after I had installed it, clicking the 'x' button would close the message and not install the spyware, but doing so would only then encourage it to pop up again with the message and that annoying Windows pop up message would play (like when you have a Windows update available). This time when I closed it out it didn't pop up again. Either way, it shouldn't be showing up at all.

Any help/suggestions?
 

CalvinHobbes

Diamond Member
Feb 27, 2004
Scan and remove it in Safe mode and make sure you disable Windows system restore. There is more info in the security forum.
 

Slowlearner

Senior member
Mar 20, 2000
The whole drive has to be scanned a couple of times. So:

1. Start > All Programs > Accessories > System Tools > Disk Cleanup (10 min to 30 min)

2. Download Startup from: http://www.mlin.net/files/StartupCPL_EXE.zip
Save it in a new folder, unzip it and run it to see what programs are running.
Normally only the Anti Virus should be running at idle. Uncheck (don't delete)
any programs you don't recognize.

3. Download Spybot - Search and Destroy from http://www.spybotupdates.com/files/spybotsd152.exe
Install it > Skip all intermediate steps by clicking on Next Next
At the Main Screen click on Check for Updates and select their Safer-Networking Europe site - Choose only Detection rules (there are a whole bunch of these) and the Main Immunization database - nothing else, especially TCP/IP helper etc. Run Spybot - can take up to 30 min+
When it finds all the malware - Click on Fix selected problems - it may require a re-start if malware is already loaded

3. Re-start the computer in Safe mode with networking << keep pressing the F8 key after the bios loads

4. Start Internet Explorer, go to http://www.kaspersky.com/virusscanner - Accept the license. The low resolution graphics can make it difficult to view the full screen. Also you may need to temporarily allow ActiveX controls - a little bar will appear on top - right click to install

Kaspersky Online scanner will download updates - can take long, 30-40 min
Then click on Next - Choose Folder and select the C drive
and run - will take anything from 1 hour to 4 hours (<< if the hard drive is large)
After it finishes - it does not clean anything - save the report on the hard drive and print it out

5. Then try to delete all the files it has listed as "suspicious" or Adware manually - especially any in the Windows\System32 sub folder. Look out for oddly named files like ahjkld.dll - Ignore any files quarantined by the Anti Virus program

6. Once that's done, turn System Restore off: Start > Right click on My Computer > Properties > System Restore > check Turn off System restore on all drives - otherwise it will bring back everything deleted/fixed in the previous steps

7. Re-start the computer normally - if everything works - Create a new Restore Point
Start >All programs> Accessories>System Tools> System Restore

Note: some spyware embed themselves in the operating system and if you try to delete them manually in Step 5, you will get an error message stating - File in use - Access Denied - write down the names of those files on a sheet of paper - You may need to boot off a Bart PE or UBCD4Win CD to delete them.

This is a sure fire method that works every time, it just takes time.
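
Added example, not part of Slowlearner's post: a read-only PowerShell inventory of the autostart locations that step 2 reviews through Startup Control Panel, with each entry's target file checked for an Authenticode signature and for sitting under Windows\System32 (the folder step 5 singles out). It assumes PowerShell 3.0 or later and changes nothing; the function name Get-CommandTarget is made up for this example.

```powershell
# Added example: read-only inventory of common autostart locations.
# Assumes PowerShell 3.0+; Get-CommandTarget is a helper made up for this example.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget([string]$Command) {
    # Extract the file path from an autostart command line.
    $c = [Environment]::ExpandEnvironmentVariables($Command)
    # Quoted path first: "C:\path with spaces\x.exe" /arg
    if ($c -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Otherwise everything up to the first known extension
    if ($c -match '^\s*(.+?\.(exe|dll|bat|cmd|scr|vbs|lnk))(\s|,|$)') { return $Matches[1] }
    return ($c.Trim() -split '\s+')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $entries += [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
}
# Per-user and all-users Startup folders (shortcuts are listed, not resolved).
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
        $entries += [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
    }
}

# NotSigned or FileNotFound is a prompt to look closer, not proof of malware.
$entries | ForEach-Object {
    $target = Get-CommandTarget $_.Command
    $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
    [pscustomobject]@{
        Name       = $_.Name
        Target     = $target
        Signature  = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'FileNotFound' }
        InSystem32 = $target -like "$env:SystemRoot\System32\*"
        Source     = $_.Source
    }
} | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Entries given without a full path (for example a bare `rundll32.exe ...` command) show as FileNotFound because the script does not search PATH; check those by hand.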
 

xgsound

Golden Member
Jan 22, 2002
"Startup Control panel" mentioned above is an excellent way to temporarily keep some of the Malware (or whatever you wish) from autostarting. You still need to remove it.

Be sure to get a copy of "winsockfix.exe" from somewhere before you start removing the Malware in case the removal of the Malware breaks your internet connection.

I have had great luck with "Superantispyware" recently with the relatives' machines. It and your A/V will be most effective when run from safe mode.


Jim



 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
That is a smitfraud trojan infection you have. You need to go into safe mode and run the program below:

http://siri.geekstogo.com/SmitfraudFix.php


Then download and run this:

http://www.superantispyware.com/

(click on the blue free version)

These 2 programs will remove that fakealert and most of the zlob trojan causing it. Then you can run the usual programs for extra cleanup such as Ccleaner, Spybot, Adaware, etc.

Good luck! :)