Usurped Wallpaper and Pop Up Barrage



gmb283
2008-06-06, 04:24
I would like to know if Spybot can help me out of a pickle I find myself in.

Yesterday I began to experience my first malware attack. I run Windows XP Pro with Avira Personal virus protection. My problems in some detail are as follows:

My desktop wallpaper has been replaced with a red screen that contains the following message: "Warning your computer is under attack. Your computer is infected by anonymous spyware program.

Operating system has several fatal errors due to spyware activity. It is strongly recommended to install anti-spyware software to eliminate all security vulnerabilities. Click HERE to protect your PC".

The word HERE in the above statement is a link to http://antispyspider.us/130. When I go to the Desktop tab in the Display Properties box I find a new background, "index". The mini icon preceding it is an Internet Explorer icon.

I get two types of system warning popups that appear every few minutes although the rate varies. The first is a fairly large box that is centered in the middle of the screen. It will have a title and a text component. There are three versions of the message that are displayed randomly.

Title: "Spyware activity is found on your computer." Text: "Your privacy settings are compromised. It is highly recommended to install antispyware solution."

Title: "Your system is working slowly." Text: "It is recommended to update your antispyware protection to prevent data loss. Please update most up to date antispyware for you."

Title: "Your computer is not protected against spyware." Text: "Somebody trying to access to your PC and collect privacy information. Download antispware applications."

Whenever I click the close box arrow an Internet Explorer window will open that takes me to http://antispyspider.us/130

The other variety of popup is a smaller box just above the small process icons at the far right of the task bar. A new icon appears: a yellow triangle with a black exclamation point. A small box with a drop pointer to the icon presents three messages that are displayed randomly.

Title: "Windows Security Manager." Text: "Your computer is running slow due to malware activity."

Title: "Windows Security Error." Text: "Windows has detected spyware."

Title: "Windows Defender." Text: "Internet attack attempt detected."

Whenever I click the close box arrow an Internet Explorer window will open that takes me to http://antispyspider.us/130

One other symptom seems to be that the attacking software will not allow me to download a program called smitfraudfix.exe from any of the sites I found that provide it. I have had no problem in downloading other programs, but I get a message saying something along the lines that Firefox can not find the file. I have been able to download the program on an uncontaminated computer.

Recently, the Internet Explorer window has seemed to be appearing without a preceding popup of either variety. The links seem to be becoming more sophisticated in imitating Microsoft resources.

I have scanned my entire system with my anti virus program Avira AntiVir Personal. It found several viruses and I deleted the affected files. I downloaded a program recommended in Wikipedia to detect spyware (SpyHunter). It will scan in the form it was downloaded but must be activated to purge spyware. I started a scan with it but stopped when it seemed to be doing the same thing my anti virus program had done.

I am reluctant to experiment with a product as arcane as smitfraudfix.exe. Will Spybot do the job I need done on its own, or do I have to use something like this stand alone product to clean my system first?

Thanks for any guidance in dealing with this situation.

drragostea
2008-06-06, 05:29
First of all, please do NOT use SmitFraudFix without supervision! It is crucial that an experienced malware expert gives you the adequate instructions to run it.

From your symptoms... you may be infected with the Virtumonde/SmitFraud trojan. It's possible that it is both. The SmitFraud trojan hijacks IE homepages, installs additional malware, changes the desktop wallpaper. Virtumonde shows pop-ups.

Do you have a firewall? I'm assuming you are running Windows XP OS. Is it patched? Is AntiVir updated? Have you run a scan with Spybot-Search&Destroy?

-----
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) ( http://forums.spybot.info/showthread.php?t=288).
-----

Sorry to hear about that. The best bet to repair your computer is to visit the Malware Forums.

Read the BEFORE YOU POST first. Following the instructions, post a HIJACK LOG and start your thread. Good luck.

gmb283
2008-06-06, 18:10
I am in the process of collecting information to create an entry in the malware removal forum. I am running the Kaspersky Online scan and it seems like it will take a long time.

I would like advice regarding several new developments:

When I press the Ctrl/Alt/Del keys I am told that the Task Manager has been disabled by the System Administrator. (Is there any way to reactivate the Task Manager?)

When I start depressing the F8 key after the first beep during startup, I am presented with the option of choosing the boot device. When I select the C: drive, the system goes directly to normal start up without presenting a menu that includes safe mode. (Is there an alternate way of invoking safe mode?)

After downloading, installing, and updating Spybot, I ran my first scan. The process seemed to be proceeding normally until the status line showed this message: "Running bot check [156787/156787: Firefox - default - bookmarks]". The program seemed to be locked at this point. After more than 15 minutes of no apparent activity, I stopped the scan. The list of critical problem conditions included a couple of dozen critical threats. I hit the Fix selected problems button. The program started to correct the problems but after a brief period locked up. I was told that it was no longer responding.

Is there anything else that I could or should be doing?

drragostea
2008-06-07, 03:11
The disabled Task Manager may be the job of the malware on your computer.

Can you give a few examples of what Spybot found during the scan?
What version are you using? (HELP>ABOUT)
Usually there will be a changed registry key detected by Spybot. If it is found fix it.

Also, are you the only account on the computer?

Go to Mozilla Firefox. Click on the TOOLS tab and click on CLEAR PRIVATE DATA and press okay. Be sure that "cache" and cookies are checked. Then click OK.

Are you presented with any other actions besides C:\ drive when you tap F8?

gmb283
2008-06-07, 21:01
I figured that the malware was blocking Task Manager. I was hoping that I could reverse or override its action.

I am using the latest version (1.5.2.20) and I checked for updates before I ran it. I hit a period last evening when it seemed like the popups were letting up, so I ran the Spybot scan again. I encountered the same problem when it was almost complete with it hanging on the Firefox default bookmarks message. This time when I stopped the scan, the report showed 24 critical problems with 161 entries. I again hit the Fix Selected Problems button. This time the program was able to correct all the errors. I grabbed the program log and terminated the program. I had hoped that this may have corrected my problems, but no such luck.

Problems identified by Spybot: AdRevolver, Advertising.com, BFast, BurstMedia, CasaleMedia, Commission Junction, CoreMetrics, DoubleClick, Excite, FastClick, HitBox, LinkSynergy, Matchcraft, MediaPlex, Microsoft.Windows.Security.InternetExplorer, Microsoft.Windows.Security.Center.Registry, Microsoft.Windows.Security.Center.TaskManager, Right Media, Statcounter, TargetNet, ValueClick, WebTrends Live, WildTangent, Win32.Bancos.zm, Zedo. The three Microsoft problems all referred to registry changes.

I am the administrative user. There are three other user accounts.

The F8 key on startup produced a list of all the various disk drives on the system: the two internal hard drives, the CDR, the floppy, etc.

I have just spent 15 hours doing the Kaspersky scan. It has completed, but there is no "Save as text" button anywhere to be found. When I pass my cursor over the window that the scan ran in, the message "Error on page" appears in the status line. Where should I be looking for the "Save as text" button? I will try to keep the Kaspersky window open until I receive a response.

gmb283
2008-06-07, 23:39
Regarding the Kaspersky scan problem I mentioned at the end of the last post: The program shows 100% at the far right of the task bar. The "Stop Scan" button is still displayed, even though the scan seems complete. I suspect that that button should become the "Save as text" button.

drragostea
2008-06-08, 02:36
Confirmed.

Microsoft.Windows.Security.InternetExplorer, Microsoft.Windows.Security.Center.Registry, Microsoft.Windows.Security.Center.TaskManager

are all registry changes. This will explain why the TaskManager would not come up. Spybot was able to fix the problems? Can you open TaskManager?

As for the IE and Registry entries being detected... I'm not so sure what it is. But I'm sure that it signs that something was changed. A majority of the other detected entries are tracking cookies, which basically "track" your web browsing, like the web pages you visit. Nowadays... cookies may even track what you type in your search engine... sadly.

As for the Win32.Bancos.zm I got three different entries. It could be either malware, a trojan, or spyware.

As for the Kaspersky scan... did it find anything?

As for the Safe Mode I've run out of ideas...:sad: is your primary drive "C:\"? So the PC boots in normal mode if you choose the C drive?
-----
The best I can do is to advise you to get a Hijack log and immediately start your thread. Your computer is infected.

And for an all-in-one remover of... cookies, cache, temp. files, Recycle Bin, I would recommend CCleaner or ATF Cleaner. They both do a good job at removing "gunk".

I wish you the best of luck.
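The registry changes drragostea mentions (the disabled Task Manager, the replaced wallpaper, the Security Center entries) can be audited read-only before any fix is attempted. The script below is an added example, not from this thread or from Spybot; it assumes PowerShell is available on the machine being examined (an XP box may not have it), and it checks the standard policy, wallpaper, Active Desktop and Security Center values that this kind of hijack commonly alters.

```powershell
# Added example: read-only audit of the per-user and machine registry values
# a SmitFraud-style hijack commonly alters. Assumes PowerShell is installed.
# It only reports; it changes nothing.

$findings = @()

# 1. "Task Manager has been disabled by the System Administrator" is the
#    DisableTaskMgr policy; DisableRegistryTools blocks regedit the same way.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    if ($p -and $p.$name -eq 1) {
        $findings += "$name = 1 under $policy"
    }
}

# 2. A wallpaper that is really an HTML page (the "index" entry with an IE
#    icon), or an Active Desktop component whose Source points at one.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desk -and $desk.Wallpaper -match '\.html?$') {
    $findings += "Wallpaper is an HTML file: $($desk.Wallpaper)"
}
$comps = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
Get-ChildItem -Path $comps -ErrorAction SilentlyContinue | ForEach-Object {
    $src = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Source
    if ($src) { $findings += "Active Desktop component $($_.PSChildName) -> $src" }
}

# 3. Security Center warnings silenced, so the rogue's own popups are the
#    only "alerts" the user sees.
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc -and $sc.$name -eq 1) { $findings += "Security Center: $name = 1" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No hijack indicators found in the checked keys.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Findings from this audit belong in the malware removal thread alongside the HijackThis log; they identify what was changed but do not remove the component that keeps changing it back.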

gmb283
2008-06-09, 00:33
I'm taking your advice and moving this problem over to the malware removal forum.

The link to my problem over there is:

http://forums.spybot.info/showthread.php?t=29231

Thanks

drragostea
2008-06-09, 00:56
As for the Malware Forums thread you are doing fine.

I would suggest you use CCleaner or ATF Cleaner to clean the temp. files, cookies, and cache out of your browsers. The cookies may be a nuisance. So I usually clear my browsers after every session.

After cleaning, Spybot shouldn't detect any more cookies. Cookies like AdRevolver, Zedo, BurstMedia, etc. can be deleted with ease.

To download either software... you can just Google it (or with your favorite search engine). However, that will be up to user decision.

Best Regards.

Edit: I read your thread in the Malware Forums... 144 infected objects... not so good :sad:.

Is Spybot still detecting anything?