From: Bill Suen on
I have a similar problem:
I work a lot from my home PC for a university and has sophos loaded in it.
The regular daily scan on Monday revealed that I have a Troj/spyaks-B
infected in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
went in via command prompt and deleted the infected file but the home page
still set to a security centre page. Yesterday I followed the sophos
instruction and downloaded a SAV32CLI fix onto a CD-R and try to run it on
command prompt via F8 re-start. I am running Window XP 2002 home service
pack 2, and it will not let me get onto safe mode with command prompt at
restart, so I cannot run the fix on my PC.






"benjammin" wrote:

> I tried using your method - in command prompt, i typed sfc.exe, then tried
> scannow, but it said 'error code is 0x000006ba (The RPC server is
> unavailable) and same sort of thing with other scans - what does this mean?
>
> "Eric" wrote:
>
> > Try booting in safe mode/command prompt. The file shouldn't be open then.
> >
> > "benjammin" wrote:
> >
> > > I have a Trojan download in C:\windows\system32\browsela.dll, and can't
> > > delete it.
> > >
> > > Same applies to w32.looksky.A(a)mm in local settings somewhere.
> > >
> > > How can I get rid of these things if my antivirusdoesn't?
From: David H. Lipman on
From: "Bill Suen" <BillSuen(a)discussions.microsoft.com>

| I have a similar problem:
| I work a lot from my home PC for a university and has sophos loaded in it.
| The regular daily scan on Monday revealed that I have a Troj/spyaks-B
| infected in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
| went in via command prompt and deleted the infected file but the home page
| still set to a security centre page. Yesterday I followed the sophos
| instruction and downloaded a SAV32CLI fix onto a CD-R and try to run it on
| command prompt via F8 re-start. I am running Window XP 2002 home service
| pack 2, and it will not let me get onto safe mode with command prompt at
| restart, so I cannot run the fix on my PC.



Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: Bill Suen on
David,

Thanks for the advice. I use sophos, not McAfee. Do I need McAfee to
perfrom the fix?

Bill

"David H. Lipman" wrote:

> From: "Bill Suen" <BillSuen(a)discussions.microsoft.com>
>
> | I have a similar problem:
> | I work a lot from my home PC for a university and has sophos loaded in it.
> | The regular daily scan on Monday revealed that I have a Troj/spyaks-B
> | infected in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
> | went in via command prompt and deleted the infected file but the home page
> | still set to a security centre page. Yesterday I followed the sophos
> | instruction and downloaded a SAV32CLI fix onto a CD-R and try to run it on
> | command prompt via F8 re-start. I am running Window XP 2002 home service
> | pack 2, and it will not let me get onto safe mode with command prompt at
> | restart, so I cannot run the fix on my PC.
>
>
>
> Download SmitFraud.exe from the URL --
> http://www.ik-cs.com/programs/virtools/SmitFraud.exe
>
> Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
> Choose; Unzip
> Choose; Close
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to enable WGET.EXE to download the needed McAfee related files.
>
> Execute; c:\mcafee\clean.bat
> { or Double-click on 'Clean Link' in c:\mcafee }
>
> A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
> end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
> It is suggested that you move the report out of c:\mcafee before performing another scan.
>
>
> Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
> reply.
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
From: David H. Lipman on
From: "Bill Suen" <BillSuen(a)discussions.microsoft.com>

| David,
|
| Thanks for the advice. I use sophos, not McAfee. Do I need McAfee to
| perfrom the fix?
|
| Bill

No. It will download the McAfee command line scanner and it does not have to pre-exist on
the PC.

That DLL is associated with a few pieces of malware and tghis uility targets the DLL as well
as the malware associated with it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


From: Bill Suen on
Dave,

I ran the fix and it didn not work. I was watching the scan and there were
a lot of files the fix could not open. Now I cannot even got my explorer
working in my own sign on, so I am using a guest signon to get on here. Hope
you can give me further advice. Here is the log file:


McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4666 created Jan 03 2006
Scanning for 168508 viruses, trojans and variants.

Virus Scan Results




01/04/2006 18:01:54


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\Brendan\Local Settings\Temporary Internet
Files\Content.IE5\A9S3YT65\systemwarning[1].htm ... Found potentially
unwanted program Adware-SpySheriff.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 229892
Clean: ................. 229863
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:50.16

Some pages are now blocked and the message says: block by adware of your pc,
download spy trooper:

http://www.spytrooper.com/?advid=29

Is this geniune?

Many thanks.

Bill Suen

"David H. Lipman" wrote:

> From: "Bill Suen" <BillSuen(a)discussions.microsoft.com>
>
> | I have a similar problem:
> | I work a lot from my home PC for a university and has sophos loaded in it.
> | The regular daily scan on Monday revealed that I have a Troj/spyaks-B
> | infected in c:\windows\system32\wbeconm.dll and it cannot delete the file. I
> | went in via command prompt and deleted the infected file but the home page
> | still set to a security centre page. Yesterday I followed the sophos
> | instruction and downloaded a SAV32CLI fix onto a CD-R and try to run it on
> | command prompt via F8 re-start. I am running Window XP 2002 home service
> | pack 2, and it will not let me get onto safe mode with command prompt at
> | restart, so I cannot run the fix on my PC.
>
>
>
> Download SmitFraud.exe from the URL --
> http://www.ik-cs.com/programs/virtools/SmitFraud.exe
>
> Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
> Choose; Unzip
> Choose; Close
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
> FireWall to enable WGET.EXE to download the needed McAfee related files.
>
> Execute; c:\mcafee\clean.bat
> { or Double-click on 'Clean Link' in c:\mcafee }
>
> A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
> end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
> It is suggested that you move the report out of c:\mcafee before performing another scan.
>
>
> Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
> reply.
>
> * * * Please report back your results * * *
>
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>