Solved

Spyware Wizard

Posted on 2006-11-30
Last Modified: 2010-04-12
OK, this is the first time I have found a rogue security program that I could not get rid of. Spyware Wizard has hijacked the MSN home page only (MSN software). It has not affected Internet Explorer which is odd. The following programs were unable to 'see' it: CounterSpy, Spyware Doctor, Panda, AdAware, SuperAntiSpyware, AVG. The MSN home page is re-directed to "theta-main.hosting" and "zeta-main.hosting", which then pulls up the Spyware Wizard home page. There is NO code 10, R0, R1 on HijackThis regarding a hijacker or re-director. There are NO suspicious codes 02 or 03 either. Along with my own knowledge I even ran it through the .de analyzer website which found no problems to speak of. I have uninstalled MSN and reinstalled to find it still there. Any ideas?
Question by:Jeff_Burns
10 Comments
 
LVL 27

Accepted Solution

by:
David-Howard earned 501 total points
ID: 18049492
You could check your Hosts file for any Spyware Wizard or Theta-Main hosting entries. If found, remove them and save the file.
Hosts file location: C:\WINNT\System32\drivers\etc
You might also check that none of the malicious software is residing in your Startup file.
Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
I'm assuming that the anti-malware scans you performed were in Safe Mode. If not you might try that as well.
Please make sure that you have cleared all IE Temp files, etc.
David
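Added example, not from the thread or any of its participants: a small Python check that reads a hosts file the way David suggests, skips the commented "example" lines the default Windows 2000 file ships with, and flags any active mapping that either names one of the hosting domains from the question or sends a name other than localhost to a non-loopback address (a redirect). The sample file content, the 192.0.2.10 address and the WATCH_DOMAINS tuple are constructed for the example.

```python
import ipaddress

# Constructed sample modelled on the Windows 2000 default hosts file
# (C:\WINNT\System32\drivers\etc\hosts) with two hijack-style lines added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
192.0.2.10      www.msn.com          # constructed: MSN sent to another host
127.0.0.1       theta-main.hosting   # constructed: watch-list name present
"""

# Domains named in the question; extend with whatever the home page lands on.
WATCH_DOMAINS = ("theta-main.hosting", "zeta-main.hosting")


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for each active, well-formed entry.
    Comment-only lines (the 'examples' the author saw) are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        entries.append((line_no, ip, [h.lower() for h in fields[1:]]))
    return entries


def suspicious_entries(text, watch=WATCH_DOMAINS):
    """Flag entries that (a) name a watch-list domain or (b) send any name
    other than localhost to a non-loopback address, i.e. a redirect."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if any(name == w or name.endswith("." + w) for w in watch):
                findings.append((line_no, name, "watch-list domain"))
            elif name != "localhost" and not ip.is_loopback:
                findings.append((line_no, name, f"redirected to {ip}"))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name}: {reason}")
```

To check a real machine, read the contents of the hosts file at the path David gives and pass that text to suspicious_entries instead of the sample.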
 

Author Comment

by:Jeff_Burns
ID: 18050335
This machine is running Win 2K...the only entries in the Hosts folder appear to be 'examples'. Nothing refers to any particular website.
There is nothing out of the ordinary in the start up.
I am re-running Counterspy in safe mode now.
All potential problem temp files, cookies, etc have been removed.
 

Author Comment

by:Jeff_Burns
ID: 18050423
I ran CounterSpy and AVG in safe mode...nothing.
 

Author Comment

by:Jeff_Burns
ID: 18050863
Sophos and Root Kit Revealer found nothing!
 
LVL 22

Expert Comment

by:p_davis
ID: 18057295
Try Spybot Search and Destroy.

Free from http://www.download.com

Nails a lot of bad things -- you can also try Ewido.
 

Author Comment

by:Jeff_Burns
ID: 18057481
I removed Spybot S&D from this computer since it obviously wasn't doing its job. I have never found Spybot to be very reliable when it comes to rogue security programs.
 

Author Comment

by:Jeff_Burns
ID: 18057493
Ewido is now AVG Anti-Spyware, which unfortunately has not fared too well in the tests I've performed.
 
LVL 22

Assisted Solution

by:p_davis
p_davis earned 501 total points
ID: 18058442
Maybe S&D isn't reliable for "rogue security programs" but it is one hell of a tool that I have used for many years with great success for spyware/malware/crapware.

I haven't spent too much time with Ewido but I hear great things and have just started using it.

BTW, I never use Spybot running in the background -- always manual scans.

That being said, good luck.
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 498 total points
ID: 18059695
Let's look at your HijackThis log for curiosity, even though you said no suspicious entries are present.


Or:
Try SmitfraudFix.
Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer, and repeatedly tapping the F8 key as the PC starts. Choose "Safe Mode" from the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
 

Author Comment

by:Jeff_Burns
ID: 18081634
"Smit" didn't work. After researching for hours, I came to the conclusion that there IS no solution for this bug yet...like the "Winfixer" problem a year ago, it took the anti-spyware community MUCH longer than expected to write code to kill WinFixer and apparently they haven't figured out this one yet.
I appreciate everyone's input.
Jeff
Question has a verified solution.
