[Ham-Computers] RE: Need some help - b4 I lose the rest of my hair!!
Hsu, Aaron (NBC Universal)
aaron.hsu at nbcuni.com
Fri Jun 27 15:08:15 EDT 2008
Just this past Tuesday, I spent several hours cleaning up a friend's PC that got hit with a similar virus/trojan. Seems the propagation point is with a security flaw in Adobe's Flash Player - all you need to do is visit a website with compromised Flash content and a trojan was installed on your system.
In this case, my friend's PC was infected with iebr.dll (plus several variants), and, unfortunately, she clicked on the banner that installed a fake anti-malware product called "AntiSpyCheck". ASC put an icon in the system tray that looked quite similar to the Windows Security Center shield and every 5 minutes, it would flash and generate a bubble message stating that the system was infected and needed to be scanned. It installed itself as a critical service so it even started in Safe Mode and I was unable to locate the service with the SC utility. Also, the combo of spyware/trojans disabled the McAfee Security Suite that was installed on her system, allowing more "stuff" to be installed.
After running HiJackThis and doing some Googling, I found the best way to remove this particular "product" was with two programs - SmitFraudFix and Malwarebytes Anti-Malware (MBAM). Links here:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://www.malwarebytes.org/
I used the removal instructions from this site:
http://www.bleepingcomputer.com/malware-removal/antispycheck
You'll find two sections on removal - one for MBAM and one for SmitFraudFix. I ran SmitFraudFix first as I was still in Safe Mode. Then after rebooting, I installed and ran MBAM. MBAM picked up some additional items that SmitFraudFix left behind. The last things I did were a full Spybot S&D scan, a final HiJackThis scan, and a TCP/IP stack reset. Once everything was done, McAfee came back to life and the system ran *MUCH* faster.
Although your particular system might not be infected with AntiSpyCheck, the symptoms are similar and the "SmitFraud" family of viruses work the same way. Try the steps above and see if it gets your system up and running again. If possible, keep the infected system off-line while disinfecting and use another "clean" system to find removal instructions and download clean-up apps. Then use a USB flash key to move the apps when needed.
Oh, and make sure to update your Flash Player to v9.0.124.0 or newer!
http://www.adobe.com/go/EN_US-H-GET-FLASH
If you use both IE and Firefox, make sure you visit the website with both - IE uses an ActiveX plug-in and Firefox/Mozilla use extensions.
Post another message if you need more assistance.
73 and good luck!
- Aaron Hsu, NN6O (ex-KD6DAE)
{nn6o}@arrl.net
{aaron.hsu}@nbcuni.com
No-QRO Int'l #1,000,006
. -..- - .-. .- ".... . .- ...- -.--"
-----Original Message-----
Sent: Friday, June 27, 2008 11:05 AM
Subject: [Ham-Computers] Need some help - b4 I lose the rest of my hair!!
Okay - I have tried, read and have done numerous searches
to find out what I can do [besides having to reformat the
HD] - but on my other [non-ham pc] on the 20th of this
month I got hit with a XP ANTIVIRUS bug [?] - it keeps
telling me to buy the program to remove it - and what I
cannot figure out is I do not have Windows Security
Suite - I have McAfee Security Suite and it shows where
it caught 'and took care of XP ANTIVIRUS on the 20th'
????? but I have to access my 'accounts' through this
pc because the other one will not let me access the
internet - and at the times it does, when I try to go
past the home page - it blocks the screens, and then
starts the buy xp antivirus software, etc - - I cannot even
see where I have WINDOWS SECURITY SUITE on
the other pc anymore - and it keeps telling me that
the ANTI VIRUS option of that suite is not active -
which is correct as I have [as previously stated -
McAfee Suite]. Do I take off a bunch of programs
on the other pc and reformat? Any and all help
will be appreciated [my son-in-law is the computer
wiz, but he is in Hawaii and busy with his job].
I will answer any/all questions tomorrow [or late
tonight when I get home from work].
Thanks in advance.
73,
JOE W7LPF
EX: W7ZQV/KG6 - W7LPF/DU2 - CT1DKG -
CR7DKG - HB9IBA
QSL MGR: 4L1DA