Solved

Spyware Wizard

Posted on 2006-11-30
Last Modified: 2010-04-12
OK, this is the first time I have found a rogue security program that I could not get rid of. Spyware Wizard has hijacked the MSN home page only (MSN software). It has not affected Internet Explorer which is odd. The following programs were unable to 'see' it: CounterSpy, Spyware Doctor, Panda, AdAware, SuperAntiSpyware, AVG. The MSN home page is re-directed to "theta-main.hosting" and "zeta-main.hosting", which then pulls up the Spyware Wizard home page. There is NO code 10, R0, R1 on HijackThis regarding a hijacker or re-director. There are NO suspicious codes 02 or 03 either. Along with my own knowledge I even ran it through the .de analyzer website which found no problems to speak of. I have uninstalled MSN and reinstalled to find it still there. Any ideas?
Question by:Jeff_Burns
10 Comments
 
LVL 27

Accepted Solution

by:
David-Howard earned 501 total points
ID: 18049492
You could check your Hosts file for any Spyware Wizard or Theta-Main hosting entries. If found, remove them and save the file.
Hosts file location: C:\WINNT\System32\drivers\etc
You might also check that none of the malicious software is residing in your Startup file.
Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
I'm assuming that the anti-malware scans you performed were in Safe Mode. If not you might try that as well.
Please make sure that you have cleared all IE Temp files, etc.
David
0
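An added example, not part of David-Howard's answer or any tool named in this thread: a hosts-file audit that lists every active (uncommented) mapping instead of searching for a product name, since a redirect entry would normally name the hijacked site rather than the malware. The sample file, the `audit_hosts` helper and the choice of `msn.com` as a watched name are assumptions; the two `.hosting` names are the ones quoted in the question.

```python
import ipaddress
import sys

# Constructed sample. The commented lines mimic the stock examples Windows ships.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
203.0.113.7     www.msn.com  msn.com    # constructed redirect entry
0.0.0.0         ads.example.test
garbage line without an address
"""

# Names to watch: the redirect hosts quoted in the question, plus msn.com (assumption).
WATCHED = ("msn.com", "theta-main.hosting", "zeta-main.hosting")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, address, hostname, reason) for every active entry worth review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comment, split on whitespace
        if not fields:
            continue                            # blank or comment-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "unparseable address"))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for host in (h.lower().rstrip(".") for h in fields[1:]):
            if any(host == w or host.endswith("." + w) for w in watched):
                reason = "watched name overridden"
            elif addr.is_loopback and host == "localhost":
                continue                        # the one stock active entry
            elif local:
                reason = "name blocked locally"
            else:
                reason = "name pinned to remote address"
            findings.append((line_no, str(addr), host, reason))
    return findings

if __name__ == "__main__":
    # Pass the hosts file path as the first argument; otherwise use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(*finding, sep="\t")
```

An empty result means the file holds only comments and the stock `localhost` line, which matches what the asker reports in the next comment.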
 

Author Comment

by:Jeff_Burns
ID: 18050335
This machine is running Win 2K...the only entries in the Hosts folder appear to be 'examples'. Nothing refers to any particular website.
There is nothing out of the ordinary in the start up.
I am re-running Counterspy in safe mode now.
All potential problem temp files, cookies, etc have been removed.
0
 

Author Comment

by:Jeff_Burns
ID: 18050423
I ran CounterSpy and AVG in safe mode...nothing.
0
 

Author Comment

by:Jeff_Burns
ID: 18050863
Sophos and Root Kit Revealer found nothing!
0
 
LVL 22

Expert Comment

by:p_davis
ID: 18057295
try spybot search and destroy

free from http://www.download.com

nails a lot of bad things -- you can also try ewido.
0
 

Author Comment

by:Jeff_Burns
ID: 18057481
I removed Spybot S&D from this computer since it obviously wasn't doing its job. I have never found Spybot to be very reliable when it comes to rogue security programs.
0
 

Author Comment

by:Jeff_Burns
ID: 18057493
Ewido is now AVG Anti-Spyware, which unfortunately has not fared too well in the tests I've performed.
0
 
LVL 22

Assisted Solution

by:p_davis
p_davis earned 501 total points
ID: 18058442
maybe s&d isn't reliable for "rogue security programs" but it is one hell of a tool that i have used for many years with great success for spyware/malware/crapware.......

i haven't spent too much time with ewido but i hear great things and have just started using it.--

btw i never use spybot running in the background-- always manual scans.

that being said, good luck
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 498 total points
ID: 18059695
Let's look at your hijackthis log for curiosity, even though you said no suspicious entries present.


Or:
Try smitfraudfix.
Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0
 

Author Comment

by:Jeff_Burns
ID: 18081634
"Smit" didn't work. After researching for hours, I came to the conclusion that there IS no solution for this bug yet...like the "Winfixer" problem a year ago, it took the anti-spyware community MUCH longer than expected to write code to kill WinFixer and apparently they haven't figured out this one yet.
I appreciate everyone's input.
Jeff
0
