Scary problem happening with my friend's PC
Posted: Mon Apr 03, 2006 4:16 pm
by At Large
Since my friend knows next to nothing about computers and I happen to know enough to be really dangerous (see the thread about me shorting out my motherboard by moving components from one box to another on the carpet), he asked me to look at his computer.
His problem: No matter what home page he set for IE, it would revert to a security warning page telling him that he had a spyware thing on his PC. The warning came from a page at http://securitywarning.com (warning: do not go there! Not sure what it will do!). Also, when he tried checking his Hotmail, the page would just load and refresh over and over.
So, I tried running Spybot. It would find some spyware, but as soon as you tried to remove them, it would close Spybot.
Same for Ad-Aware. I ran and removed some spyware with that, but it still didn't get rid of it.
Finally I tried Microsoft's anti-spyware program. It wouldn't even let me finish installation because it was corrupt.
I then realized what was happening. During my attempts to run Windows Update on his PC, I noticed that I was getting invalid errors. Trying to register the DLLs as suggested by the KB article there didn't work. So I tried installing MS Spy Defender again. It was then that I noticed this:
- Clicking on the download Windows Update link/button opened a small little window that flashed and closed. Then it had a download window that was downloading the invalid Spy Defender program from securitywarning.com!
I got around this by right-clicking and saving as from the Microsoft page.
Long story short, it was doing the same thing on the Windows Update page.
I finally updated all of the security updates from Microsoft, but it took two attempts by running Windows Defender again to remove it. He said that he can now check his email, but I'm not sure if we solved the problem (I had to leave at some point).
Anybody know what's going on here? Any solutions?
Posted: Mon Apr 03, 2006 4:39 pm
by ElvisMonster
Did you try restoring from a previous day?
Posted: Mon Apr 03, 2006 5:15 pm
by PrimeX
You need to read the 'any port in a storm' instructions.
Posted: Tue Apr 04, 2006 12:27 pm
by ElTaco
If the home page is gone and your virus and spyware scans are coming up clean then you probably did get rid of the problem. Obviously there was some spyware on there but are you saying that the update issues and download issues were also being caused by spyware?
As always, it's recommended that you update the virus and spyware definitions and then reboot into safe mode in Windows (hit F8 when Windows is booting) and then run everything from there. You stand a better chance of not starting the virus/spyware while in safe mode because Windows will only try to load essential/default Windows things in safe mode. If after repeated reboots the PC comes back clean with no signs of the webpage, it's probably clean for the time being.
So the next question becomes, how do you keep it clean, and that's really up to your friend. If he continues to use IE, it's recommended that you move up his security settings a tad bit. Make sure that pop-up ads are disabled by default, make his Internet security settings high or high medium. Maybe even disable some of the ActiveX features.
Your other option might be to leave him with a different browser that does this automatically, like Firefox, or maybe even download IE7, which does more of this anyway, but IE7 is in beta still so be careful. Also make sure he has a firewall, antivirus and at least one spyware program actively checking for rogue installs.
If all that doesn't work you can always try EM's advice or just reinstall.
Posted: Tue Apr 04, 2006 3:27 pm
by ElvisMonster
ElTaco wrote: If all that doesn't work you can always try EM's advice...
Posted: Wed Apr 05, 2006 3:28 pm
by At Large
Yes, I'm suggesting that the spyware was prompting downloads as if they came from Microsoft.
It sounds to me like this is a company that is trying to dupe people into buying their anti-spyware product by directing them to their website every time they open their browser while claiming that they are infected. They then will buy the software to get rid of their own spyware. Why else would the home page be corrupted to the point where you can't make any changes and it always directs you to the site to get rid of it?
My friend is seriously thinking of getting a new computer anyway, but we've got it fixed enough for him to use it.
Posted: Fri Apr 07, 2006 12:12 am
by Mr T
I ran into the same problem your friend did.
I did my best to get rid of it but finally just reset to another day and everything turned out fine.
Posted: Fri Apr 07, 2006 12:58 am
by ElvisMonster
Mr T wrote:... finally just reset to another day and everything turned out fine.
SEE?!!! YOU PEOPLE THINK I JUST MAKE THIS SHIT UP!!! BUT IT'S A SCIENTIFIC FACT!! FACE!!!
Posted: Fri Apr 07, 2006 3:15 am
by Mr T
I'll agree.
Fuck trying to fix shit.
Restore from a previous day is the answer.
Posted: Fri Apr 07, 2006 6:17 am
by Mister Bushice
ElvisMonster wrote: Mr T wrote: ... finally just reset to another day and everything turned out fine.
SEE?!!! YOU PEOPLE THINK I JUST MAKE THIS SHIT UP!!! BUT IT'S A SCIENTIFIC FACT!! FACE!!!
Then why doesn't it work when I face another thread killed by the Risa worm?
Posted: Fri Apr 07, 2006 1:45 pm
by At Large
This has been a problem for him for weeks now. I'm not sure if he has System Restore on.
Since I haven't had this type of a problem for a really long time now on my own computer, how do you restore from a previous point again? I literally haven't had to do that for three years.
I should point out that he does have firewall/antivirus/spyware programs from Computer Associates, but he didn't have active spyware detection on, which probably caused the problem since it doesn't seem like a virus.
Posted: Fri Apr 07, 2006 5:04 pm
by Mister Bushice
1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.
Posted: Mon Apr 10, 2006 10:27 pm
by At Large
I just checked with my friend. He said he still has the problem of the homepage sending him to the securitywarning page. He had also tried to restore prior to calling me, but that didn't help.
He can at least function again to be able to check his email, but he's pretty much resolved to get a new student computer from DIT computers in a few months anyway. He got this current one from Computer Renaissance and he's regretted it ever since.
Posted: Wed Apr 12, 2006 9:38 pm
by ElTaco
Did you try multiple spyware removers in safe mode?
You could try this site:
http://spywarewarrior.com/sww-help.htm#infested
They have you download HijackThis, which is a program that puts specific information into a log file, then you can post it on their message board and they should be able to give you better advice. The Microsoft Malicious Software Removal tool is new and looks for Trojans, which is what your problem might be. You could try running that to see if it can find the problem files and remove them. You can also try some of the online scanners.
PS: I read on some websites that aren't perhaps the most trustworthy ones, but they stated that this 'spyware' might be closer to a trojan, which could mean that your friend's machine is being used as a zombie in a botnet or even to listen for passwords and credit cards. I haven't seen much on this on the more trustworthy sites, but as a precaution, you might consider wiping the computer and just reinstalling if you can't get rid of the problem. Better safe than sorry.
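Added example, not part of the original post and not HijackThis's own code: a first-pass triage of the kind of log the post above describes, listing Internet Explorer start/search page entries (HijackThis sections R0 and R1) that point at hosts outside an expected set. The sample log is constructed, and the allowlist and function names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: domains the owner expects as IE start/search pages.
ALLOWED_SUFFIXES = ("microsoft.com", "msn.com")

# Constructed sample, modelled on HijackThis "R0/R1 - key,value = data" lines.
SAMPLE_LOG = r"""Logfile of HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securitywarning.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [constructed-entry] C:\WINDOWS\system32\example.exe
"""

# section, registry key, value name, data (data may itself contain '=')
ENTRY = re.compile(r"^(R[01]) - (HK\w+\\[^,]+),([^=]+?) = (.*)$")

def host_allowed(host):
    """True only for an allowlisted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def suspicious_pages(log_text):
    """Return (section, key, value, host) for R0/R1 entries off the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # other sections (O2, O4, ...) need separate review
        section, key, value, data = m.groups()
        data = data.strip()
        if data in ("", "about:blank"):
            continue  # blank page settings are not a remote redirect
        host = urlparse(data).hostname or ""
        if not host_allowed(host):
            findings.append((section, key, value.strip(), host))
    return findings

if __name__ == "__main__":
    for finding in suspicious_pages(SAMPLE_LOG):
        print("review:", finding)
```

A flagged entry only says where to look; the setting usually comes back after a fix if the program rewriting it is still running, which matches the reverting home page described earlier in the thread.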
Posted: Sat Apr 15, 2006 12:55 am
by James
This sounds like a variant of the SpyAxe/SpywareStrike/SpyFalcon/SpywareQuake trojan going around.
It all starts when an icon appears in your system tray resembling a Windows Automatic Update alert, telling you to download one of these programs to fix it. Even if you try to ignore it, it downloads the shit program for you and once it's on there, it's a bitch to get off.
http://wiki.castlecops.com/Malware_Remo ... xe_Removal
Who knows, it could be ANY form of spyware. But that's the one I've dealt with the most lately.