Is this system clean?
March 10, 2008 8:53 AM Subscribe
Exposed to spyware. Is the system now clean, or are there further steps to be taken? If clean, how do I remove the Windows alert icon in the tray and its accompanying pop-up?
XP SP2
Browser = Firefox
Here is the scenario. Click on a link on a web site; system loads and slows. AVG pops up informing of a spyware infection. Windows pops up with an alert icon in the tray and a message that the computer is infected and will now download the most up-to-date antispyware, and to click on the icon to protect the computer from spyware (which does nothing). AVG pops up windows informing that it is healing infections.
User continues using the computer, ignoring the Windows pop-ups. Computer is turned off overnight.
Upon starting in the AM, the Windows icon is still present and popping up with the same message. AVG does its thing and downloads normal updates, then pops the same window as the night before a couple of times, and finishes a scan too.
User checks for critical updates from MS: none found.
User checks AVG scan results. Scan from the night before, 3/9, shows four threats. Scan from this AM, 3/10, shows no threats.
User checks the AVG virus vault. Six items present in the list, three from the night before and three from this morning. In the "S" column all are shown with a red crossed circle, "infected/suspect objects". In the "T" column five are blue fields, "object's backup created in Virus Vault before healing", with the exception of one with a red field, "object moved to Virus Vault". The five files with blue fields in the "T" column are named "Trojan horse Downloader.Agent.ACAC". The one with the red field in column "T" is named "Virus identified Java/ByteVerify".
What to do now if anything? How to get rid of the windows pop up and icon? Bonus question explain what happened, significance of the one file in vault being different and how much risk is/was involved here. Thank you.
Don't reformat your PC yet. If you have a simple infection, which is how this looks, try the forums at SpywareInfo.
They'll have you post a HijackThis log and give you step-by-step instructions on how to clean the machine. Try this first... most malware can be removed this way, and do not require a restore.
posted by Psionic_Tim at 9:26 AM on March 10, 2008
It sounds from your description that this machine is infected with the SpywareSheriff/Smitfraud type of spyware:
Windows pops up with an alert icon in the tray and a message that the computer is infected and will now download the most up-to-date antispyware, and to click on the icon to protect the computer from spyware (which does nothing).
This is the classic symptom: that pop-up message is not generated by Windows, but by the spyware program itself. I have dealt with this on a dozen different PCs, and the Combofix.exe cleaner has worked wonders. Download and run Combofix, and follow up with a scan by Spybot S&D. I'll wager that will fix your problem.
posted by BigLankyBastard at 9:51 AM on March 10, 2008
It used to be that you could often excise a specific virus or two from your system, but nowadays there are countless variants and extra malware downloaded post-infection. Unless you're an expert, I'd suggest the Lt. Ripley approach: "...nuke the entire site from orbit. It's the only way to be sure."
(Also try to understand why it happened in the first place. Was your software out of date? Did you say OK to running something? Do you have settings that aren't as secure as they could be? etc.)
posted by malevolent at 9:56 AM on March 10, 2008
Windows pops up with an alert icon in the tray and a message that the computer is infected and will now download the most up-to-date antispyware, and to click on the icon to protect the computer from spyware (which does nothing).
The Smitfraud spyware does this. Not Windows. Google "smitfraud removal".
posted by damn dirty ape at 10:17 AM on March 10, 2008
YMMV, but I've had success cleaning a Smitfraud variant with the free version of SUPERAntiSpyware.
Cheesy name, sure, but it seems to work, and I've seen it recommended on various tech help forums.
posted by anthom at 12:52 PM on March 10, 2008
Option One: Give 'er the good ol' reformat. Yep. Back up all your crap, start from scratch, reinstall everything. Make sure you have all your drivers, etc. backed up too.
Option Two: Manually remove the spyware with the vast array of Sysinternals tools. This is not for the faint of heart, and it takes a whole lot of deep Windows knowledge, but you can clean a system. The tools to use are Process Explorer, Autoruns, and RootkitRevealer.
posted by Mach5 at 9:05 AM on March 10, 2008
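The HijackThis-log route in Psionic_Tim's answer and the Autoruns route in Mach5's answer come down to the same job: list every autostart entry on the box and pick out the ones that do not belong, which for a Smitfraud-style fake alert usually means something launching from Temp or Application Data at logon. The script below is an example added here to show that triage step in code; it is not from the thread, from HijackThis or from Sysinternals. It parses the O2 (BHO), O4 (Run keys and Startup folders) and O23 (service) lines of HijackThis's log format and flags entries whose launch string points into a user-writable directory or, more weakly, BHOs with no registered name. The embedded log is a constructed sample, and every file name, registry value name and CLSID in it is a placeholder, not a real indicator.

```python
"""Triage of HijackThis-style autostart entries.

Example code written for this thread; not HijackThis, not Autoruns, and not
a list of real malware indicators. The log text and all names in it are
constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log. Nothing here is a real scan or a real infection.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample, not a real scan)
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\exhelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\placeholder.dll
O4 - HKLM\..\Run: [AVGTray] C:\Program Files\AVG\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SecurityUpdate] "C:\Documents and Settings\User\Local Settings\Temp\fakealert.exe" /tray
O4 - HKLM\..\Run: [ExampleLoader] rundll32.exe "C:\Documents and Settings\All Users\Application Data\example\loader.dll",Start
O4 - Startup: update.lnk = C:\Documents and Settings\User\Application Data\example\update.exe
O23 - Service: Example Antivirus Service (exavsvc) - Example Corp - C:\Program Files\Example\exavsvc.exe
"""

# HijackThis line shapes for the entry types we care about.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<cmd>.*)$")

# Directories on XP that any user (or any downloader the user ran) can write
# to. Legitimate autostart binaries rarely live here. Matched case-insensitively
# as substrings of the whole launch string, so rundll32-loaded DLLs count too.
USER_WRITABLE = (
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
    "\\application data\\",
    "\\recycler\\",
)


@dataclass
class Entry:
    kind: str                 # "Run", "Startup", "BHO" or "Service"
    name: str                 # value name, shortcut name, BHO name or service name
    cmd: str                  # launch string / image path as HijackThis printed it
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_log(text: str) -> list:
    """Turn the O2/O4/O23 lines of a HijackThis log into Entry objects."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        for kind, rx in (("Run", RUN_RE), ("Startup", STARTUP_RE),
                         ("BHO", BHO_RE), ("Service", SVC_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(kind, m.group("name"), m.group("cmd")))
                break
    return entries


def assess(entry: Entry) -> Entry:
    """Attach a reason for each heuristic the entry trips."""
    lowered = entry.cmd.lower()
    hits = [d for d in USER_WRITABLE if d in lowered]
    if hits:
        entry.reasons.append("launches from user-writable path (%s)" % hits[0].strip("\\"))
    if entry.kind == "BHO" and entry.name == "(no name)":
        entry.reasons.append("BHO with no registered name (weak signal, many legit add-ons do this)")
    if entry.kind == "Run" and not entry.name.strip():
        entry.reasons.append("Run value with an empty name")
    return entry


def triage(text: str) -> list:
    """Parse a log and return only the entries worth a closer look, in log order."""
    return [e for e in (assess(e) for e in parse_log(text)) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%-8s %-16s %s" % (e.kind, e.name, e.cmd))
        for r in e.reasons:
            print("         -> " + r)
```

Treat the output as a starting point for the forum helpers or for Autoruns, not as a verdict: a "(no name)" BHO is common for legitimate add-ons, and a dropper that parks itself under system32 passes this path filter entirely, which is part of why the other answers in the thread lean toward a rebuild when you cannot account for every entry.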