- "stealth" spyware
- Posted by Hula on December 10th, 2005
I keep receiving a message that my computer has been hijacked by the spyware
"stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
has never been spyware on the computer before and now there are naked ladies
popping up!! HELP!!
- Posted by Kerry Brown on December 10th, 2005
Hula wrote:
> I keep receiving a message that my computer has been hijacked by the
> spyware "stealthSWs114.h!dll ver.4.442as18a". My homepage is affected
> and keeps going to "www.yoursystemupdate.com" instead of the set
> homepage. I tried both the Microsoft Beta scan and Ad-Ware by
> Lavasoft and neither have worked. There has never been spyware on the
> computer before and now there are naked ladies popping up!! HELP!!
Run both programs from safe mode. You may also want to download and run the
following programs.
http://www.ewido.net/en/
http://www.webroot.com/consumer/products/spysweeper/
Both are commercial programs that allow a free trial period to try them out.
Both are better than MS Antispyware and Adaware. If you use either and it
works I encourage you to purchase them to help support legitimate
antispyware companies. Whatever you do, do not quit using MSAS and Adaware.
The fight against spyware takes many programs. No one program finds and
removes it all. When using multiple programs make sure only one is running
at any one time.
Kerry
- Posted by David H. Lipman on December 10th, 2005
From: "Hula" <Hula@discussions.microsoft.com>
| I keep receiving a message that my computer has been hijacked by the spyware
| "stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
| to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
| Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
| has never been spyware on the computer before and now there are naked ladies
| popping up!! HELP!!
This is a new variation of the SmitFraud Trojan.
Two part reply...
Part 1
-----------
Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click...click.php?id=1
http://www.bleepingcomputer.com/forums/topic36868.html
Part 2
-----------
Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by BobC on December 11th, 2005
I also receive the same msg when accessing my home page. I was able to run
the latest version of Norton (12-10-2005) and have deleted the trojan.zlob.f.
I was left with the damage from the viris and have tried everything to
repair. The viris changes won't allow me to change the default. Certain
internet addresses are now blocked (i.e. bank)
"Hula" wrote:
> I keep receiving a message that my computer has been hijacked by the spyware
> "stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
> to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
> Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
> has never been spyware on the computer before and now there are naked ladies
> popping up!! HELP!!
- Posted by David H. Lipman on December 11th, 2005
From: "BobC" <BobC@discussions.microsoft.com>
| I also receive the same msg when accessing my home page. I was able to run
| the latest version of Norton (12-10-2005) and have deleted the trojan.zlob.f.
| I was left with the damage from the viris and have tried everything to
| repair. The viris changes won't allow me to change the default. Certain
| internet addresses are now blocked (i.e. bank)
| "Hula" wrote:
|
It is not a virus (correct spelling); it is a Trojan, and is actually a new variant of the
SmitFraud Trojan.
Two part reply...
Part 1
-----------
Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click...click.php?id=1
http://www.bleepingcomputer.com/forums/topic36868.html
Part 2
-----------
Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
* * Please report back your results * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by david hooley on December 11th, 2005
I have encountered a very similar problem over the past two or three days.
It seems to me that a virus of some kind is being used to try and corner me
into purchasing an anti-viral, anti-popup programme that I don't need and can't
afford. It claims that my computer is affected by several dozen germs and
bacteria of various kinds, especially a trojan called
iworm-attck-v122.02a. Norton, adaware and spybot all agree that my computer is
clean - but still the pesky things popup. PUZZLING!!!
--
gideon fennell
"Hula" wrote:
> I keep receiving a message that my computer has been hijacked by the spyware
> "stealthSWs114.h!dll ver.4.442as18a". My homepage is affected and keeps going
> to "www.yoursystemupdate.com" instead of the set homepage. I tried both the
> Microsoft Beta scan and Ad-Ware by Lavasoft and neither have worked. There
> has never been spyware on the computer before and now there are naked ladies
> popping up!! HELP!!
- Posted by David H. Lipman on December 11th, 2005
From: "david hooley" <davidhooley@discussions.microsoft.com>
| I have encountered a very similar problem over the past two or three days.
| It seems to me that a virus of some kind is being used to try and corner me
| into purchasing an anti-viral, anti-popup programme that I don't need and can't
| afford. It claims that my computer is affected by several dozen germs and
| bacteria of various kinds, especially a trojan called
| iworm-attck-v122.02a. Norton, adaware and spybot all agree that my computer is
| clean - but still the pesky things popup. PUZZLING!!!
