[Ham-Computers] RE: Need some help - b4 I lose the rest of my hair!!
Joe
ottuser at comcast.net
Sat Jun 28 12:57:44 EDT 2008
All that info you gave me Aaron must have woken up McAfee!!! - I logged onto
the 'infected' pc and the first thing I saw was that McAfee "has
automatically blocked and removed a Trojan. and that it blocked Winfixer
which was located @ C:/Program files/XP ANTIVIRUS/xpa.exe." It gave me the
date of 6/28 of the action although it acknowledged that it had found and
removed same on 6/20 [[when it first showed up]]. I have both your
SmitFraudFix and Malwarebytes links on my memory stick and will go through a
complete ''cleaning of the house I guess'' when I have a break from work. I
really do appreciate your and the other responses - what a group!! [My
''mentor'' back when I was talked into getting a C64 system to 'update my
ham station' while overseas - would have told have asked me first off - have
you read all the manuals!!!] But I regress - thanks again so much and will
let all know what I find when I do the housecleaning on the system.
Take care and have to get ready for work.
73,
Joe W7LPF
----- Original Message -----
From: "Hsu, Aaron (NBC Universal)" <aaron.hsu at nbcuni.com>
To: "I>Ham-Computers" <Ham-Computers at mailman.qth.net>
Sent: Friday, June 27, 2008 19:08
Subject: [Ham-Computers] RE: Need some help - b4 I lose the rest of my hair!!
Just this past Tuesday, I spent several hours cleaning up a friend's PC that
got hit with a similar virus/trojan. Seems the propagation point is with a
security flaw in Adobe's Flash Player - all you need to do is visit a
website with compromised Flash content and a trojan was installed on your
system.
In this case, my friend's PC was infected with iebr.dll (plus several
variants), and, unfortunately, she clicked on the banner that installed a
fake anti-malware product called "AntiSpyCheck". ASC put an icon in the
system tray that looked quite similar to the Windows Security Center shield
and every 5 minutes, it would flash and generate a bubble message stating
that the system was infected and needed to be scanned. It installed itself
as a critical service so it even started in Safe Mode and I was unable to
locate the service with the SC utility. Also, the combo of spyware/trojans
also disabled the McAfee Security Suite that was installed on her system
allowing more "stuff" to be installed.
After running HiJackThis and doing some Googling, I found the best way to
remove this particular "product" was with two programs - SmitFraudFix and
Malwarebytes Anti-Malware (MBAM). Links here:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://www.malwarebytes.org/
I used the removal instructions from this site:
http://www.bleepingcomputer.com/malware-removal/antispycheck
You'll find two sections on removal - one for MBAM and one for SmitFraudFix.
I ran SmitFraudFix first as I was still in Safe Mode. Then after rebooting,
I installed and ran MBAM. MBAM picked up some additional items that
SmitFraudFix left behind. The last things I did were a full Spybot S&D
scan, a final HiJackThis scan, and a TCP/IP stack reset. Once everything
was done, McAfee came back to life and the system ran *MUCH* faster.
Although your particular system might not be infected with AntiSpyCheck, the
symptoms are similar and the "SmitFraud" family of virii work the same way.
Try the steps above and see if it gets your system up and running again. If
possible, keep the infected system off-line while disinfecting and use
another "clean" system to find removal instructions and download clean-up
apps. Then use a USB flash key to move the apps when needed.
Oh, and make sure to update your Flash Player to v9.0.124.0 or newer!
http://www.adobe.com/go/EN_US-H-GET-FLASH
If you use both IE and Firefox, make sure you visit the website with both -
IE uses an ActiveX plug-in and Firefox/Mozilla use extensions.
Post another message if you need more assistance.
73 and good luck!
- Aaron Hsu, NN6O (ex-KD6DAE)
{nn6o}@arrl.net
{aaron.hsu}@nbcuni.com
No-QRO Int'l #1,000,006
. -..- - .-. .- ".... . .- ...- -.--"
-----Original Message-----
Sent: Friday, June 27, 2008 11:05 AM
Subject: [Ham-Computers] Need some help - b4 I lose the rest of my hair!!
Okay - I have tried, read and have done numerous searches
to find out what I can do [besides having to reformat the
HD - but on my other [non-ham pc] on the 20th of this
month I got hit with an XP ANTIVIRUS bug [?] - it keeps
telling me to buy the program to remove it - and what I
cannot figure out is I do not have Windows Security
Suite - I have McAfee Security Suite and it shows where
it caught 'and took care of XP ANTIVIRUS on the 20th'
????? but I have to access my 'accounts' through this
pc because the other one will not let me access the
internet - and at the times it does, when I try to go
past the home page - it blocks the screens, and then
starts the buy xp antivirus software, etc - - I cannot even
see where I have WINDOWS SECURITY SUITE on
the other pc anymore - and it keeps telling me that
the ANTI VIRUS option of that suite is not active -
which is correct as I have [as previously stated -
McAfee Suite]. Do I take off a bunch of programs
on the other pc and reformat? Any and all help
will be appreciated [my son-in-law is the computer
wiz, but he is in Hawaii and busy with his job].
I will answer any/all questions tomorrow [or late
tonight when I get home from work].
Thanks in advance.
73,
JOE W7LPF
EX: W7ZQV/KG6 - W7LPF/DU2 - CT1DKG -
CR7DKG - HB9IBA
QSL MGR: 4L1DA
______________________________________________________________
Ham-Computers mailing list
Home: http://mailman.qth.net/mailman/listinfo/ham-computers
Help: http://mailman.qth.net/mmfaq.html
Post: mailto:Ham-Computers at mailman.qth.net