pup/malware removal help
shap17thst
home computer (XP). It redirects my home page to a site advertising virus
protection software. I'm unable to remove any of the pup files and my
spyware and virus software as well as the new MS security software is unable
to remove it. Any suggetions? Thanks.
David H. Lipman
So you can get the most accurate answer...
Please provide the EXACT messages that see Pop-Up and /or the URLs of the "virus protection
software".
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
shap17thst
The url is: http://www.safetyuptodate.com/
Occasionally in addition to this url, there will also be a smaller ms
windows looking alert telling me that my computer may be infected and directs
me to click on the window which sends me to the same site.
I've tried every all the recommended spyware programs and nothing seems to
work.
Malke
> Still getting the redirect of my home page when I open explorer.
>
> The url is: hxxp://xxx.safetyuptodate/
Evil url munged so as to prevent some fool from clicking on it.
> Occasionally in addition to this url, there will also be a smaller ms
> windows looking alert telling me that my computer may be infected and
> directs me to click on the window which sends me to the same site.
>> From: "shap17thst" <shap1...@discussions.microsoft.com>
>>
>> | I opened a link in an email that embedded advertising (pup or
>> | malware?) on my
>> | home computer (XP). It redirects my home page to a site
>> | advertising virus
>> | protection software. I'm unable to remove any of the pup files and
>> | my spyware and virus software as well as the new MS security
>> | software is unable
>> | to remove it. Any suggetions? Thanks.
The url takes you to a alarmist page shilling MalwareWipe, a known rogue
antispyware program. The page carefully tells me (in red letters!) that
my system is Vulnerable!!! So much for their accuracy (I don't run
Windows). You can look up rogue antispyware programs on MVP Eric Howes'
excellent site here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
I would approach this with the Smitfraud/Spyaxe/Spyfalcon fixes, at
least to start with.
Do the preparatory work here:
http://www.elephantboycomputers.com/page2.html#Removing_Malware
Then move on to the Smitfraud fixes:
http://www.elephantboycomputers.com/page2.html#Smitfraud_Trojan
If all else fails, run HijackThis and post your log on one of the
specialty forums listed on my website (not here, please).
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
David H. Lipman
| Still getting the redirect of my home page when I open explorer.
|
| The url is: hxxp://www.safetyuptodate.com/
|
| Occasionally in addition to this url, there will also be a smaller ms
| windows looking alert telling me that my computer may be infected and directs
| me to click on the window which sends me to the same site.
|
| I've tried every all the recommended spyware programs and nothing seems to
| work.
|
The following are pretty much the same...
hxxp://www.securityuptodate.com/
hxxp://www.safetyuptodate.com/
Both are indicative of a ZLob/FakeAlert/SmitFraud Trojan.
Two part reply..
Perform Part 1 then perform Part 2.
If the first two parts don't work, perform the alternate section.
It is suggested that you execute each tool in Normal Mode then in Safe Mode.
If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.
Simple check, look under...
C:\Program Files\Java
The only folder under that folder should be the latest version...
C:\Program Files\Java\jre1.5.0_06
http://www.java.com/en/download/manual.jsp
Part 1
-----------
Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
http://www.bleepingcomputer.com/forums/topic43659.html
Part 2
-----------
Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe
Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.
Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.
It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.
ALTERNATE:
Part 1
-----------
Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.
http://secured2k.home.comcast.net/tools/AntiPuper.exe
http://forums.mcafeehelp.com/viewtopic.php?t=65072
Part 2
-----------
S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.
* * * Please report back your results * * *
Panda_man
> So much for their accuracy (I don't run
> Windows).
>
Linux ? Mac ?
Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
Please , rate posts
Malke
> "Malke" wrote in part :
>
>> So much for their accuracy (I don't run
>> Windows).
>
> Linux ? Mac ?
If you used a real newsreader instead of the web interface, you could
read my headers and know. ;-)
(I'm just teasing you, but it's true.)
Malke
(hint - newsreader is KNode)
What's in a Name?
thought,came up with this gem:
> Panda_man wrote:
>
> > "Malke" wrote in part :
> >
> >> So much for their accuracy (I don't run
> >> Windows).
>
> >
> > Linux ? Mac ?
>
> If you used a real newsreader instead of the web interface, you could
> read my headers and know. ;-)
>
lol @ Malke MS-MVP Windows - Shell/User '04'05'06
(I hear ya)
max
--
Virus Removal Instructions http://home.neo.rr.com/manna4u/
Playing Nice on Usenet: http://oakroadsystems.com/genl/unice.htm#xpost
Change nomail.afraid.org to gmail.com to reply by e-mail.
nomail.afraid.org is setup specifically for use in USENET
Feel free to use it yourself.Registered Linux User #393236
Panda_man
>
> If you used a real newsreader instead of the web interface, you could
> read my headers and know. ;-)
>
> (I'm just teasing you, but it's true.)
>
> Malke
> (hint - newsreader is KNode)
> --
Thanks , Google ! Malke ;) :) ;)