  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 714
  • Last Modified:

Spyware Wizard

OK, this is the first time I have found a rogue security program that I could not get rid of. Spyware Wizard has hijacked the MSN home page only (MSN software). It has not affected Internet Explorer which is odd. The following programs were unable to 'see' it: CounterSpy, Spyware Doctor, Panda, AdAware, SuperAntiSpyware, AVG. The MSN home page is re-directed to "theta-main.hosting" and "zeta-main.hosting", which then pulls up the Spyware Wizard home page. There is NO code 10, R0, R1 on HijackThis regarding a hijacker or re-director. There are NO suspicious codes 02 or 03 either. Along with my own knowledge I even ran it through the .de analyzer website which found no problems to speak of. I have uninstalled MSN and reinstalled to find it still there. Any ideas?
0
Jeff_Burns
Asked:
Jeff_Burns
3 Solutions
 
David-Howard Commented:
You could check your Hosts file for any Spyware Wizard or Theta-Main hosting entries. If found, remove them and save the file.
Hosts file location: C:\WINNT\System32\drivers\etc
You might also check that none of the malicious software is residing in your Startup file.
Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
I'm assuming that the anti-malware scans you performed were in Safe Mode. If not you might try that as well.
Please make sure that you have cleared all IE Temp files, etc.
David
0
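A way to run the Hosts-file check suggested above and tell the commented-out sample lines apart from active entries. This is an added example, not part of the original thread; the sample file contents, the IP addresses and the msn.com / example-av names are constructed, and only the two watch-listed hostnames come from the question.

```python
import ipaddress

# Hostnames named in the question; everything else in this block is constructed.
WATCHLIST = ("theta-main.hosting", "zeta-main.hosting")
LOOPBACK_NAMES = {"localhost"}

# Constructed sample modelled on a default Windows hosts file plus three active entries.
SAMPLE = """\
# Sample HOSTS file (constructed)
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
203.0.113.7     www.msn.com home.msn.com   # constructed: home page pinned elsewhere
127.0.0.1       update.example-av.test     # constructed: name pointed at loopback
198.51.100.9    Theta-Main.Hosting
"""

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_no, ip, hostname, reason) for every active entry worth a look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        active = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not active:
            continue                             # blank, or a commented 'example' line
        fields = active.split()
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "malformed address"))
            continue
        for name in (n.lower().rstrip(".") for n in names):
            if any(name == w or name.endswith("." + w) for w in watchlist):
                findings.append((line_no, ip, name, "watch-listed host"))
            elif name in LOOPBACK_NAMES and addr.is_loopback:
                continue                         # the stock "127.0.0.1 localhost" line
            elif addr.is_loopback or addr.is_unspecified:
                findings.append((line_no, ip, name, "name sinkholed to local address"))
            else:
                findings.append((line_no, ip, name, "name pinned to fixed address"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

To audit a real machine, pass the text of the `hosts` file from the directory given above instead of `SAMPLE`; an empty result means the file holds nothing beyond comments and the localhost line.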
 
Jeff_Burns (Author) Commented:
This machine is running Win 2K...the only entries in the Hosts folder appear to be 'examples'. Nothing refers to any particular website.
There is nothing out of the ordinary in the start up.
I am re-running Counterspy in safe mode now.
All potential problem temp files, cookies, etc have been removed.
0
 
Jeff_Burns (Author) Commented:
I ran CounterSpy and AVG in safe mode...nothing.
0
 
Jeff_Burns (Author) Commented:
Sophos and Root Kit Revealer found nothing!
0
 
p_davis Commented:
try spybot search and destroy

free from http://www.download.com

nails a lot of bad things -- you can also try ewido.
0
 
Jeff_Burns (Author) Commented:
I removed Spybot S&D from this computer since it obviously wasn't doing its job. I have never found Spybot to be very reliable when it comes to rogue security programs.
0
 
Jeff_Burns (Author) Commented:
Ewido is now AVG Anti-Spyware, which unfortunately has not fared too well in the tests I've performed.
0
 
p_davis Commented:
maybe s&d isn't reliable for "rogue security programs" but it is one hell of a tool that i have used for many years with great success for spyware/malware/crapware.......

i haven't spent too much time with ewido but i hear great things and have just started using it.--

btw i never use spybot running in the background-- always manual scans.

that being said, good luck
0
 
rpggamergirl Commented:
Let's look at your hijackthis log for curiosity, even though you said no suspicious entries present.


Or:
Try smitfraudfix.
Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0
 
Jeff_Burns (Author) Commented:
"Smit" didn't work. After researching for hours, I came to the conclusion that there IS no solution for this bug yet...like the "Winfixer" problem a year ago, it took the anti-spyware community MUCH longer than expected to write code to kill WinFixer and apparently they haven't figured out this one yet.
I appreciate everyone's input.
Jeff
0
Question has a verified solution.
