Can't Remove Spyware - Help



learning
19-05-2008, 04:43 PM
I have got spyware on my PC somehow and now I can't get it off.
It is displaying a splash screen on the desktop saying the PC is affected with spyware and to click here for an anti-spyware download. It keeps popping up balloons every few minutes reminding me the PC has spyware. Seems like spyware is on the PC promoting an anti-spyware software to be downloaded.

Ran NAV and it didn't pick up anything.

Ran Spybot with the latest update and it comes up with a warning box that "Command Service has been shutdown" and the entry name is cmdservice.

Also I can't bring up Task Manager to see what's running in the background; when I do that now by Ctrl+Alt+Del I get the error "The Task Manager has been disabled by administrator".

When I try to update Windows Defender def files it says failed, as if the internet connection is not there. I can bring up webpages, although they are extremely slow.

Can anyone tell me an alternate way of bringing up Task Manager via CMD or some other way to get rid of this spyware?

Thanks

Speedy Gonzales
19-05-2008, 04:46 PM
Get RogueRemover in my sig, update it, then scan. See if it picks anything up.

Post a HJT log

wratterus
19-05-2008, 04:48 PM
NAV won't pick anything up, it's near to useless. Get rid of it if you can, it will make getting rid of this spyware infection easier, that's for sure.

Disable system restore, control panel/system properties/system restore.

You have Smitfraud; first thing to do is boot up in safe mode with networking (by tapping F8 on bootup), download SmitfraudFix (http://siri.geekstogo.com/), and run it through, options 1-3.

Then boot up normally, go to www.eset.com/onlinescan in IE, and do a scan with Eset NOD32. Make sure you tick both the boxes before running it.

Run CCleaner (http://www.ccleaner.com/) through, do a normal and registry scan.

Then post a HijackThis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) log, and take note if there are any files that NOD32 picked up but couldn't delete (not likely though).

learning
19-05-2008, 05:35 PM
Thanks Wratterus, I downloaded the SmitfraudFix file and when I run it in Safe Mode with Networking, nothing happens when I double-click on it. I tried the "run as" option and ran as admin; it gave the error "this service cannot be started in safe mode".
Any other way to fix this spyware?

I still cannot bring up Task Manager and get the error that it has been disabled by System Admin.


Thanks for any help

wratterus
19-05-2008, 05:37 PM
You saved http://siri.urz.free.fr/Fix/SmitfraudFix.exe to your desktop, in safe mode with networking, then ran it? I have never had that error message before, and I've used it hundreds of times.

That task manager message is caused by spyware, we can clean it off and fix this problem.
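
The "Task Manager has been disabled" lock-out discussed in this thread corresponds to a Windows policy value, DisableTaskMgr, under the Policies\System registry key (DisableRegistryTools does the same for regedit). As an added example that is not part of the original thread, this Python script parses `reg query` output for that key and lists the lock-out values that are switched on; the sample output and the function name are constructed for illustration.

```python
import re

# Constructed sample: output of
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
# followed by the same query against HKLM.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
    NoDispCPL    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    dontdisplaylastusername    REG_DWORD    0x0
    DisableTaskMgr    REG_DWORD    0x0
"""

# Policy values that block built-in tools when set to a non-zero DWORD.
LOCKOUT_VALUES = {
    "disabletaskmgr": "Task Manager blocked",
    "disableregistrytools": "Registry Editor blocked",
}
POLICY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\system"
# Value lines are indented; XP separates columns with tabs, later versions with spaces.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")

def find_lockouts(reg_query_output):
    """Return [(key, value_name, meaning)] for lock-out policies that are enabled."""
    findings, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):      # key header line
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        if not current_key.lower().endswith(POLICY_SUFFIX):
            continue                              # ignore unrelated keys
        name, reg_type, data = m.groups()
        meaning = LOCKOUT_VALUES.get(name.lower())
        if meaning is None or reg_type != "REG_DWORD":
            continue
        try:
            enabled = int(data, 16) != 0          # reg.exe prints DWORDs as 0x...
        except ValueError:
            continue                              # malformed data, skip
        if enabled:
            findings.append((current_key, name, meaning))
    return findings

if __name__ == "__main__":
    for key, name, meaning in find_lockouts(SAMPLE):
        print(f"{meaning}: {name} is set under {key}")
```
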

Speedy Gonzales
19-05-2008, 05:43 PM
I would use trojan remover in my sig. Install and update it then click on scan.

Then select all the options under the utilities menu, if task manager, the firewall, or regedit don't open. It's more than spyware.

wratterus
19-05-2008, 05:48 PM
Yer, use Trojan Remover after running SMF through. I know for a fact Trojan Remover doesn't get rid of most of smitfraud.

Speedy Gonzales
19-05-2008, 05:54 PM
Well it's got Trojan-Spy.HTML.Smitfraud.c and Trojan.FakeDesktop, b, c, and d in its database. Which says belongs to Trojan-Spy.HTML.Smitfraud.c

It'll probably fix task manager, regedit and the firewall tho (if they're disabled).

So you can use them

It may work better, IF you scan the hdd, not just click on scan in the program itself

learning
19-05-2008, 06:02 PM
Speedy, so which program should I use? "RogueRemover"? And what do you mean "I would use trojan remover in my sig."? What's in my sig? You mean download RogueRemover and update its def files and then run a scan?

I tried running SmitfraudFix but nothing happens. I double-click on it and the hourglass pops up for 1 sec and goes away and nothing happens.

I tried this in both Safe and normal mode

Speedy Gonzales
19-05-2008, 06:13 PM
Both, RogueRemover and Trojan Remover. They're in my sig in this post.

Click on the links, download the programs

Install both, click on update (to update both), then click on scan

Then in trojan remover select all of the options under utilities

Then open my computer / highlight c, then right mouse / scan with trojan remover

learning
19-05-2008, 06:14 PM
OK, now I can install RogueRemover fine but when I go to update the def files it gives an error that it could not update.....seems the spyware is blocking it from downloading updates.....and I don't think I can download definition files manually? I am using my laptop to download and then use a USB flash drive to transfer the install files to the infected desktop PC.

This is so frustrating arrrrrr.....I don't wanna end up reinstalling Windows.

wratterus
19-05-2008, 06:22 PM
You are running XP, right?

If so, try running winsockfix (http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml)

Or type netsh winsock reset into a command prompt.

And uninstall Nortons for now, it's gonna be messing with things too.

Speedy Gonzales
19-05-2008, 06:23 PM
Hmm you could be right, I can't see the RogueRemover updates on the site

Get Trojan Remover then (http://www.simplysup.com/download/dl/trsetup.exe) <-- direct link

Install it. Then scan for now, then select all options under utilities. Then click on update. This may at least fix task manager, so you can open it.

I'd be careful since you're using a USB flash drive, depending on what's on this system, if it can infect USB flash drives it will.

Can't u download (by clicking on links) on this computer that's got spyware?

learning
19-05-2008, 06:38 PM
No luck, I can't even install Trojan Remover; it says installation directory not found. I installed RogueRemover fine but am unable to update the def files.

This has become so frustrating. The SmitfraudFix doesn't even work - I double-click on it and nothing happens (in safe mode with networking).

There's no info on this from Symantec as well.


I might as well end up clean installing the OS - so frustrating arrrgh

But thanks for your help guys

wratterus
19-05-2008, 06:42 PM
Yeah, something is really messed up. :(

Looks like a reinstall may be the best option.

Make sure you do a full format of the HDD before reinstalling, and if you back up data be careful not to get anything infected with spyware/viruses and transferred to other PCs.

And when you reinstall, PLEASE PLEASE don't reinstall Nortons, it's crap.

If you are happy with paying for an antivirus, get NOD32.

Otherwise, get Avast, that's the best of the free AV software.

And if you're transferring data to a PC with Nortons installed, expect to get re-infected, Nortons won't stop it.

Speedy Gonzales
19-05-2008, 06:45 PM
WHERE in NZ are you??

Umm I could try CrossLoop to log into you remotely. That's if the PC that's got spyware can boot into safe mode with networking

(That's the PC you're talking about right)?? And that's if it'll connect with CrossLoop. Or if CrossLoop installs at all

Did you try installing Trojan Remover in normal Windows and safe mode??

Is CCleaner installed on this PC with spyware?? If it is, run it then go to tools / startup. Tell us what's there.

TonyF
19-05-2008, 07:53 PM
In his first message, learning says "It is displaying a splash screen on the desktop saying the PC is affected with spyware and to click here for an anti-spyware download."
Maybe learning has just got a bit of advertising and is not infected at all.
Cheers
Tony

peter pan
19-05-2008, 09:22 PM
Wratterus, what's your ***** with Nortons? I've been using it for years with no problems.

Speedy Gonzales
19-05-2008, 09:24 PM
Look in here and other forums, you'll see what's wrong with it

peter pan
19-05-2008, 09:55 PM
Could you tell me then why I have not had any trouble? I surf the net on average 3 hrs a day, and as I have said, no problems. I got my first computer 10 years ago and have run the complete Nortons suite. Could it be that maybe the cost is a big problem???

Speedy Gonzales
19-05-2008, 10:02 PM
Some people like using it, good for them. BUT most people I know use something better.

No, the cost isn't the prob, but why bother getting something expensive that you have to renew all the time. And installs bloatware.

Can slow a system down, just by running in the background. Hogs resources.

And when it dies or gets disabled, that's the end of it, it's dead

You may think it's working (when it gets disabled) when in fact it's dead, and it's doing nothing at all.

When you can get free AV programs and firewalls that are smaller and do a better job.

Even if I were a millionaire, I wouldn't buy any Nortons / Symantec program

wratterus
19-05-2008, 10:19 PM
I am getting so sick of explaining WHY Nortons should never be used.

Do a search for Nortons on this forum. You'll find pages and pages of reasons why it is basically a defective product and shouldn't be used.

peter pan
19-05-2008, 10:24 PM
Speedy, thanks for your views on Nortons but I will carry on using it as I think it is the best around, so tarathenoo.
PS: you only get what you pay for; if I win the lotto I will send you the Nortons Package

Speedy Gonzales
19-05-2008, 10:28 PM
No probs, well it's not only my views, of what I think of it.

It'd be most of the forum's views

But thanx for the offer, I'll chuck it on trademe :p

wainuitech
19-05-2008, 10:35 PM
You couldn't pay me to run Nortons, like so many other people here that help - it's been proven hundreds of times it's total rubbish, and misses LOTS of infections.

pctek
20-05-2008, 10:18 AM
> Yeah, something is really messed up. :(
>
> Looks like a reinstall may be the best option.


Hey come on, I've never had to reinstall yet to remove malware and I've had some seriously hijacked PCs.

wratterus
20-05-2008, 11:52 AM
Me neither, yet, but this chappy doesn't seem too keen on taking it to a real tech! :lol:

There's only so much you can do via a forum.

If you wanna have a go, be my (and I'm sure Speedy's) guest! ;)

Pancake
20-05-2008, 12:56 PM
OK. Let's get you fixed....

OK. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


---------------------------

Please download HijackThis to your desktop..

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

learning
20-05-2008, 01:49 PM
Thanks PanCake

Same thing happens with ComboFix.

I double-click on the file and nothing happens. This is when I boot up in Windows Safe Mode with Networking.


Interestingly the spyware error messages and pop-up balloons also come up in Safe Mode.

I think maybe this Smitfraud is a new revision or something, so it disables this fix from running.

Pancake
20-05-2008, 02:10 PM
Don't bother with safe mode.....go normal.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.


"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Don't forget the HJT log...

blanco
20-05-2008, 02:44 PM
Learning,
in similar circumstances I have
removed the malware simply by scanning
with Microsoft Malicious Software Extractor
when other tools have failed.
This prog is updated daily with MS Updates
and is available free from MS Downloads.
Worth a try... blanco.

learning
20-05-2008, 09:54 PM
I have tried the Run option and it momentarily flashes and nothing happens.

Same with MS Malicious remover - it starts extracting the file and then nothing happens.

Well, it was a P4 1.8GHz so I'm just getting a new one now as I was gonna replace it anyway and I can't be bothered sitting for hrs trying to reinstall the OS on the infected one.

BTW what's the best Antivirus & Anti-Spyware software available?
I don't want my brand new PC to be fckd again


thanks for your help

Speedy Gonzales
20-05-2008, 10:18 PM
Get Avast Home, it now includes antispyware / AV and Anti-rootkit

And it's free.

Only other thing you could do then is remove this hdd, and put it in a working system. Then scan it

SPARTAN 860
20-05-2008, 10:30 PM
Partition the drive if you can, then install XP with your disk on the new partition. Then you can install Avast and scan the infected partition. If the term 'partition' makes you go all dizzy, don't bother, just follow speedy's advice

Oh and this is addressed to the peter pan guy: he LIKES Norton. I used Norton once too, way back in 2002. It got infected (the Norton folder in Program Files). Got Avast and never looked back. NAV just cripples a system totally, it's like trying to run 5 games at once! (Well maybe not that bad, but you get what I mean.)