Desperation Help!

Denzil Hathway

Dec 20, 2005, 12:48:21 AM
I've seen others asking about this here but I never thought it would happen
to me - what with my McAfee, Spybot, Ad-Aware and the new Microsoft Beta and
all, on top of my XP with SP2.

I'm writing on my laptop because I can't get online with the desktop. After
going online this afternoon my home page in IE6, normally my ISP's, was
replaced by something that gives a URL of www.needupdate.com and purports
to be a MSIE Security Center telling me that my system is under the control
of a remote computer with an IP address of 227.4.167.118 having access to
the folders WINDOWS/System32; Program Files/Internet Explorer; My Documents;
Drive D: (Second Hard Drive) files.

I am told "Your private info is collected by W32.Sinnika.A@mm" There is also
the directive that the solution is to get Malware Wipe and Spy Trooper, with
links to websites for a "Free" download. Of course, I can't get online -
even though I'm online with the laptop that's part of my wireless network
(pc with wireless ethernet, laptop with wireless card, wireless router and
broadband cable modem).

I haven't got a clue what's going on or what to do about this. Scans by
McAfee Anti virus, Ad-Aware and the MS Beta are all negative. Spybot finds a
problem identified as SmitfraudC that it says it cannot fix.

Where do I go from here - anyone know? I'd sure appreciate some help.
Denzil.


Panda_man

Dec 20, 2005, 3:39:02 AM
Well, you have nasty infections.

Immediately disconnect the infected computer from the internet and from the
network. Get the tools needed from another PC known to be 100% malware free.

When you clean the infected one, check the others because you say they are in
a network.

First, delete all temporary files

Start -> Settings -> Control Panel -> Internet Options

There, on the General Tab you will see where you can delete
• internet temporary files
• cookies
• history
Delete them all.

@ Run Disk clean-up with all checked:
Go to Start -> Programs -> Accessories -> System Tools -> Disk Cleanup

Empty System Restore
(this way you will not be able to get back if something goes wrong but I
think in your case it would be better, but only you decide.)

>>> Right click on My Computer->Properties->System Restore
Check Turn off system restore. Click OK

>>> Restart the computer in Normal mode.


Then, restart, booting in Safe Mode with Command prompt:

How to boot your computer in SAFE MODE WITH COMMAND PROMPT

Do this by repeatedly typing F8 while Windows is starting before
Windows logo appears.
Then you'll open the BIOS menu where you can choose to boot
the hard drive in SAFE MODE WITH COMMAND PROMPT

then type the following :
cd\ [ENTER]
cd "Program files" [ENTER]
cd "Spybot - Search & Destroy" [ENTER]


then you will have opened this:
C:\Program files\Spybot - Search & Destroy

now type the following and the scan will start
spybotsd.exe /autocheck /autofix

!!! N.B.
[ENTER] means that you have to hit ENTER button on the keyboard
Also note that there is a space between the commands


Now you will have SpyBot started from a clean environment and it will be
able to disinfect the Smitfraud.

You also need another software:
@ Ad-Aware SE Personal
http://www.lavasoftusa.com/software/adaware

Make sure it is updated. When you download Ad-Aware from the clean PC, install
it and then just copy the folder called Lavasoft in C:\Program files

Also get :
Trial version of McAfee command line
from here:
http://www.mcafee.com/us/downloads/evals/default.asp

It is called only
McAfee VirusScan Command Line Scanners

Learn how to use it from the file in the ZIP archive

Download the definitions from here:
http://www.mcafee.com/us/downloads/updates/dat.asp

and unzip them in the McAfee Command line scanner where they are placed

Boot in Safe Mode with command prompt and navigate to the file. Then scan...

Panda_man
--
Let's beat malware black and blue
Panda TruPrevent - the most intelligent technology to combat unknown malware
http://www.pandasoftware.com
http://www.microsoft.com/protect

Malke

Dec 20, 2005, 7:22:56 AM
Denzil Hathway wrote:

Start here:

Use noahdfear's SmitFraud and SpyAxe removal tool.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=8

http://www.bleepingcomputer.com/forums/topic36868.html

http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Jon Phipps

Dec 20, 2005, 10:36:32 AM
I went to the page in question and did a view source (the page gave me the
same information as it gave the original poster and I run WOC, Symantec corp
and spybot full time with others reserved for safe mode scans). The lines
in question are mere text trying to get you to download and/or buy the
"spyware" scanner they are selling. This is a quote from the top of their
html:

"Attention! Your system is under control of remote computer with IP
address 227.4.167.118. The remote computer has access to the following
folders on your PC:<br>
- <b>\WINDOWS\System32</b><br>
- <b>\Program Files\Internet Explorer</b><br>

- <b>\My Documents</b><br>
- Drive <b>C:\</b> files<br>
<a href="http://malwarewipe.com/?rid=239">Click here</a> to download
official anti-spyware software
<br>"

Personally I would not worry about the page. The only thing I would
worry about is why you are sent there. Try going to Tools, Internet Options and
set your homepage to blank or default (the lovely MSN page). Most of the
other information on that page is recoverable from the HTTP header
information, in and of itself is not overly dangerous. On searching for the
"virus" in Symantec's db I get the following
Results for: w32.sinnika.a@mm


No results were found for your search.
Try changing some of the words in your query.

This page is trying to scare you, don't fall for it.
Download multi_av (can someone help with the URL), install it and run the
scans from safe mode. Also download Spybot Search and Destroy and run that
from safe mode as well. If all comes up clean, and I think it will, take a
deep breath and thank your lucky stars you dodged a bullet.

Jon
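
The observation in the post above, checked in code. This is an added example, not part of Jon Phipps's post or of any tool named in the thread: it parses the quoted fragment and separates what the page claims from what it could actually know. The claimed "remote computer" address 227.4.167.118 lies in 224.0.0.0/4, the IPv4 multicast block, so it cannot identify a single host. The sample page, the sample headers and all function names are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the fragment quoted in the post, plus one browser line of
# the kind the page also shows. SAMPLE_HEADERS is what the browser itself sent.
SAMPLE_PAGE = r"""Attention! Your system is under control of remote computer with IP
address 227.4.167.118. The remote computer has access to the following
folders on your PC:<br>
- <b>\WINDOWS\System32</b><br>
- <b>\Program Files\Internet Explorer</b><br>
- <b>\My Documents</b><br>
- Drive <b>C:\</b> files<br>
<a href="http://malwarewipe.com/?rid=239">Click here</a> to download
official anti-spyware software<br>
They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)<br>"""
SAMPLE_HEADERS = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_START = re.compile(r"(?:[A-Za-z]:)?\\")
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}

class PageScan(HTMLParser):
    """Collects text chunks, link targets and tags that could run code."""
    def __init__(self):
        super().__init__()
        self.chunks, self.links, self.active = [], [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
    def handle_data(self, data):
        if data.strip():
            self.chunks.append(data.strip())

def classify_ip(addr):
    """Say whether an address could identify one remote host at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_multicast:  # 224.0.0.0/4 names a group, never a single machine
        return "multicast"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
        return "non-routable"
    return "unicast"

def triage(html, request_headers):
    """Separate what the page claims from what it could actually know."""
    page = PageScan()
    page.feed(html)
    page.close()
    text = " ".join(" ".join(page.chunks).split())
    return {
        "ip_claims": {ip: classify_ip(ip) for ip in IPV4.findall(text)},
        # Folder names typed into the markup: every visitor gets the same list.
        "folders": [c for c in page.chunks if PATH_START.match(c)],
        # Values the browser volunteered in its request, echoed back as "findings".
        "echoed_headers": [k for k, v in request_headers.items() if v in text],
        "link_hosts": [urlsplit(h).hostname for h in page.links],
        "active_content": page.active,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE, SAMPLE_HEADERS))
```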


David H. Lipman

Dec 20, 2005, 10:57:26 AM
From: "Denzil Hathway" <hat...@cox.net>

It is a Rogue web site conning you to buy software or to actually get you infected.

I checked the virus libraries of many vendors and "Sinnika" was not found in any of them.

Additionally; Spy Trooper that is recommended on that page is a Rogue anti spyware
application listed on Spyware Warrior. http://www.spywarewarrior.com/rogue_anti-spyware.htm


Two part reply..

Perform Part 1 and then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Denzil Hathway

Dec 21, 2005, 5:41:38 PM

"Denzil Hathway" <hat...@cox.net> wrote in message
news:e3Q$BkSBG...@TK2MSFTNGP11.phx.gbl...
===============================

With the expert help of those that replied my problem is fixed. It took
quite a bit of time and most of the simple removal tools didn't work - even
in safe mode. It took specific win32 removal tools with precautionary
downloading of microsoft files to back up accidental or incidental erasure.
I want to specifically mention Pandaman and David Lipman. Thanks guys.


David H. Lipman

Feb 5, 2006, 9:26:52 AM
From: "cantrustne1" <cantr...@discussions.microsoft.com>

| Could you please be a little more specific with "It took specific win32
| removal tools with precautionary downloading of microsoft files to back up
| accidental or incidental erasure". I would be appreciative. I have tried
| everything including noahdfear and Search & Destroy still says it is on my
| computer. Thanks.

I think it would be best to create a whole new thread indicating what problems you are
having, what you are experiencing and what you have done to-date.

cantrustne1

Feb 5, 2006, 12:40:28 PM
Well, my computer is running better than it was a few days ago. A few
days ago, about:blank hijacked my browser, pop ups were frequent (not
unbearable though), and that virus message would constantly invade my task
bar. I used Microsoft Antispyware, Spybot Search & Destroy, Ewido, AVG Free,
Ad-Aware SE, and smitRem and they worked to their varying degrees. And I
have used these all in Safemode as well. The only thing I have been unable to
fully complete is DiskCleanup because my computer always ends up crashing
before it is finished. After completing these tasks I use Search and Destroy
as one last check, it still tells me that SmitfraudC is still on my computer
and it cannot be destroyed. S&D by the way is the only program that tells me
SmitfraudC is still on my computer. Is there a way to stop it from running,
as I believe that is the reason I cannot destroy it? Thanks for any help.

PS - I am not as computer savvy as some of you so forgive me if my
descriptions are not as crisp as you would like. If I am not giving the
information needed, please let me know what you need from me. Thanks again.

David H. Lipman

Feb 5, 2006, 1:21:23 PM
From: "cantrustne1" <cantr...@discussions.microsoft.com>

| Well, my computer is running better than it was a few days ago. A few
| days ago, about:blank hijacked my browser, pop ups were frequent (not
| unbearable though), and that virus message would constantly invade my task
| bar. I used Microsoft Antispyware, Spybot Search & Destroy, Ewido, AVG Free,
| Ad-Aware SE, and smitRem and they worked to their varying degrees. And I
| have used these all in Safemode as well. The only thing I have been unable to
| fully complete is DiskCleanup because my computer always ends up crashing
| before it is finished. After completing these tasks I use Search and Destroy
| as one last check, it still tells me that SmitfraudC is still on my computer
| and it cannot be destroyed. S&D by the way is the only program that tells me
| SmitfraudC is still on my computer. Is there a way to stop it from running,
| as I believe that is the reason I cannot destroy it? Thanks for any help.
|
| PS - I am not as computer savvy as some of you so forgive me if my
| descriptions are not as crisp as you would like. If I am not giving the
| information needed, please let me know what you need from me. Thanks again.
|


Two part reply..

Perform Part 1 then perform Part 2.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp


Part 1
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

Part 2
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

I hope you are using SpyBot S&D v1.4. If you are, make sure it is updated and run it in
Safe Mode.

* * * Please report back your results * * *

SilvrWolf

Feb 24, 2006, 12:40:27 AM
Is there any way to retrieve the folder that is now missing from my D drive?

Malke

Feb 24, 2006, 7:51:58 AM
SilvrWolf wrote:

> Is there any way to retrieve the folder that is now missing from my D
> drive?
>

What??? Are you the original poster or are you someone who just tacked
your question onto an old thread?

If you are the OP, you didn't mention anything about missing a folder on
a D drive. If you are a new person trying to ask a question, then
please make a new post and include a lot more details.

It can be very hard for a non-technical person to know what to include
in a post to a tech support newsgroup. Here is a link that will help
you with that - http://www.dts-l.org/goodpost.htm

bryce

Mar 8, 2006, 6:43:28 PM
My computer is infected with spyware that states, "your computer is being
monitored by W32.Sinnaka.A@mm". I have downloaded the beta 2 anti-spyware
from the microsoft home page but it seems to be not working. Can u email me
at bryce...@verizon.net and help me?

David H. Lipman

Mar 8, 2006, 6:55:14 PM
From: "bryce" <br...@discussions.microsoft.com>

| My computer is infected with spyware that states, "your computer is being
| monitored by W32.Sinnaka.A@mm". I have downloaded the beta 2 anti-spyware
| from the microsoft home page but it seems to be not working. Can u email me
| at bryce...@verizon.net and help me?
|

You need to do what was posted in the thread !

LC

Apr 17, 2006, 4:31:22 PM
I am having the exact same problem, I also have antispyware stuff that doesn't
detect the problem or can't fix it. I'm with you, man. If you get it figured
out PLEASE let me know, I will certainly notify you if I have any luck. I
thought I was all alone in this battle, about to go insane.

LC

Apr 17, 2006, 4:31:44 PM
I am having the same problem as Denzil, and I tried your safe mode fix. It
wouldn't let me type in all commands, said something about a batch & couldn't
find "Spybot". However, when I got back on the internet that page didn't come
up. Instead it says this:

Please try the following:

Install Spy Trooper software to clean your PC.

If you typed the page address in the Address bar, make sure that it is
spelled correctly.

To check your connection settings, click the Tools menu, and then click
Internet Options. On the Connections tab, click Settings. The settings should
match those provided by your local area network (LAN) administrator or
Internet service provider (ISP).
See if your Internet connection settings are being detected. You can set
Microsoft Windows to examine your network and automatically discover network
connection settings (if your network administrator has enabled this setting).
Click the Tools menu, and then click Internet Options.
On the Connections tab, click LAN Settings.
Select Automatically detect settings, and then click OK.
Some sites require 128-bit connection security. Click the Help menu and then
click About Internet Explorer to determine what strength security you have
installed.
If you are trying to reach a secure site, make sure your Security settings
can support it. Click the Tools menu, and then click Internet Options. On the
Advanced tab, scroll to the Security section and check settings for SSL 2.0,
SSL 3.0, TLS 1.0, PCT 1.0.
Visit Spy Trooper website to delete spyware and adware software.

Please tell how to fix this.

Oh yeah, when I start in safe mode do I choose XP Edition or the other one?
(Sorry, can't remember what the other said)

Elendil

Apr 18, 2006, 9:11:04 PM
I don't see any post by Denzil but I'm assuming you're having a malware
problem so: Go to the Comprehensive Malware Removal Instructions sections on
the Detailed Malware Removal page of my website: www.stopmalware.tk and
follow the steps provided. While it may take a while, your computer will be
at least 99% clean of malware. Follow up by going to the Safety Tips page to
further secure your computer.


"LC" <L...@discussions.microsoft.com> wrote in message
news:FCC05F82-FB7A-41F9...@microsoft.com...

>> . internet temporary files
>> . cookies
>> . history

Patalac9000

Apr 19, 2006, 6:04:01 AM
Attention! Your system is under control of remote computer with IP address
227.4.167.118. The remote computer has access to the following folders on
your PC:
- \WINDOWS\System32
- \Program Files\Internet Explorer
- \My Documents
- Drive C:\ files
Click here to download official anti-spyware software

Your private info is collected by W32.Sinnaka.A@mm
Your IP address: 69.244.46.49

Your Country: US, United States

They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
.NET CLR 1.1.4322; .NET CLR 2.0.50727)

Operation System: OS Windows

Risk status for futher investigation: VERY HIGH RISK

Time of investigation: Wed Apr 19 2:48:21 PDT 2006

this happened after i had JUST GOT A FUCKING VIRUS OFF OF MY COMPUTER!!!

so i have no clue as to what in the fuck is going on here...
can someone help me?

Tom [Pepper] Willett

Apr 19, 2006, 8:37:55 AM
What things above, about what?

"Patalac9000" <Patal...@discussions.microsoft.com> wrote in message
news:81B10C3C-AEA3-4E0A...@microsoft.com...
|i tried everything i saw above...and none of them worked...
|


heLP

Apr 24, 2006, 6:18:01 AM

"Panda_man" wrote:

- I got McAfee suite 06, my computer has been cleaned and looks spic and
span, all the way, then when I get on ie6 it tells me that stuff, and I get
trojans all over again. I'm really getting annoyed, I guess I'll have 2 use
another browser than ie6, help me out I'm a geek also and I'm stumped.

David H. Lipman

Apr 24, 2006, 10:55:26 AM
From: "heLP" <he...@discussions.microsoft.com>


| - I got McAfee suite 06, my computer has been cleaned and looks spic and
| span, all the way, then when I get on ie6 it tells me that stuff, and I get
| trojans all over again. I'm really getting annoyed, I guess I'll have 2 use
| another browser than ie6, help me out I'm a geek also and I'm stumped.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
