Solved

Spyware Wizard

Posted on 2006-11-30
10
702 Views
Last Modified: 2010-04-12
OK, this is the first time I have found a rogue security program that I could not get rid of. Spyware Wizard has hijacked the MSN home page only (MSN software). It has not affected Internet Explorer, which is odd. The following programs were unable to 'see' it: CounterSpy, Spyware Doctor, Panda, AdAware, SuperAntiSpyware, AVG. The MSN home page is re-directed to "theta-main.hosting" and "zeta-main.hosting", which then pulls up the Spyware Wizard home page. There is NO code 10, R0, R1 on HijackThis regarding a hijacker or re-director. There are NO suspicious codes 02 or 03 either. Along with my own knowledge I even ran it through the .de analyzer website, which found no problems to speak of. I have uninstalled MSN and reinstalled to find it still there. Any ideas?
Question by:Jeff_Burns
10 Comments
 
LVL 27

Accepted Solution

by:
David-Howard earned 167 total points
ID: 18049492
You could check your Hosts file for any Spyware Wizard or Theta-Main hosting entries. If found, remove them and save the file.
Hosts file location: C:\WINNT\System32\drivers\etc
You might also check that none of the malicious software is residing in your Startup file.
Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
I'm assuming that the anti-malware scans you performed were in Safe Mode. If not you might try that as well.
Please make sure that you have cleared all IE Temp files, etc.
David
0
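The hosts-file check suggested above is easy to get wrong by eye, because the stock Windows hosts file is mostly commented-out example lines and a hijack entry can sit on the same line as a legitimate name or behind an inline comment. Below is an added example (not code from the original thread or from any of the tools named in it) that parses a hosts file the way the resolver does, drops comments and blank lines, and flags any active entry that maps a watched domain (here msn.com, an assumption based on the reported symptom) or names one of the redirect targets mentioned in the question. The sample hosts content is constructed; the 192.0.2.10 address is a documentation address, not a real indicator.

```python
"""Flag suspicious active entries in a Windows-style hosts file."""
import ipaddress

# Redirect targets named in the thread; matched as substrings of a hostname.
INDICATOR_SUBSTRINGS = ("theta-main.hosting", "zeta-main.hosting")

# Domains that should never appear in a workstation's hosts file at all.
# Constructed watch-list for this example: the thread reports MSN being redirected.
WATCHED_DOMAINS = ("msn.com",)

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: the stock Microsoft header (comment-only "examples",
# as the asker observed) followed by two hypothetical hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
# --- constructed hijack entries below (not a real infection sample) ---
192.0.2.10      www.msn.com   msn.com          # inline comment after names
192.0.2.10      theta-main.hosting
"""


def parse_hosts(text):
    """Return active (line_no, address, hostname) tuples, one per hostname.

    Everything after '#' is a comment, so the stock example lines contribute
    nothing. A line may list several hostnames for one address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not a hosts entry; the resolver ignores it too
        for name in names:
            entries.append((line_no, address, name.lower()))
    return entries


def find_suspicious(entries):
    """Return (line_no, address, hostname, reason) for entries worth removing."""
    findings = []
    for line_no, address, name in entries:
        # The one entry every Windows hosts file legitimately carries.
        if name == "localhost" and address in LOOPBACK:
            continue
        reason = None
        if any(ind in name for ind in INDICATOR_SUBSTRINGS):
            reason = "names a known redirect target"
        elif any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            reason = "watched domain pinned to %s (DNS bypassed)" % address
        if reason:
            findings.append((line_no, address, name, reason))
    return findings


def scan_hosts_text(text):
    """Convenience wrapper: parse and flag in one call."""
    return find_suspicious(parse_hosts(text))


if __name__ == "__main__":
    # To check a live machine, read the real file instead of SAMPLE_HOSTS,
    # e.g. open(r"C:\WINNT\System32\drivers\etc\hosts").read()
    for line_no, address, name, reason in scan_hosts_text(SAMPLE_HOSTS):
        print("line %d: %s -> %s  [%s]" % (line_no, name, address, reason))
```

Only entries that survive comment stripping are reported, so a hosts file whose every non-localhost line is a '#'-prefixed example, as the asker found, produces no findings; that is the expected result for a clean file and confirms the hijack lives somewhere other than the hosts file.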
 

Author Comment

by:Jeff_Burns
ID: 18050335
This machine is running Win 2K...the only entries in the Hosts folder appear to be 'examples'. Nothing refers to any particular website.
There is nothing out of the ordinary in the start up.
I am re-running Counterspy in safe mode now.
All potential problem temp files, cookies, etc. have been removed.
0
 

Author Comment

by:Jeff_Burns
ID: 18050423
I ran CounterSpy and AVG in safe mode...nothing.
0
 

Author Comment

by:Jeff_Burns
ID: 18050863
Sophos and Root Kit Revealer found nothing!
0
 
LVL 22

Expert Comment

by:p_davis
ID: 18057295
try spybot search and destroy

free from http://www.download.com

nails a lot of bad things -- you can also try ewido.
0
 

Author Comment

by:Jeff_Burns
ID: 18057481
I removed Spybot S&D from this computer since it obviously wasn't doing its job. I have never found Spybot to be very reliable when it comes to rogue security programs.
0
 

Author Comment

by:Jeff_Burns
ID: 18057493
Ewido is now AVG Anti-Spyware, which unfortunately has not fared too well in the tests I've performed.
0
 
LVL 22

Assisted Solution

by:p_davis
p_davis earned 167 total points
ID: 18058442
maybe s&d isn't reliable for "rogue security programs" but it is one hell of a tool that i have used for many years with great success for spyware/malware/crapware.......

i haven't spent too much time with ewido but i hear great things and have just started using it.--

btw i never use spybot running in the background-- always manual scans.

that being said, good luck
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 166 total points
ID: 18059695
Let's look at your hijackthis log for curiosity, even though you said no suspicious entries present.


Or:
Try smitfraudfix.
Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by rebooting the computer, and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0
 

Author Comment

by:Jeff_Burns
ID: 18081634
"Smit" didn't work. After researching for hours, I came to the conclusion that there IS no solution for this bug yet...like the "Winfixer" problem a year ago, it took the anti-spyware community MUCH longer than expected to write code to kill WinFixer and apparently they haven't figured out this one yet.
I appreciate everyone's input.
Jeff
0