Author Topic: Vista Anti-Spyware hostile takeover  (Read 13088 times)


Offline Daisy

  • Full Member
  • ***
  • Posts: 103
    • View Profile
Vista Anti-Spyware hostile takeover
« on: May 16, 2011, 07:20:59 PM »
Hello, I was referred here by Ravencajun at GardenWeb.

Something called Vista Anti-spyware popped up telling me that I was being hacked and to save myself I needed to buy their product. I tried to ignore it, click out, but it was persistent and would not allow me to access Internet Explorer or even run Malwarebytes Anti-Malware. I was able to run Microsoft Security Essentials which reported no threats.

I shut the computer down and turned it on the next day and finally was able to get to download.com to get Spybot Search & Destroy. I ran that, then was able to run Malwarebytes too. Everything is better except when I start up I get a window which says:

"Error loading C:/users etc. etc.
The specified module could not be found."

I click OK and can go on using the computer with no trouble.

But, a window comes up which reports there are blocked start-up programs, looks like about 24. I looked at the list of blocked start up programs, and some I recognize like itunes, adobe, Intel...but there are others like "iwon toolbar," "Ovaguhakuc," and "Pgilevelecofi" which I question.

There are disable/enable buttons on the list of blocked start-up programs.

Not sure what to do. Computer seems to be working fine, though, except for that start-up window.

I have not followed the directions on "Prepare your computer for analysis and recommendations."  It looks so intimidating--thought I'd ask first.



prepare your computer for analysis and recommendations
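An added example, not from this thread and not part of any tool named in it: a Windows PowerShell script that does the triage hinted at in the post above, namely listing the Run/RunOnce autostart entries and flagging the ones whose target file no longer exists (the usual cause of an "Error loading ... The specified module could not be found" dialog at logon), lives under the user profile, carries no valid Authenticode signature, or has a machine-looking value name like the "Ovaguhakuc" and "Pgilevelecofi" entries Daisy lists. It assumes Windows PowerShell 2.0 or later (an optional install on Vista) run from an elevated prompt; every function and variable name is mine, the name heuristic is deliberately crude (a long, lowercase-only product name will trip it), and the script only reads the registry, it removes nothing.

```powershell
# Added example (not from the thread): triage the classic autostart keys after a
# rogue-AV infection. Assumes Windows PowerShell 2.0+ and an elevated prompt.
# Flags reported per entry:
#   MISSING  - target file is gone (produces the "Error loading ... module could
#              not be found" dialog at logon; typically a leftover Run value)
#   PROFILE  - target lives under \Users\, \AppData\ or \Temp\ (where droppers hide)
#   UNSIGNED - target exists but has no valid Authenticode signature
#   RANDOM   - value name is 8+ letters with no word boundary (crude heuristic)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Resolve the file a Run value actually loads: handles quoted paths, unquoted
# paths containing spaces, and rundll32 "<dll>,<entry>" command lines.
function Get-TargetPath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrEmpty($cmd)) { return '' }

    # rundll32 entries: the interesting file is the DLL argument, not rundll32
    if ($cmd -match '^(?:"?[^"]*rundll32(?:\.exe)?"?)\s+"?([^",]+)') {
        return $matches[1].Trim()
    }
    # Quoted path: everything inside the first pair of quotes
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }

    # Unquoted path, possibly with spaces: grow the candidate one token at a
    # time until something exists on disk; else fall back to the first token,
    # which is what Windows itself would try to load.
    $tokens = @($cmd -split '\s+')
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $tokens[0]
}

function Test-AutostartEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $path  = Get-TargetPath $Command
    $flags = @()

    # 8+ letters only and no lowercase->uppercase transition (i.e. not CamelCase)
    if ($Name -match '^[A-Za-z]{8,}$' -and $Name -cnotmatch '[a-z][A-Z]') {
        $flags += 'RANDOM'
    }
    if ($path -match '\\Users\\|\\AppData\\|\\Temp\\') { $flags += 'PROFILE' }

    if ([string]::IsNullOrEmpty($path) -or -not (Test-Path -LiteralPath $path)) {
        $flags += 'MISSING'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += 'UNSIGNED' }
    }

    New-Object PSObject -Property @{
        Key    = $Key
        Name   = $Name
        Target = $path
        Flags  = ($flags -join ',')
    }
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        Test-AutostartEntry -Key $key -Name $prop.Name -Command ([string]$prop.Value)
    }
}

$results | Sort-Object Flags -Descending | Format-Table Flags, Name, Target, Key -AutoSize
```

Read the table top down: an entry that is both MISSING and RANDOM is almost always the orphaned loader line that the removal tools left behind, while a legitimate product that is merely UNSIGNED (older installers often were) should be left alone until a helper confirms it. Note that this covers only the Run/RunOnce keys, not services, scheduled tasks or the Winlogon/Userinit values, which is why the helpers in this thread ask for a full DDS or ComboFix log rather than a registry listing.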

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 15972
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: Vista Anti-Spyware hostile takeover
« Reply #1 on: May 16, 2011, 09:24:17 PM »
GardenWeb Link:  http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4

Hi, Daisy.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know. 

Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1
Link 2
  • Double-click dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post them in your next reply


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline R-C

  • LzD Friends
  • Hero Member
  • *****
  • Posts: 2802
  • Laissez les bons temps rouler!
    • View Profile
Re: Vista Anti-Spyware hostile takeover
« Reply #2 on: May 16, 2011, 09:44:50 PM »
http://ths.gardenweb.com/forums/load/comphelp/msg051320521716.html?4

link to the GW post.

Don't worry Daisy, one step at a time! You are in very good hands here at LzD.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #3 on: May 16, 2011, 10:37:01 PM »
It asks Do you want to run or save dds.scr (611KB) from download.bleepingcomputer.com?   So I should click "Save" and put on desktop, right?
(not "Run")


Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #4 on: May 16, 2011, 10:37:51 PM »
Hi, Daisy.

Yes, save it to your desktop please.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #5 on: May 16, 2011, 11:11:32 PM »

Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #6 on: May 16, 2011, 11:12:22 PM »

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #7 on: May 17, 2011, 12:57:32 AM »
Hi, Daisy.

Did you get the error:  "Error loading C:/users etc. etc. The specified module could not be found." before or after running ARO 2011?  If it was after running ARO 2011, does it have a restore option for the registry edits it performed?  Unless someone is extremely knowledgeable about the registry, I recommend never using registry cleaners/optimizers.  They do more damage than good.

We'll deal with the outdated Adobe Flash Player and Reader later.  First, I want you to take care of Sun Java.  Please go to add/remove programs and uninstall Java(TM) 6 Update 11.

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment (JRE) 6 Update 25.  

Download the Windows x86 Offline version from: Java SE Runtime Environment 6u25

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.  

While you're in add/remove programs, see if the uninstaller for iWon Toolbar works.

Following all of that, please do the following:

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.  

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications - Tech Support Forum.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


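An added example, not from this thread and not from JavaRa or Oracle: a Windows PowerShell script that inventories the Java runtimes registered in Add/Remove Programs, which is the list the instructions above ask Daisy to work through by hand (uninstall "Java(TM) 6 Update 11", then let JavaRa sweep the rest). It reads the same Uninstall registry keys the Add/Remove Programs applet uses, assumes Windows PowerShell 2.0 or later, and prints, without running, the msiexec command each entry's uninstall string resolves to; the function and variable names are mine.

```powershell
# Added example (not from the thread): list every Sun/Oracle Java package that
# Add/Remove Programs knows about, with the command it would run to remove it.
# Assumes Windows PowerShell 2.0+. Read-only: nothing is uninstalled here.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($root in $uninstallKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.DisplayName) { continue }
            # Sun/Oracle naming over the years: "Java(TM) 6 Update 11",
            # "Java 7 Update 45", "J2SE Runtime Environment 5.0 Update 22",
            # "Java SE Development Kit ...", "Java Auto Updater"
            if ($p.DisplayName -match '^(Java|J2SE)') {
                New-Object PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                    Key             = $sub.PSChildName
                }
            }
        }
    }
}

# Oracle's JRE installers register as MSI packages, so the uninstall string is
# "MsiExec.exe /X{GUID}" (or /I{GUID}); the GUID alone is enough for msiexec.
function Get-MsiProductCode {
    param([string]$UninstallString)
    if ($UninstallString -match '\{[0-9A-Fa-f-]{36}\}') { return $matches[0] }
    return $null
}

$java = @(Get-InstalledJava)
$java | Format-Table DisplayName, DisplayVersion, Key -AutoSize

# Show the exact removal command per entry; review, then uninstall from the
# Control Panel or run the line yourself. /qn makes the removal silent.
foreach ($j in $java) {
    $code = Get-MsiProductCode $j.UninstallString
    if ($code) { "msiexec.exe /x $code /qn    # $($j.DisplayName)" }
    else       { "$($j.UninstallString)    # $($j.DisplayName)" }
}
```

Several entries in that list is the normal state on a machine that has taken years of Java updates, because the Java 6 installers left each prior update registered, and each of those old runtimes is a separately exploitable attack surface, which is the reason the helper here removes them before putting the current one on. An entry whose product code no longer resolves to an installed MSI is exactly what JavaRa's "Remove Older Versions" is for.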

Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #8 on: May 17, 2011, 01:19:14 PM »
Good morning, Corrine.

I am sorry I do not remember which came first the "Error loading" or running ARO 2011.  Could be error loading came after but that's a bit of a guess. It was the trial version and ARO reports that "2226 registry errors and tweaks remain & junk status was caution after last scan."  On the ARO settings window there is a tab called "Restore Defaults."

As for getting instructions from the Tech Support Forum to disable antivirus and antimalware--would that Forum be here at landzdown?  Should I enable them at the end of your instructions?  I worry about being unprotected for any period.

I have morning appointments and will follow the rest of the instructions when I get back.

Thank you.  Susan

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #9 on: May 17, 2011, 02:03:45 PM »
Hi, Susan.

Something happened (again) to the formatting of the link to Tech Support Forum.  I've fixed it in the instructions above but also copied the instructions for MSE here:

Microsoft Security Essentials

    * Right click on the system tray icon, and select "Open"
    * Click on the "Settings" tab
    * On the left side of the screen, click on "Real-time protection"
    * Uncheck "Turn on Real-time protection"
    * Click on "Save Changes"

After running ComboFix your computer will restart.  At that time, you can reverse the steps to reactivate MSE.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #10 on: May 17, 2011, 09:01:34 PM »
OK, the JavaRa didn't go perfectly.

I saved it, and it went into my documents and I moved it to the desktop.

I do not know how to unzip.

I started the program (was not asked to "Run as Administrator"--never saw that option).

After clicking "Remove Older Versions"--a message came that it "could not find JavaRadef!  Be sure the definition file resides in the same directory JavaRa.exe is in."  I saw JavaRa.def right above JavaRa.exe in that window.

After it finished searching for old versions it said a logfile has been created called JavaRa.log and can be found on your main hard drive.  Said it will "now open log file," but I did not see it and cannot find in the C drive but maybe I'm not looking in the right place.

When I was looking at the C drive listings, I clicked on JavaRa and got a note that I should extract all files for it to run properly. Should I?

I'm sorry.

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #11 on: May 17, 2011, 09:57:20 PM »
Yes, you need to extract all of the files. 

If you want to keep things all neat and tidy, create a new folder, JavaRa.
Next, right-click the downloaded zip file.
Select "Extract all"
Follow the instructions to navigate to the folder you created.



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #12 on: May 17, 2011, 10:00:26 PM »
There is a ZIP on the JavaRa icon.  When I right-click and go down to IZArc, I have these choices:

Extract to....
Extract here
Extract to ./JavaRa
Email JavaRa.zip
Convert Archive
Create self-extracting (.EXE) file
Open with IZArc
Test

I'm guessing I should go to "Create self-extracting (.EXE) file."  Right?

Offline Corrine

Re: Vista Anti-Spyware hostile takeover
« Reply #13 on: May 17, 2011, 10:26:33 PM »
No, you do not want to create a self-extracting file.  I'd never heard of IZArc but found the instructions, copied below from http://www.izarc.org/tutorials.html#extract

How to extract files

Step 1: Select an archived file and double-click on it. If IZArc is configured correctly, it will be launched and open your archive; otherwise first open IZArc and then open the desired archived file.
Step 2: If you want to extract only a few files from the archive you can select them in the file list (hold the CTRL key to select more than one file).
Step 3: Select "Extract" from the Actions Menu or click on the Extract button.
Step 4: After the Extract dialog appears you can select the folder where your files will be extracted.
Step 5: Click the Extract button.
Step 6: Close IZArc.

Tips: You can easily extract the content of an archive by right-clicking on it and selecting "Extract Here" from the IZArc context menu.
 



Offline Daisy

Re: Vista Anti-Spyware hostile takeover
« Reply #14 on: May 17, 2011, 11:02:40 PM »
OK I got the JavaRa log after a lot of fiddling around.  It's on the desktop.

Can I delete the unzipped version of JavaRa?  Trying to avoid clutter.

As for Windows x86 offline, I never know whether to click "run" or "save" when downloading.