Newbie/spyware problems



Ade05
07-09-2005, 10:55 PM
Hi. I need some technical help, and have not yet tried the Microsoft phone
helpline.

I have had my computer since 2002 but never used the internet until
recently, so am not up to date with security packs/patches. Do I need packs 1
and 2, or is just 2 enough? Recently I had a big problem with some "spyware"
which appeared to be from Microsoft, but which was not. This displays a
variety of pop up messages, e.g.

"Message from SYSTEM to ALERT on 28/05/2005 09:15:57

Microsoft Windows has encountered an Internal Error. Your Windows Registry
is corrupted. Microsoft recommends an immediate system scan. Visit
www.PCRegFix.com for repair kit."

I have turned on the inbuilt firewall which stopped the pop ups, but I think
the spyware is still on my computer. I worry that someone could be accessing
personal information. Is this a well known piece of spyware? Can I look it up
somewhere? And what package could I use to get rid of it?

Thanks for reading this. If this is a help to anyone, I also kept a note of
all the website addresses this spyware is using - there are a lot of them!


All the best,
Adrian

Mark Randall
07-09-2005, 10:55 PM
Go to Start > Run

Type 'net stop messenger' and they should go away. I'm guessing your PC is
called ALERT? It's the inbuilt net messenger system; MS just forgot to kill
it on the WAN interfaces - it's practically always for LAN usage for network
administrators.

Think about it... they say a non-MS URL, and no actual link to click - how
anyone, anywhere, could fall for this is uh.. well... there's always some.

If you don't get any more after the net stop messenger, go to Control Panel >
administrative options > services, look for one saying Messenger, and
disable it - you will never receive 'em again.

--
- Mark Randall
http://zetech.swehli.com
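
Added example, not part of the original posts: the stop-and-disable procedure described in the reply above, done from a Windows XP command prompt instead of the Services console. It assumes an administrator account and uses only the built-in `net` and `sc` commands.

```bat
@echo off
rem Added example (not from the original thread): stop the Windows XP
rem Messenger service and prevent it from starting again.
rem Assumption: run from a command prompt under an administrator account.

rem Show the current state. "4  RUNNING" means the service is active and
rem can still display "Message from ... to ..." pop-ups.
sc query messenger | find "STATE"

rem Stop the running service (the same command given in the reply).
rem An error here is harmless if the service was already stopped.
net stop messenger

rem Set the start type to Disabled so the service stays off after a
rem reboot. The space after "start=" is required by sc.
sc config messenger start= disabled
if errorlevel 1 (
    echo Could not change the start type. Check that you are an administrator.
    exit /b 1
)

rem Confirm the change: START_TYPE should now read "4   DISABLED".
sc qc messenger | find "START_TYPE"
```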


Malke
07-09-2005, 10:55 PM
Ade05 wrote:

> Hi. I need some technical help, and have not yet tried the Microsoft
> phone helpline.
>
> I have had my computer since 2002 but never used the internet until
> recently, so am not up to date with security packs/patches. Do I
> need packs 1 and 2, or is just 2 enough? Recently I had a big problem
> with some "spyware" which appeared to be from Microsoft, but which was
> not. This displays a variety of pop up messages, e.g.
>
> "Message from SYSTEM to ALERT on 28/05/2005 09:15:57
>
> Microsoft Windows has encountered an Internal Error. Your Windows
> Registry is corrupted. Microsoft recommends an immediate system scan.
> Visit www.PCRegFix.com for repair kit."
>
> I have turned on the inbuilt firewall which stopped the pop ups, but I
> think the spyware is still on my computer. I worry that someone could
> be accessing personal information. Is this a well known piece of
> spyware? Can I look it up somewhere? And what package could I use to
> get rid of it?

Since you had the Messenger service running, you apparently have Windows
XP and you have not upgraded to Service Pack 2. You were running
without a firewall, and you don't mention what antivirus program you
have. The probability that you have malware on your computer is
*extremely* high. Here are general removal steps - go through them
systematically. It is crucial that you do all work in Safe Mode with
updated tools. If the necessary procedures look too daunting, take the
machine to a professional computer repair shop (not your local
equivalent of BigStoreUSA) and have them clean up and secure your
machine.

First delete all Temporary and Temporary Internet Files. For IE's
Temporary Files, go to Control Panel>Internet Options>General tab.
You'll see where you can delete cookies and files. For Firefox, clear
its cache by going to Tools>Options>Privacy>Cache> Clear. For Windows
Temporary files, Start>Run cleanmgr [enter]. Then follow these detailed
malware removal steps, doing everything with updated tools in Safe
Mode. You can find all the links to referenced programs and sites on
my website here:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See the links on my
website for a HijackThis tutorial and places where you can post your
HJT log. Again, this is an expert tool and novices should get help
with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Ade05
07-09-2005, 10:55 PM
Hi Malke, thanks very much for your detailed explanation. It does seem a bit
much for me to do on my own. I am not sure where I can take my computer in
Cardiff, or which company is reliable. I could copy out your instructions and
tell them to follow them. Also I am a graduate from Cardiff university, so
the university computer centre might help. Any ideas would be appreciated.
Thanks again, Adrian



Ade05
07-09-2005, 10:55 PM
Hi. Just writing to say thank you, as my other reply didn't come up on the
main menu! Adrian

Malke
07-09-2005, 10:55 PM
Ade05 wrote:

> Hi. Just writing to say thank you, as my other reply didn't come up on
> the main menu! Adrian

Your post came up fine. The reason you are having difficulties posting
is because you are using the web interface, which is awful. You should
learn to use a newsreader. I'll give you information as to how to do
that (very easy), but first let me address where to take your computer.
There must be some computer professionals in Cardiff. It isn't that
small a city, after all. Starting with your university's IT people
sounds like a good idea. And here is the information about newsgroups:

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you
learn to use a newsreader. There are many good newsreaders for Windows,
but you can use Outlook Express since you already have it. Here are
some links to information about newsgroups:

http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
explanation of newsgroups
http://michaelstevenstech.com/outlookexpressnewreader.htm
http://rickrogers.org/setupoe.htm
http://support.microsoft.com/default.aspx?scid=/support/news/howto/default.asp
- Set Up Newsreader

http://www.dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is
working properly
http://www.mailmsg.com/SPAM_munging.htm - how to munge email address
http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs.
crossposting

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Ade05
07-09-2005, 10:55 PM
Hi Malke, thanks very much. I'll let you know how I get on. Adrian



