infection in Action


Gary Richardson
01-10-2007, 02:00 AM
For those of you who know, I spend a lot of my time removing Malware from other people's computers.

This clip at UTube gives you an idea of why you should browse cautiously and pay attention to your security.

It shows a typical "Spy Sherriff" install, which is one of the "Smitfraud" family of infections, an extremely common infection, usually contracted by downloading an infected codec.

Enjoy!

http://www.youtube.com/watch?v=MaKv_wv83BU&mode=related&search=


Photoshop. This is an ad for McAfee Site Advisor, which is a tool for giving an indication of which sites contain infected links.

McAfee AV funnily enough (though not surprisingly) does not remove this infection.

chrishoggy
01-10-2007, 03:52 AM
Nice clip Gary :wink: :thumbsup:

Kraellin
01-10-2007, 07:40 AM
hehe, never had one quite that bad, but close :)

CJ Swartz
01-10-2007, 12:52 PM
Gary, thanks for the clip -- if it wasn't so scary :eek: :eek: I'd say I enjoyed it. The music really adds to the drama. I hope I never let my poor computer get that sick... :bawling:

I really like McAfee's SiteAdvisor add-on to Firefox -- I like that the free version gives me info about potential threats at a particular website (getting bugged with emails if you sign up on that page, spyware attached to downloads from a site, etc.), and I feel much better when I see that nice green color saying that a site is relatively safe.

Gary Richardson
01-10-2007, 04:24 PM
Yeah, I like Site Advisor too, though it is not always totally reliable.

Some good sites were recently listed as red because some of the tools there had processes which could be used maliciously, they weren't, but Site Advisor relies on a bot system to gather data, and tends to err on the side of caution.

The good thing is that McAfee responded quickly when their error was pointed out to them, and the site listing was revised.

Full marks therefore to McAfee, now if only they could do something about the over bloated pile of junk they sell as an Anti-Virus.

T Paul
01-15-2007, 11:52 PM
My sister's computer now looks like the YouTube clip...hers was spysoldier and ultimately Win32.MatrixHasYou. She gave up in defeat tonight and we are going to try to tackle it tomorrow.

Gary Richardson
01-16-2007, 09:31 AM
Hi T,

Get her to run a HJT (HijackThis) scan and I'll look it over for you; if we know what the infection is, it'll probably save you hours of possibly fruitless endeavour. (Sounds like one of the Smitfraud variants offhand, but I'll be better placed to help her if I can see a HJT log).

Click here (http://downloads.malwareremoval.com/HJTsetup.exe) to download HJTsetup.exe, and save it to your desktop. Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Copy and paste the log here
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

T Paul
01-16-2007, 09:53 AM
Thanks so much Gary! I haven't heard back from her today, but I will let her know about your extremely kind offer!!!!

Gary Richardson
01-16-2007, 12:24 PM
You're welcome. Just post it in this thread and I'll see it.

T Paul
01-17-2007, 01:09 PM
Well I just talked to my sister. She ended up purchasing SpyDoctor and I think it found over 600 infected files. She is trying to install HiJackThis right now but gets the following error:

an error occured while trying to rename a file in the destination directory Movefile failed; code 5 Access denied

Kraellin
01-17-2007, 01:33 PM
600! oh my lord. i thought i was in trouble when i found 3 a year ago :)

you might inform your sister that ANY personal data she had on that computer is now public knowledge, including passwords, bank statements, email addresses, pin numbers, credit card numbers and so on. she should inform the bank if she had a pin number on the computer, credit card companies if she had any credit card numbers on there and so on down the line. many of these modern viruses and spyware do nothing but search such data out on an infected computer and send that data out for thieves to use.

T Paul
01-17-2007, 01:38 PM
That's not going to make her happy. She still hasn't had any luck installing HJT.

T Paul
01-17-2007, 01:41 PM
It all happened when she was trying to send me some photos. Her computer came with Adobe Photoshop Album Starter 2.0 and she was having some trouble emailing from the program, so she clicked on the link to go to the software web site and wham, her computer was taken over! Sounds like something is nesting in her computer.

Gary Richardson
01-17-2007, 02:10 PM
Hi T,

OK, let's try re-naming HJT and then seeing if we can install it and run a scan.

Won't be able to use the version I linked to, as that auto installs.

Try this.

Create a new folder C:\HJT

Download HijackThis.exe (http://downloads.malwareremoval.com/HijackThis.exe) to this folder. (This is a free-standing executable version).

Now rename HijackThis.exe to FredFlintstone.exe then try to run a scan. Post back here if possible, if not let me know, there's other things we can try.


Question: When you say SpyDoctor, do you mean SpywareDoctor by PC Tools?

Kraellin
01-17-2007, 02:15 PM
try gary's method first. but, i also recently ran HJT and went to their web site and noticed that they also recommend, in some instances, using earlier versions of HJT due to some viruses attacking the later versions specifically. so, that might be an option also, if gary's method doesn't work.

T Paul
01-17-2007, 02:17 PM
Thanks to both of you! I'll pass on the info to my sister. :)

Gary Richardson
01-17-2007, 02:32 PM
If we can't get a HJT log, there are other analytical tools we can use to try and find out what the problem is; it's just that HJT gives an easy-to-read log that I'm most familiar with.