You are infected with adware/spyware making false claims to get you to purchase other
software, most likely a rogue anti-spyware application.
Are you using Ad-aware SE v1.06 and SpyBot Search and Destroy v1.4? If they are older
versions you need to remove the older versions and then install the latest versions and
update them and then scan in Safe Mode.
Download HiJack This! -- http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Create a log and post the log in one of the various forums where you can get expert advice
for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.geekstogo.com/forum/Malwa..._Here-f37.html
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/i...hp?showforum=5
{ borrowed from the alt.privacy.spyware News Group }
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Hula on December 11th, 2005
Dave - I tried the first thing you suggested but the problem is still there,
although it did delete 4 unwanted programs. I haven't tried cleaning in safe
mode - I'm not very good with computers - how do I go into safe mode to do
that??
Thanks!
- Posted by David H. Lipman on December 11th, 2005
From: "Hula" <Hula@discussions.microsoft.com>
| Dave - I tried the first thing you suggested but the problem is still there,
| although it did delete 4 unwanted programs. I haven't tried cleaning in safe
| mode - I'm not very good with computers - how do I go into safe mode to do
| that??
Like I said it is two phased.
Run both in Normal Mode.
Then run both again in Safe Mode.
Before going into Safe Mode, download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
After the McAfee AV scan completes, go into Safe Mode. Hit { tap } the F8 key as soon as
the PC begins to boot, immediately after any platform related screens are shown.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by goudelockb@yahoo.com on December 11th, 2005
I too am getting "www.yoursystemupdate.com" as my homepage instead of
yahoo or anything else I try. I've run six different spyware programs
and none have fixed this. spysweeper did remove the spyaxe problems
but not the homepage issue. I agree "HELP"
- Posted by Kerry Brown on December 11th, 2005
goudelockb@yahoo.com wrote:
> I too am getting "www.yoursystemupdate.com" as my homepage instead of
> yahoo or anything else I try. I've run six different spyware programs
> and none have fixed this. spysweeper did remove the spyaxe problems
> but not the homepage issue. I agree "HELP"
Follow David H Lipman's instructions earlier in this same thread.
Kerry
- Posted by Hula on December 11th, 2005
Okay - I just did them both again in normal mode and that got rid of the
homepage hijacker!!! But I am still getting popups saying that there has been
a security breach and there is spyware on my computer. I was unable to put my
computer into safe mode to do it again - I rebooted the computer and then
tapped F8 as soon as the PC began to boot - But it didn't work. Can you
please give me some more detailed instructions for that part. Thanks so much
you've been such a lifesaver!!
- Posted by Hula on December 11th, 2005
I followed David's instructions and it WORKED!! My homepage is back to
normal! Give it a shot!
"goudelockb@yahoo.com" wrote:
> I too am getting "www.yoursystemupdate.com" as my homepage instead of
> yahoo or anything else I try. I've run six different spyware programs
> and none have fixed this. spysweeper did remove the spyaxe problems
> but not the homepage issue. I agree "HELP"
>
>
- Posted by David H. Lipman on December 11th, 2005
From: "Hula" <Hula@discussions.microsoft.com>
| Okay - I just did them both again in normal mode and that got rid of the
| homepage hijacker!!! But I am still getting popups saying that there has been
| a security breach and there is spyware on my computer. I was unable to put my
| computer into safe mode to do it again - I rebooted the computer and then
| tapped F8 as soon as the PC began to boot - But it didn't work. Can you
| please give me some more detailed instructions for that part. Thanks so much
| you've been such a lifesaver!!
Well, that's basically it.
You're just not hitting [F8] at the right moment. Try to get to the [F8] a bit quicker, and
keep on tapping the key several more times.
An alternate method to get into Safe Mode:
A friend has a malware removal page on his web site with some good, alternative,
directions...
http://harrisonrj.home.comcast.net/s...Getting_Help
Go down 2/3 to 3/4 of the page and find...
"Step 6 – Restart into Safe Mode and Scan"
Did you go through a complete McAfee scan ?
