- Spyware Question
- Posted by Sam on December 17th, 2005
Unfortunately my computer got infected with adware/spyware. The virus tries
to start up every time I boot my computer. My desktop and Internet Explorer
settings are affected by the virus. My Symantec software stops the Trojan
virus from spreading but I can't seem to find the correct files to delete.
I've tried to restore my system to an earlier date but an error message says
the files have been changed that will not allow it to restore. I've even
tried to reinstall Windows XP with the Operating System disk but I can't seem
to get the CD to read once it is rebooted. I keep getting an error message
saying my current Windows version is newer than the version on the CD.
Any thoughts on what I can do to restore my computer to its original settings?
Any suggestions are appreciated.
Thanks.
- Posted by David H. Lipman on December 17th, 2005
From: "Sam" <Sam@discussions.microsoft.com>
| Unfortunately my computer got infected with adware/spyware. The virus tries
| to start up every time I boot my computer. My desktop and Internet Explorer
| settings are affected by the virus. My Symantec software stops the Trojan
| virus from spreading but I can't seem to find the correct files to delete.
| I've tried to restore my system to an earlier date but an error message says
| the files have been changed that will not allow it to restore. I've even
| tried to reinstall Windows XP with the Operating System disk but I can't seem
| to get the CD to read once it is rebooted. I keep getting an error message
| saying my current Windows version is newer than the version on the CD.
|
| Any thoughts on what I can do to restore my computer to its original settings?
|
| Any suggestions are appreciated.
|
| Thanks.
Sam:
You are going to have to clean the computers of the infectors or you are going to have to
backup the PC and then wipe it clean prior to reinstalling the OS.
I suggest trying to clean the PC first.
For non-viral malware...
Please download, install and update the following software...
* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
* SpyBot Search and Destroy v1.4
http://security.kolla.de/
After the software is updated, I suggest scanning the system in Safe Mode.
I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.
* BHODemon
http://www.definitivesolutions.com/bhodemon.htm
http://www.majorgeeks.com/downloadge...4332b4b8b8442d
For viral malware...
* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Sam on December 17th, 2005
Sharon, checking the history on Symantec the virus name was
C:\Windows\Web\desktop.html
- Posted by David H. Lipman on December 17th, 2005
From: "Sam" <Sam@discussions.microsoft.com>
| Sharon, checking the history on Symantec the virus name was
| C:\Windows\Web\desktop.html
Two-part reply.
Perform Part 1 and then perform Part 2.
Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server
Part 1
-----------
Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click...click.php?id=1
http://www.bleepingcomputer.com/forums/topic36868.html
Part 2
-----------
Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
Alternate:
Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.
http://secured2k.home.comcast.net/tools/AntiPuper.exe
http://forums.mcafeehelp.com/viewtopic.php?t=65072
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Sharon F on December 17th, 2005
On Fri, 16 Dec 2005 21:25:35 -0800, Sharon F wrote:
> If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or detections
> for Puper or Alemod that can not seem to be removed automatically, please
> try this automated removal tool.
<snip>
From your headers:
From: "Sharon F" <data@datalnk.com>
I would appreciate it if you did not use my newsgroup handle. Didn't know
if I was coming or going for a minute.
Thanks.
--
Sharon F
MS-MVP ~ Windows Shell/User
- Posted by Sharon F on December 17th, 2005
Sharon F just happens to be my name. I have been posting under it for years
in other groups. I come here under a different name and all I get are
complaints about name shifting. Now I decide to use my real name, you
complain about that. You are an MVP; I am not. You tell your fellow MVPs
like the P.A Bear and the rest of them to stop telling lies about me and I
will pick a name and stick by it. Otherwise John Eddy will have a field day
trying to find all my posts. Right now he gets about 1% of them. One other
thing: if Leythos the stalker does not stop then I will not stop.
"Sharon F" <sharonfDEL@ETEmvps.org> wrote in message
news:eNoQg%23sAGHA.356@TK2MSFTNGP12.phx.gbl...
> On Fri, 16 Dec 2005 21:25:35 -0800, Sharon F wrote:
>
>> If you have SpyAxe, PSGuard, Smitfraud, Sinnaka Advertisements or
>> detections
>> for Puper or Alemod that can not seem to be removed automatically, please
>> try this automated removal tool.
>
> <snip>
> From your headers:
> From: "Sharon F" <data@datalnk.com>
>
> I would appreciate it if you did not use my newsgroup handle. Didn't know
> if I was coming or going for a minute.
>
> Thanks.
>
> --
> Sharon F
> MS-MVP ~ Windows Shell/User
- Posted by Sharon F on December 17th, 2005
On Sat, 17 Dec 2005 07:54:58 -0800, Sharon F wrote:
> Sharon F just happens to be my name. I have been posting under it for years
> in other groups. I come here under a different name and all I get are
> complaints about name shifting.
Complain? No. A simple and polite request. Normally folks that frequent the
same newsgroups try not to duplicate handles. I will continue to post as
Sharon F. What you decide to do is up to you but again I would *politely*
request that you do not use the handle that I have used in these Microsoft
newsgroups since XP was released.
--
Sharon F
MS-MVP ~ Windows Shell/User