Try and follow just one set of instructions. Using more than one person's suggestions is a recipe for disaster, as it becomes impossible to know exactly what you're doing.

T Paul
01-17-2007, 02:36 PM
Okay she is trying it now...fingers crossed.

T Paul
01-17-2007, 02:39 PM
She gets the same error, even after creating the folder and renaming the file.

T Paul
01-17-2007, 02:41 PM
Is there a way to generate the log from a site versus installing the application?

Gary Richardson
01-17-2007, 02:53 PM
Not really, it's a binary executable.

OK, let's try doing an online scan and seeing what kind of log (if any) we get back.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: You must be using Internet Explorer as your browser, as it will be necessary to install an ActiveX component on your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases


Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post please.


Please note, this scanner will not try to fix anything; it will just give us a log so we can get some sort of idea what's happening.

Also try this.


Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) by sUBs
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply please.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Last thing,

Download IttyBittyProcessManager (http://www.merijn.org/files/ibprocman.zip)

Run this programme and it will bring up a "Task Manager" like window. Don't try to stop any processes with it, just list what it finds so I can look and see what's running on her computer. Do this by clicking on the Save button (the one that looks like a floppy disc) and posting the txt file it produces.

T Paul
01-17-2007, 03:45 PM
She may not get to this until tomorrow, but I'll keep you posted. Thanks again for all the help!!!

Gary Richardson
01-17-2007, 04:02 PM
OK, no worries.

Kaspersky usually takes a while to run, and may produce a large log; it may need several posts to get it all in.

Unfortunately as you know I'm away skiing on Saturday, so if this turns out to be a difficult infection (won't know until we get some sort of log back) then you may have to seek help at one of the forums, as sometimes it takes a while to get rid of an infection completely.

I've posted links to some of the more reliable ones in the RetouchPro library http://www.retouchpro.com/library/browselinks.php?c=21, but I'll advise you better after we find out what problems (if any) your sister has running the latest instructions.

T Paul
01-17-2007, 04:05 PM
Unfortunately as you know I'm away skiing on Saturday...

Must be nice! :)

Gary Richardson
01-17-2007, 04:09 PM
Must be nice! :)

Hope so, it's 2 years since I last strapped my planks on, and I've got withdrawal symptoms pretty bad (I'm a hopeless ski junkie). :nod:

T Paul
01-18-2007, 03:04 PM
I haven't gotten a chance to really talk to my sister yet, but from a quick email she did run Kaspersky. It did say she was still infected, but hotmail won't let her attach the file to send to me b/c it says it contains a virus.

Gary Richardson
01-18-2007, 04:31 PM
OK.

I think at this point it's going to be easier if she contacts one of the Malware help sites direct; as I said, I'm going skiing on Saturday, and I'll be a bit tied up tomorrow with packing and other arrangements.

It's necessary to get her problems resolved quickly as most infections only get worse if left untreated.

Try any of the following sites for help, all are staffed by qualified volunteers and will give advice that can be relied upon. (I help out at all 3, so have personal experience with them).

http://www.spywarewarrior.com/index.php
http://forum.malwareremoval.com/
http://forums.tomcoyote.org/

The first 2 are smaller forums, where the relationship between helper and client tends to be a bit more personal.

The last 2 are both training schools, so it's possible you'll get a "trainee". All trainees are supervised, and all information given will have been checked by an instructor before it is allowed to be posted. Because of this, replies can sometimes be slower on these forums. When I say "trainee", this does not mean someone who is in the early stages of their training, but someone who is close to qualifying.

Because these forums are set up for Malware removal, the post size limits are usually such that she'll be able to post even large logs direct to the forum, which should remove problems like those with hotmail.

Good luck, let me know how things go, I'll read up when I get back.

OOPS, almost forgot. She'll have to register to get help, but all information given is kept confidential, she will not be spammed or bothered in any way.

Tell her to post her problem in the HJT forum, explaining her inability to post a HJT log, they'll take it from there.

T Paul
01-19-2007, 09:48 AM
Thanks so much Gary and have a great time skiing!!

T Paul
01-23-2007, 04:20 PM
Hope you had a good time skiing! I haven't heard back from my sister yet. Besides the computer woes, she is also in the process of moving so life is hectic!

Gary Richardson
01-27-2007, 06:22 PM
Hi T,

Had a great time thanks, fresh snow and loads of sun, so I'm feeling much refreshed mentally, (if exhausted physically).

Keep me posted as to your sister's problems, and we should be able to resolve them. I appreciate the disruption a move may cause, so I don't expect anything until she's settled and ready to proceed.

It's 01:20 am here, and I just got home a couple of hours ago, so I'm turning in for the night now, look forward to catching up with all the other things I've missed tomorrow.

T Paul
01-27-2007, 10:08 PM
Thanks Gary. It may be a month or so before I hear anything. They will be staying with family for a few weeks before the final move, and then they will need time to settle in and unpack all those boxes (smile).

Gary Richardson
01-28-2007, 01:35 AM
Sounds like fun ......... not! I hate moving, fortunately I haven't had to for quite some time.

Best of luck to her and her family.