Was there anything found showing in; C:\mcafee\ScanReport.HTML ?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by nskrepetos@yahoo.com on December 11th, 2005
Dave,
For the users having trouble getting into Safe Mode, remember we have
the free BootSafe application:
http://www.superadblocker.com/bootsafe.html
Supports all versions of Windows and is free. So far it has been well
received.
Nick Skrepetos
SuperAdBlocker.com
http://www.superadblocker.com
- Posted by David H. Lipman on December 12th, 2005
From: <nskrepetos@yahoo.com>
| Dave,
|
| For the users having trouble getting into Safe Mode, remember we have
| the free BootSafe application:
| http://www.superadblocker.com/bootsafe.html
|
| Supports all versions of Windows and is free. So far it has been well
| received.
|
| Nick Skrepetos
| SuperAdBlocker.com
| http://www.superadblocker.com
Do'h !
Yes I completely forgot about this -- Thanx Nick !
Hula:
Sorry Hula, I should have suggested Nick's utility. It is new and I forgot all about it.
I do suggest this utility to boot into Safe Mode.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by david hooley on December 12th, 2005
David,
Thank you very much for your last reply - which proved helpful up to a point.
I replaced my earlier versions of SpyBot and Ad-aware with those you
recommended, and ran them both in both modes. In Safe mode SpyBot detected
some five rogues and successfully removed four. Unfortunately, one -
Smitfraud-C remains resolutely immoveable.
And:-
I have just received a popup which I suspect, but can not be certain, is a
rogue: what should I do with it? It reads:-
CRITICAL ERROR
Attention! Security module responsible for popup windows blocking has been
deleted by computer virus. To block adware popups you need to download one of
the security patches published by our official partners:
WinAntiSpyware;WinAntiVirus Pro:& Spy Fighter.
Am I correct in being highly suspicious?
I run the Norton Antivirus & Firewall programmes, not the McAfee programme
you appear to recommend elsewhere.
Sincerely,
David Hooley
--
gideon fennell
- Posted by David H. Lipman on December 12th, 2005
From: "david hooley" <davidhooley@discussions.microsoft.com>
|
| David,
| Thank you very much for your last reply - which proved helpful up to a point.
| I replaced my earlier versions of SpyBot and Ad-aware with those you
| recommended, and ran them both in both modes. In Safe mode SpyBot detected
| some five rogues and successfully removed four. Unfortunately, one -
| Smitfraud-C remains resolutely immoveable.
| And:-
| I have just received a popup which I suspect, but can not be certain, is a
| rogue: what should I do with it? It reads:-
| CRITICAL ERROR
| Attention! Security module responsible for popup windows blocking has been
| deleted by computer virus. To block adware popups you need to download one of
| the security patches published by our official partners:
| WinAntiSpyware;WinAntiVirus Pro:& Spy Fighter.
|
| Am I correct in being highly suspicious?
|
| I run the Norton Antivirus & Firewall programmes, not the McAfee programme
| you appear to recommend elsewhere.
|
| Sincerely,
| David Hooley
Use the following two phase approach to remove the SmitFraud and its accomplices.
The solution in Part 2 does use a McAfee command line AV scanner and it does NOT need to
pre-exist on your PC.
All components will be downloaded for your use. Just take a note on the FireWall issue
noted in Part 2.
Run both in Normal Mode and then run them both in Safe Mode.
Part 1
-----------
Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click...click.php?id=1
http://www.bleepingcomputer.com/forums/topic36868.html
Part 2
-----------
Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Fitz on December 12th, 2005
And that is absolutely a neat program!
***
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23VE67or$FHA.216@TK2MSFTNGP15.phx.gbl...
> From: <nskrepetos@yahoo.com>
>
> | Dave,
> |
> | For the users having trouble getting into Safe Mode, remember we have
> | the free BootSafe application:
> | http://www.superadblocker.com/bootsafe.html
> |
> | Supports all versions of Windows and is free. So far it has been well
> | received.
> |
> | Nick Skrepetos
> | SuperAdBlocker.com
> | http://www.superadblocker.com
>
>
> Do'h !
>
> Yes I completely forgot about this -- Thanx Nick !
>
> Hula:
> Sorry Hula, I should have suggested Nick's utility. It is new and I
> forgot all about it.
>
> I do suggest this utility to boot into Safe Mode.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>