
Thread: Usurped Wallpaper and Pop Up Barrage

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Posts
    25

    Usurped Wallpaper and Pop Up Barrage

    I would like to know if Spybot can help me out of a pickle I find myself in.

    Yesterday I began to experience my first malware attack. I run Windows XP Pro with Avira Personal virus protection. My problems in some detail are as follows:

    My desktop wallpaper has been replaced with a red screen that contains the following message: "Warning your computer is under attack. Your computer is infected by anonymous spyware program.

    Operating system has several fatal errors due to spyware activity. It is strongly recommended to install anti-spyware software to eliminate all security vulnerabilities. Click HERE to protect your PC".

    The word HERE in the above statement is a link to http://antispyspider.us/130 When I go to the Desktop tab in the Display Properties Box I find a new background, "index". The mini icon preceding it is an Internet Explorer icon.

    I get two types of system warning popups that appear every few minutes although the rate varies. The first is a fairly large box that is centered in the middle of the screen. It will have a title and a text component. There are three versions of the message that are displayed randomly.

    Title: "Spyware activity is found on your computer." Text: "Your privacy settings are compromised. It is highly recommended to install antispyware solution."

    Title: "Your system is working slowly." Text: "It is recommended to update your antispyware protection to prevent data loss. Please update most up to date antispyware for you."

    Title: "Your computer is not protected against spyware." Text: "Somebody trying to access to your PC and collect privacy information. Download antispware applications."

    Whenever I click the close box arrow an Internet Explorer window will open that takes me to http://antispyspider.us/130

    The other variety of popup is a smaller box just above the small process icons at the far right of the task bar. A new icon appears: a yellow triangle with a black exclamation point. A small box with a drop pointer to the icon presents three messages that are displayed randomly.

    Title: "Windows Security Manager." Text: "Your computer is running slow due to malware activity."

    Title: "Windows Security Error." Text: "Windows has detected spyware."

    Title: "Windows Defender." Text: "Internet attack attempt detected."

    Whenever I click the close box arrow an Internet Explorer window will open that takes me to http://antispyspider.us/130

    One other symptom seems to be that the attacking software will not allow me to download a program called smitfraudfix.exe from any of the sites I found that provide it. I have had no problem in downloading other programs, but I get a message saying something along the lines that Firefox cannot find the file. I have been able to download the program on an uncontaminated computer.

    Recently, the Internet Explorer window has seemed to be appearing without a preceding popup of either variety. The links seem to be becoming more sophisticated in imitating Microsoft resources.

    I have scanned my entire system with my antivirus program, Avira AntiVir Personal. It found several viruses and I deleted the affected files. I downloaded a program recommended in Wikipedia to detect spyware (SpyHunter). It will scan in the form it was downloaded but must be activated to purge spyware. I started a scan with it but stopped when it seemed to be doing the same thing my antivirus program had done.

    I am reluctant to experiment with a product as arcane as smitfraudfix.exe. Will Spybot do the job I need done on its own, or do I have to use something like this standalone product to clean my system first?

    Thanks for any guidance in dealing with this situation.

  2. #2
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    First of all, please do NOT use SmitFraudFix without supervision! It is crucial that an experienced malware expert gives you the adequate instructions to run it.

    From your symptoms... you may be infected with the Virtumonde/SmitFraud trojan. It's possible that it is both. The SmitFraud trojan hijacks IE homepages, installs additional malware, changes the desktop wallpaper. Virtumonde shows pop-ups.

    Do you have a firewall? I'm assuming you are running Windows XP OS. Is it patched? Is AntiVir updated? Have you run a scan with Spybot-Search&Destroy?

    -----
    Consider posting in the Malware Removal forum and having someone take a look at your system.

    If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:
    -----

    Sorry to hear about that. The best bet to repair your computer is to visit the Malware Forums.

    Read the BEFORE YOU POST first. Following the instructions, post a HIJACK LOG and start your thread. Good luck.

  3. #3
    Junior Member
    Join Date
    Jun 2008
    Posts
    25

    Further developments

    I am in the process of collecting information to create an entry in the malware removal forum. I am running the Kaspersky Online scan and it seems like it will take a long time.

    I would like advice regarding several new developments:

    When I press the Ctrl/Alt/Del keys I am told that the Task Manager has been disabled by the System Administrator. (Is there any way to reactivate the Task Manager?)

    When I start depressing the F8 key after the first beep during startup, I am presented with the option of choosing the boot device. When I select the C: drive, the system goes directly to normal start up without presenting a menu that includes safe mode. (Is there an alternate way of invoking safe mode?)

    After downloading, installing, and updating Spybot, I ran my first scan. The process seemed to be proceeding normally until the status line showed this message: "Running bot check [156787/156787: Firefox - default - bookmarks]". The program seemed to be locked at this point. After more than 15 minutes of no apparent activity, I stopped the scan. The list of critical problem conditions included a couple of dozen critical threats. I hit the Fix selected problems button. The program started to correct the problems but after a brief period locked up. I was told that it was no longer responding.

    Is there anything else that I could or should be doing?

  4. #4
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    The disabled Task Manager may be the job of the malware on your computer.

    Can you give a few examples of what Spybot found during the scan?
    What version are you using? (HELP>ABOUT)
    Usually there will be a changed registry key detected by Spybot. If it is found, fix it.

    Also, are you the only account on the computer?

    Go to Mozilla Firefox. Click on the TOOLS tab and click on CLEAR PRIVATE DATA. Be sure "cache" and cookies are checked. Then click OK.

    Are you presented with any other actions besides C:\ drive when you tap F8?

  5. #5
    Junior Member
    Join Date
    Jun 2008
    Posts
    25

    Followup Answers and New Developments

    I figured that the malware was blocking Task Manager. I was hoping that I could reverse or override its action.

    I am using the latest version (1.5.2.20) and I checked for updates before I ran it. I hit a period last evening when it seemed like the popups were letting up, so I ran the Spybot scan again. I encountered the same problem when it was almost complete, with it hanging on the Firefox default bookmarks message. This time when I stopped the scan, the report showed 24 critical problems with 161 entries. I again hit the Fix Selected Problems button. This time the program was able to correct all the errors. I grabbed the program log and terminated the program. I had hoped that this may have corrected my problems, but no such luck.

    Problems identified by Spybot: AdRevolver, Advertising.com, BFast, BurstMedia, CasaleMedia, Commission Junction, CoreMetrics, DoubleClick, Excite, FastClick, HitBox, LinkSynergy, Matchcraft, MediaPlex, Microsoft.Windows.Security.InternetExplorer, Microsoft.Windows.Security.Center.Registry, Microsoft.Windows.Security.Center.TaskManager, Right Media, Statcounter, TargetNet, ValueClick, WebTrends live, WildTangent, Win32.Bancos.zm, Zedo. The three Microsoft problems all referred to registry changes.

    I am the administrative user. There are three other user accounts.

    The F8 key on startup produced a list of all the various disk drives on the system: the two internal hard drives, the CDR, the floppy, etc.

    I have just spent 15 hours doing the Kaspersky scan. It has completed, but there is no "Save as text" button anywhere to be found. When I pass my cursor over the window that the scan ran in, the message "Error on page" appears in the status line. Where should I be looking for the "Save as text" button? I will try to keep the Kaspersky window open until I receive a response.
    Last edited by gmb283; 2008-06-07 at 21:05.

  6. #6
    Junior Member
    Join Date
    Jun 2008
    Posts
    25

    One additional word of clarification

    Regarding the Kaspersky scan problem I mentioned at the end of the last post: The program shows 100% at the far right of the task bar. The "Stop Scan" button is still displayed, even though the scan seems complete. I suspect that that button should become the "Save as text" button.

  7. #7
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Confirmed.

    Microsoft.Windows.Security.InternetExplorer, Microsoft.Windows.Security.Center.Registry, Microsoft.Windows.Security.Center.TaskManager

    are all registry changes. This will explain why the TaskManager would not come up. Spybot was able to fix the problems? Can you open TaskManager?

    As for the IE and Registry entries being detected... I'm not so sure what it is. But I'm sure that it is a sign that something was changed. A majority of the other detected entries are tracking cookies, which basically "track" your web browsing, like the web pages you visit. Nowadays... cookies may even track what you type in your Search Engine... sadly.

    As for the Win32.Bancos.zm I got three different entries. It could be either a malware, trojan, or spyware.

    As for the Kaspersky scan... did it find anything?

    As for the Safe Mode, I've run out of ideas... is your primary drive "C:\"? So the PC boots in normal mode if you should use the C drive?
    -----
    The best I can do is to advise you to get a Hijack log and immediately start your thread. Your computer is infected.

    And for an all-in-one remover of... cookies, cache, temp. files, Recycle Bin, I would recommend CCleaner or ATF Cleaner. They both do a good job at removing "gunk".

    I wish you best of luck.
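
Added example, not part of the thread and not Spybot's own logic: a small offline audit of a regedit text export that flags the well-known Windows policy values behind symptoms like the "Task Manager has been disabled" message discussed above. The sample export is constructed, and the assumption that Spybot's three Microsoft.Windows.Security.* detections correspond to these particular values is this example's, not the posters'.

```python
import re

# Well-known Windows policy values; a non-zero DWORD turns the restriction on.
# Which of these Spybot reports under each detection name is an assumption here.
WATCHED = {
    r"software\microsoft\windows\currentversion\policies\system": {
        "disabletaskmgr": "Task Manager disabled by policy",
        "disableregistrytools": "Registry Editor disabled by policy",
    },
    r"software\microsoft\security center": {
        "antivirusdisablenotify": "Security Center antivirus alerts suppressed",
        "firewalldisablenotify": "Security Center firewall alerts suppressed",
        "updatesdisablenotify": "Security Center update alerts suppressed",
    },
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{1,8})\s*$')

def audit_reg_export(text):
    """Return (key, value name, finding) for each watched value set non-zero.
    `text` is an already-decoded export (regedit 5.00 files are UTF-16)."""
    findings, current_key, watched = [], None, {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            # endswith() also matches per-user hives such as HKEY_USERS\<SID>\...
            watched = next((v for k, v in WATCHED.items()
                            if current_key.lower().endswith("\\" + k)), {})
            continue
        m = DWORD_RE.match(line)
        if m and m.group("name").lower() in watched and int(m.group("val"), 16) != 0:
            findings.append((current_key, m.group("name"),
                             watched[m.group("name").lower()]))
    return findings

# Constructed sample export for illustration only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, finding in audit_reg_export(SAMPLE):
        print(f"{finding}: {key}\\{name}")
```

A flagged value shows which restriction is in force; it does not by itself show what set it, so the findings belong alongside the HijackThis log rather than in place of it.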
