Topic: Spyware Infection

Jim Cohen
From: Philadelphia, PA
Posted 13 Oct 2008 4:53 am
I keep getting a suspicious popup saying: "Windows Has Detected Spyware Infection! It is recommended to use special antispyware tools to pervent [sic] data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!"
I should have noticed the misspelling of 'prevent' as 'pervent' and the awkward English ('It is recommended to...'), but I did click on the box to install the antispyware. But upon doing that, I get another popup saying 'XP Antispyware Module' and saying it has encountered a problem and needs to close, and do I want to tell Microsoft about this problem (click Yes or No). I think the whole deal is a sham. I'm not sure whether clicking the box actually did, or didn't, install anything at all.
My AVG (free version 7.5) reported some stuff last night and it was healed and then deleted. But the popup boxes described above continue unabated. I downloaded the latest AVG definitions update and I'm re-running AVG. So far it says 'no threats detected' but it is listing 'shell32.dll' in the results box with 'change' listed in the 'Result/Infection' column (yet it still says 'no threats detected'... so why is this file listed at all and what does 'change' mean?)
I've also run AOL's 'Spyware Protection' program with the latest updates, and it found nothing. Yet the popups continue.
What's a mother to do?
_________________
www.JimCohen.com
www.RonstadtRevue.com
www.BeatsWalkin.com
John Roche
From: England

Wiz Feinberg
From: Mid-Michigan, USA
Posted 13 Oct 2008 8:13 am
Jim;
You are infected with rogue anti-spyware (fraudware). It itself is the infection it refers to. One part displays notices about your computer being compromised, while the other part pretends to remove the infections. SUPERAntiSpyware should detect and remove it, but update it first, in case this is a new variant of the threat.
Unfortunately, if you have paid to use the recommended anti-spyware, your credit card is now in the hands of Russian criminals and will be used to its limit, or sold to other criminals, or wannabes.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Jim Cohen
From: Philadelphia, PA
Posted 13 Oct 2008 6:11 pm
John, Wiz, I downloaded the free version of SuperAntiSpyware, updated it and ran it and it seems to have cured the problem (it found hundreds of tainted files, mostly adware). Many thanks for your help.
Jim
_________________
www.JimCohen.com
www.RonstadtRevue.com
www.BeatsWalkin.com
Ron Page
From: Penn Yan, NY USA
Posted 18 Oct 2008 5:17 am
This morning I have the same problem. Only I can't seem to get the SuperAntiSpyware to start up. The infection seems to have it blocked. I had to download it to my laptop and then transfer it with a USB stick. Is there a trick to getting the infection out of the way to do the repair?
It also won't let me run System Restore and seems to have disabled Norton AV.
_________________
HagFan
Emmons Lashley LeGrande II
Wiz Feinberg
From: Mid-Michigan, USA
Posted 18 Oct 2008 7:53 am
This infection (rogue anti-spyware) requires a specialized tool named MalwareBytes Anti-Malware. You should download, install, update and scan all drives with MalwareBytes Anti-Malware. There are free and paid versions of the program. For one-time use the free one will do. For real-time protection the paid version is a fine product and is often recommended by spyware removal forums.
I will be telling you more about MalwareBytes Anti-Malware soon, after testing the product on my own computers. I would appreciate feedback about its effectiveness in removing the above-mentioned fraudulent antispyware infections and any others it targets.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Ron Page
From: Penn Yan, NY USA
Posted 19 Oct 2008 3:41 am
I was able to get the SuperAntiSpyware to load and run after checking their FAQs. You have to rename the installer executable and then, after the install, you also rename the executable.
However, before I could check for updates I had to use their SafeBoot option to boot in Safe Mode with the network.
Even after that I noticed some lingering effects, such as it wanted to change my home page to a site probably spoofing Google; System Restore would not work, and the Control Panels would not give me the option to switch to the newer XP mode instead of Classic. So I backed up My Documents to a 2nd drive and did a complete reinstall from my Automated System Recovery diskette and external backup.
My only mistake was I should have backed up "Documents and Settings" instead of just My Documents. That's where a lot of the application data and e-mail is. I've lost a couple of months of e-mail, my backup being from August.
So hopefully the MalWare package can more fully reset things if yours gets as far gone as mine seemed.
Thanks for all the help. With your help my recovery would have been 100% if I hadn't gotten distracted when setting up the backup of my data files.
_________________
HagFan
Emmons Lashley LeGrande II