Solved

AntiSpyLab popups

Posted on 2006-05-17
Last Modified: 2010-04-11
Howdy, I work in the IT department for a decently sized company in Phoenix, AZ and this one is stumping me.  Kinda urgent so quick help is appreciated.

I'm getting these pop-up notifications in the bottom right of the toolbar saying that the computer is infected with (insert fictional program here), "Click to remove", and it keeps taking me to this AntiSpyLab website telling me to pay to download their program and get rid of the virus.

It seems to have taken over.  The default page for internet explorer is now the antispylab page and it will not let you click to change any of the settings for IE.  

This machine is running XP Pro Service Pack 2. It's all updated.

So far I've run Adaware and Symantec AntiVirus from safe mode. Adaware keeps picking things up and deleting them each time I run it, but that is proving unsuccessful for my issue.

Has anyone else experienced this? How else can I get rid of this program/virus/trojan, whatever it is? Thanks
Question by:Xaosob1
5 Comments
 
LVL 32

Expert Comment

by:r-k
ID: 16703040
To identify the problem, please do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
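Added example (not from the thread or from HijackThis itself): a small Python triage script for the kind of HijackThis log r-k asks for, run over a constructed sample log. It flags R0/R1 start/search page entries pointing off the trusted-host list or at about:blank, unnamed Browser Helper Objects, and autorun entries launched from temp folders; the trusted-host list and the `.example` hijacker domain are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample HijackThis log (not from the thread). The hijacker URL
# uses a reserved .example domain as a placeholder, not a real indicator.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antispylab.example/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\xkq1d3.dll",
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\bob\Local Settings\Temp\svchost.exe",
])

# Assumption: the hosts a homepage/search page may legitimately point to.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}
# Autorun entries launched from these folders are a classic rogue-AV sign.
SUSPECT_PATH_PARTS = ("\\temp\\", "\\temporary internet files\\")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def parse_log(text):
    """Yield (section, body) for each HijackThis entry line, skipping header text."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")

def check_entry(sec, body):
    """Return a reason string if the entry looks like a browser hijack, else None."""
    if sec in ("R0", "R1") and " = " in body:
        value = body.rsplit(" = ", 1)[1].strip()
        if value.lower() == "about:blank":
            return "start/search page is about:blank (about:blank hijack pattern; confirm it is intended)"
        host = urlparse(value).hostname or ""
        if host not in TRUSTED_HOSTS:
            return f"start/search page points to untrusted host {host!r}"
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    if sec == "O4" and any(p in body.lower() for p in SUSPECT_PATH_PARTS):
        return "autorun entry launches from a temp folder"
    return None

def triage(text):
    """Return [(section, body, reason)] for every flagged entry, in log order."""
    return [(s, b, r) for s, b in parse_log(text) if (r := check_entry(s, b))]
```

Flagged entries are leads for a manual review of the log, not an automatic removal list.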
 
LVL 53

Accepted Solution

by: Will Szymkowski earned 2000 total points
ID: 16703168
Hello there,

Try using the following programs...

Ewido - http://www.ewido.net/en/download/

Spybot - http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Before running these programs, make sure you turn off System Restore.

Right click my computer
Properties, System Restore tab
Check the box Turn off System Restore.

Run both programs in Safe Mode, but before scanning with Spybot in Safe Mode make sure you update it first in normal Windows mode.

Hope this helps
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16704037
Yeah, it would be a good idea if we looked at a HijackThis log.

Antispylab is a variant of the Smitfraud family of infections.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
"smitfraudfix.cmd"
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted: "Registry cleaning - Do you want to clean the
registry?" Answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.

 
LVL 3

Expert Comment

by:esdxr26
ID: 16706640
Hi,

I've had this before with a couple of customers; it comes in various forms and can be an absolute nightmare to remove. It sounds like it is similar to the about:blank hijack. If you check Internet Properties, is the homepage set to about:blank?

Does System Restore work? If so, I would seriously recommend using this first.

There are a couple of threads about this hijack already that might help.

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21849068.html

http://www.experts-exchange.com/Security/Q_21481544.html

I also found that one customer I spoke to had this virus embedded in a Windows Media codec, which turned out to be completely undetectable by every piece of software I installed and ran; clever. Fortunately I found a solution by chance which involves removing the codecs... you will have to re-download them after deletion, but I would try the other fixes first.

http://support.microsoft.com/kb/142731/en-us


 

Author Comment

by:Xaosob1
ID: 16709569
Howdy, upon further research I found that Adaware was able to include this in the latest update (17May06). I went ahead and updated the program and it was able to clear everything. Thanks for all your suggestions.