AntiSpyLab popups

Posted on 2006-05-17
Last Modified: 2010-04-11
Howdy, I work in the IT department for a decently sized company in Phoenix, AZ and this one is stumping me.  Kinda urgent so quick help is appreciated.

I'm getting these pop up notifications in the bottom right of the tool bar saying that the computer is infected with (insert fictional program here) Click to remove and it keeps taking me to this AntiSpyLab website telling me to pay to download their program and get rid of the virus.  

It seems to have taken over.  The default page for internet explorer is now the antispylab page and it will not let you click to change any of the settings for IE.  

This machine is running XP Pro Service Pack 2.  It's all updated.

So far I've run Ad-Aware and Symantec AntiVirus from safe mode.  Ad-Aware keeps picking things up and deleting them each time I run it, but it's proving unsuccessful for my issue.

Has anyone else experienced this?  How else can I get rid of this program/virus/trojan, whatever it is?  Thanks
Question by:Xaosob1
    LVL 32

    Expert Comment

    To identify the problem, please do the following:

    Download and run HijackThis from
    Copy-and-paste the resulting log back to that same web site (not here)
    Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
    Finally post a link here to the saved analyzed page.
    LVL 53

    Accepted Solution

    Hello there,

    Try using the following programs...

    Ewido -

    Spybot -

    Before running these programs make sure you turn off System Restore.

    Right click my computer
    Properties, System Restore tab
    Check the box Turn off System Restore.

    Run both programs in Safe Mode, but before scanning with Spybot in Safe Mode make sure you update it first in normal Windows mode.

    Hope this helps
    LVL 47

    Expert Comment

    Yeah, it would be a good idea if we look at a HijackThis log.

    AntiSpyLab is a variant of the Smitfraud family of infections.

    Please download SmitfraudFix:
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Next, please reboot your computer in Safe Mode by rebooting the computer
    and repeatedly tapping the F8 key as the PC starts. Choose "Safe Mode" from
    the options listed.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected
    You will be prompted : "Registry cleaning - Do you want to clean the
    registry?" answer "Yes" by typing Y and press "Enter" in order to remove
    the Desktop background and clean registry keys associated with the
    The tool will now check if wininet.dll is infected. You may be prompted to
    replace the infected file (if found); answer "Yes" by typing Y and press
    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.

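    The posts above describe the symptoms to look for (a hijacked IE start page, locked IE options, possibly a replaced wininet.dll) and tell the asker to run a fix tool. The script below is an added example, not part of this thread and not SmitfraudFix, that records that state with Windows PowerShell before any cleanup is run, so the findings can be compared with a HijackThis log or kept for an incident record. It assumes Windows PowerShell is installed on the affected machine; the registry locations are the standard Internet Explorer and policy keys, and the home-page lock values are the documented Group Policy values, not anything taken from this thread. Note the caveat in the comments: on older Windows versions system DLLs are catalog-signed, so a "NotSigned" result for wininet.dll is not on its own proof of tampering and should be checked against a known-good copy.

```powershell
# Added triage script (not from the thread, not SmitfraudFix). Collects the
# IE home-page settings, the policy values that lock the IE options UI, the
# Run-key autostarts and the Authenticode status of wininet.dll, so the state
# of the machine is recorded before a cleanup tool changes it.
# Assumption: Windows PowerShell is available on the affected machine.

function Get-IEHomePageState {
    $result = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        # Standard IE start-page values in the per-user and machine hives
        $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (Test-Path $main) {
            $p = Get-ItemProperty -Path $main -ErrorAction SilentlyContinue
            foreach ($name in 'Start Page', 'Default_Page_URL', 'Local Page') {
                if ($p.$name) {
                    $result += [pscustomobject]@{ Source = "$main\$name"; Value = $p.$name }
                }
            }
        }
        # Policy values that grey out the home-page box and Internet Options:
        # Control Panel\HomePage = 1 locks the home page,
        # Restrictions\NoBrowserOptions = 1 hides Internet Options entirely.
        $ctl = "${hive}:\Software\Policies\Microsoft\Internet Explorer\Control Panel"
        $res = "${hive}:\Software\Policies\Microsoft\Internet Explorer\Restrictions"
        foreach ($pair in @(@($ctl, 'HomePage'), @($res, 'NoBrowserOptions'))) {
            $key, $val = $pair
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$val
                if ($v) { $result += [pscustomobject]@{ Source = "$key\$val"; Value = $v } }
            }
        }
    }
    return $result
}

function Get-RunKeyEntries {
    # Programs started at logon; a rogue "antispyware" pop-up usually needs one.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            $p.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object { [pscustomobject]@{ Source = "$key\$($_.Name)"; Value = $_.Value } }
        }
    }
}

function Test-WininetSignature {
    # Caveat: on older Windows releases system DLLs are signed via catalog
    # files, and Get-AuthenticodeSignature may then report NotSigned for a
    # legitimate file. Treat anything other than Valid as "compare with a
    # known-good copy", not as proof of infection.
    $path = Join-Path $env:SystemRoot 'system32\wininet.dll'
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path   = $path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    }
}

# Print everything in one report; redirect to a file to keep it with the case notes.
'== IE home page and lock policies =='
Get-IEHomePageState | Format-Table -AutoSize
'== Run keys =='
Get-RunKeyEntries | Format-Table -AutoSize
'== wininet.dll signature =='
Test-WininetSignature | Format-List
```

    Run it from an elevated PowerShell prompt before booting into Safe Mode, and once more after the cleanup; a home page that has returned to the company default, no HomePage/NoBrowserOptions policy values, and no unfamiliar Run entries are the simplest confirmation that the fix took.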
    LVL 3

    Expert Comment


    I've had this before with a couple of customers; it comes in various forms and can be an absolute nightmare to remove.  It sounds like it is similar to the about:blank hijack. If you check Internet Properties, is the homepage set to about:blank?

    Does System Restore work?  If so, I would seriously recommend using this first.

    There are a couple of threads about this hijack already that might help.

    I also found that one customer I spoke to had this virus embedded in a Windows Media codec which turned out to be completely undetectable by every piece of software I installed and ran, clever.  Fortunately I found a solution by chance which involves removing the will have to re-download them after deletion, but I would try the other fixes first.


    Author Comment

    Howdy, upon further research I found that Ad-Aware was able to include this in the latest update (17May06).  I went ahead and updated the program and it was able to clear everything.  Thanks for all your suggestions.
