OHPE Ver 4.12_23 'Your computer is infected with spyware managing popup ads' Spywarequake

Posted by news.rcn.com on June 12, 2006, 8:28 am
Not sure if these two issues are related but on Thursday I installed PC
Relocator and immediately I got some kind of virus demanding that I buy some
annoying spyware program which pops up every few seconds; leaving me in no
doubt that THIS is the very spyware program which has caused the problem.
The popup appears every ten seconds or so from an exclamation mark in a
yellow triangle which has appeared in my systray along with (at the other
end of the tray to give the impression it isn't related!) a red circle with
a line through it which alternates with a green wheel chair.

In addition every few minutes I get a red flashing error message just above
the red circle telling me that I have a virus infection and a mock system
warning in the centre of the screen demanding that I buy its virus
protection because it has supposedly found 4 errors.

Tried googling OHPE Ver 4.12_23 'Your computer is infected with spyware
managing popup ads' and all I found was that sometime around last November
lots of people had this hi-jacking problem which no one seemed to be able to
cure. Admittedly since that time I have gone over from NIS to AVG. But I am
a bit surprised that neither Spybot nor Adaware have managed to counter it
yet if it has been around for so long?

I have a very advanced hosts file which blocks out most dangerous sites and
ads and when I try to identify which rogue program has infected my computer,
the IE page is redirected to 127.0.0.1. Sometimes I come back to my
computer after a few hours and find up to 27 IE screens open, all with a
Yahoo toolbar which I never installed and all blank of course. However
clicking on the red Critical System Error which pops up every ten minutes
brings up a Spywarequake page demanding that I buy their product to get rid
of whatever they managed to install on my computer.

I have run Trend, Kaspersky and (I think) Sophos from AV-CLS and
coincidentally my anti-virus program which helpfully didn't stop this from
coming in (AVG) keeps duly reporting viruses (something called TROJAN HORSE
DIALER.btg) which it says it is healing. This may be just coincidence
although the incidence of detected viruses has increased markedly since
Thursday. Prior to then, virtually none, since then sometimes 5-20 a day and
both supposedly in emails and in my IE Temporary folder when IE hasn't even
been opened.

Is there any way of ridding myself of this and reporting the offending
company to the appropriate authorities?

I am also obviously worried about relocating anything to a new computer with
a virus! This program has also done something to my Outlook which now both
reports untruly that it wasn't closed properly last time and runs a very
slow mini-scanpst on all folders each time I open it AND then goes into
Outlook with the Outlook splash screen still open in the centre of the
window, preventing the whole program from running.



Posted by David W. Hodgins on June 12, 2006, 9:27 am
On Mon, 12 Jun 2006 08:28:27 -0400, news.rcn.com <news.rnc.com> wrote:

> brings up a Spywarequake page demanding that I buy their product to get rid

See http://www.symantec.com/avcenter/venc/data/spywarequake.html or
http://www.bleepingcomputer.com/forums/topic47826.html

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Posted by news.rcn.com on June 12, 2006, 1:03 pm
Which is in progress at the moment. I also 'spent' an hour or so on hold
with Microsoft (I had THEM on hold) trying to tell them about the fact that
this virus was getting past their much vaunted security analysis site; but
in the end had to go off and take a shower and missed when they actually
answered. But I can't help but also wonder why Trend Micro, AVG, Kaspersky
etc also didn't see this infection there?

"David W. Hodgins"
> http://www.bleepingcomputer.com/forums/topic47826.html
>
> Regards, Dave Hodgins
>
> --
> Change nomail.afraid.org to ody.ca to reply by email.
> (nomail.afraid.org has been set up specifically for
> use in usenet. Feel free to use it yourself.)



Posted by news.rcn.com on June 12, 2006, 4:59 pm
Are these real viruses? This is an extract of what Sophos found, my having
run Trend, Kaspersky, AVG, etc and found nothing:

Could not open c:\WINDOWS\SYSTEM32\config\system.LOG
>>> Virus 'Troj/Nebuler-B' found in file c:\WINDOWS\SYSTEM32\winayt32.dll
Removal failed
Could not open c:\WINDOWS\temp\win22.tmp.exe
Could not open c:\WINDOWS\temp\win23.tmp
>>> Virus 'Troj/Schk-Gen' found in file c:\WINDOWS\bundles\cbwau.exe
Removal successful
>>> Virus 'Troj/FakeVir-Q' found in file c:\System Volume Information\_restore\RP342\A0057467.dll
Removal successful
>>> Virus 'Troj/FakeVir-Q' found in file c:\System Volume Information\_restore\RP343\A0058578.dll
Removal successful
>>> Virus 'Troj/Zlob-NN' found in file c:\System Volume Information\_restore\RP344\A0058629.exe
Removal successful
>>> Virus 'Troj/Schk-Gen' found in file c:\System Volume Information\_restore\RP344\A0058724.exe
Removal successful



Posted by David H. Lipman on June 12, 2006, 7:26 pm
From: "news.rcn.com" <news.rnc.com>

| Are these real viruses? This is an extract of what Sophos found, my having
| run Trend, Kaspersky, AVG, etc and found nothing:
|
| Could not open c:\WINDOWS\SYSTEM32\config\system.LOG
| >>> Virus 'Troj/Nebuler-B' found in file c:\WINDOWS\SYSTEM32\winayt32.dll
| Removal failed
| Could not open c:\WINDOWS\temp\win22.tmp.exe
| Could not open c:\WINDOWS\temp\win23.tmp
| >>> Virus 'Troj/Schk-Gen' found in file c:\WINDOWS\bundles\cbwau.exe
| Removal successful
| >>> Virus 'Troj/FakeVir-Q' found in file c:\System Volume Information\_restore\RP342\A0057467.dll
| Removal successful
| >>> Virus 'Troj/FakeVir-Q' found in file c:\System Volume Information\_restore\RP343\A0058578.dll
| Removal successful
| >>> Virus 'Troj/Zlob-NN' found in file c:\System Volume Information\_restore\RP344\A0058629.exe
| Removal successful
| >>> Virus 'Troj/Schk-Gen' found in file c:\System Volume Information\_restore\RP344\A0058724.exe
| Removal successful
|

Oh yeah, they're real. Many found in the System Restore cache.
C:\System Volume Information\_restore

'Troj/FakeVir-Q' and 'Troj/Zlob-NN' are why you were subsequently infected with
the SpywareQuake malware.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being
exploited. This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun
Java to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version
5.0 Update 7 be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to enable WGET.EXE to download the needed McAfee related
files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it
will be displayed in your browser (Opera, FireFox or Internet Explorer).
However, if you are using WinXP, Win2K or Win2003 your system will be left in a
state where you will have to manually shutdown/reboot the PC. On Win9x/ME
platforms the report will not be shown in your browser but your PC will
automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of
the HTML report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
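
A triage of the scanner extract discussed in this thread, as an added example that is not part of any poster's message: it rejoins the wrapped `>>>` path lines, then separates detections whose removal failed from those removed from live paths and from copies held in the System Restore cache (C:\System Volume Information\_restore). The sample log is constructed from lines quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: scanner lines quoted in the thread, including the
# newsreader wrap that splits "c:\System Volume Information" over two lines.
SAMPLE_LOG = r"""
>>> Virus 'Troj/Nebuler-B' found in file c:\WINDOWS\SYSTEM32\winayt32.dll
Removal failed
Could not open c:\WINDOWS\temp\win22.tmp.exe
>>> Virus 'Troj/Schk-Gen' found in file c:\WINDOWS\bundles\cbwau.exe
Removal successful
>>> Virus 'Troj/FakeVir-Q' found in file c:\System Volume
>>> Information\_restore\RP342\A0057467.dll
Removal successful
>>> Virus 'Troj/Zlob-NN' found in file c:\System Volume
>>> Information\_restore\RP344\A0058629.exe
Removal successful
"""

FOUND = re.compile(r"^>>>\s*Virus '([^']+)' found in file (.+)$")
RESTORE = re.compile(r"\\System Volume Information\\_restore\\", re.I)

def parse_scan_log(text):
    """Return (detections, unopened) parsed from the scanner output."""
    detections, unopened = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND.match(line)
        if m:
            detections.append({"name": m.group(1), "path": m.group(2).strip(),
                               "removed": None})
        elif line.startswith(">>>") and detections and detections[-1]["removed"] is None:
            # Wrapped continuation of the previous detection's path.
            detections[-1]["path"] += " " + line.lstrip(">").strip()
        elif line.startswith("Removal ") and detections:
            detections[-1]["removed"] = line == "Removal successful"
        elif line.startswith("Could not open "):
            unopened.append(line[len("Could not open "):])
    for d in detections:
        d["in_restore_cache"] = bool(RESTORE.search(d["path"]))
    return detections, unopened

def triage(text):
    detections, unopened = parse_scan_log(text)
    return {
        "still_present": [d for d in detections if not d["removed"]],
        "live_removed": [d for d in detections if d["removed"] and not d["in_restore_cache"]],
        "restore_cache": [d for d in detections if d["in_restore_cache"]],
        "unscanned": unopened,
    }
```

Entries under `still_present` and `unscanned` are the ones a follow-up scan, for example in Safe Mode as suggested above, still has to deal with.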


