Spywareno (Problem Solved)

Hello,

I am having a spyware detected by Ad-Aware SE Personal as Spywareno and when I remove it using Ad-Aware upon the next scan it will detect it again. System reboot or not. I have tried Ewido, Spybot, Ad-Aware, and Microsoft Antispyware. They all do not detect except for Ad-Aware and Ad-Aware cannot seem to fix it. Does anyone have any tips for me to try and maybe remove this program?

Thanks,

Justin1278

Hi Justin,

The Lavasoft web site says this about Spywareno:

“Once the SpywareNo! and SpySheriff applications are installed, they can be uninstalled using the add/remove programs feature in Windows and the uninstallers work correctly. Further installations of the applications (as reported) are not initiated by these applications, but through the original application dropper (Win32.TrojanDownloader.Small.awa) that first installed them if it is not removed properly.”

The full text is here:

http://www.lavasoftresearch.com/spywareno1.shtml

Have you tried disabling system restore prior to scanning with Ewido to remove the possible trojan, then removing Spywareno with Ad-Aware?

If Ewido doesn’t get the trojan I think A-Squared has a detection for it.

Hello,

The program is not in my add or remove programs list. Will disable system restore now and try to see if it works.

“If Ewido doesn’t get the trojan I think A-Squared has a detection for it.”

Use extreme caution when using A-Squared. There are some serious problems with false positives in the latest update. See the following thread for more information: http://forum.avast.com/index.php?topic=19240.0

Hello,

I did a system restore and removed multiple infections Ewido found and yet Ad-Aware still detects this piece of malware and my computer seems to have no symptoms. I am beginning to think that this detection is a false positive.

~Justin1278

Hi Justin:

Spywareno is REAL; it's listed as a rogue/suspect program on spywarewarrior.com. There are detailed instructions in my next post.

INSTRUCTIONS:

A. Download and/or update the following programs. Install them but do NOT run them yet.

Please download smitRem.exe ©noahdfear. Save it to your desktop, then double-click the file and click Start to extract the files to their own folder.

Alternate download site for smitRem© fix:
www.downloads.subratam.org/smitRem.exe

Place a shortcut to Panda ActiveScan on your desktop.
(www.pandasoftware.com/products/activescan.htm)

Check Ad-Aware for definition file updates. Don’t run it yet!

You will need to update Ewido to the latest definition files.

B. Please reboot your computer in SafeMode by doing the following:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, begin tapping F8.

Instead of Windows loading as normal, a menu should appear

Select the first option, to run Windows in Safe Mode.

C. Run smitRem

Open the smitRem folder

Double-click the RunThis.bat file to start the tool

Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

D. Launch Ad-Aware SE and do a full scan. Remove all it finds.

E. Shutdown/Restart in SafeMode as instructed above. Run Ewido:

Open Ewido and click on scanner

Click on Complete System Scan and the scan will begin.

While the scan is in progress you will be prompted to clean files, click OK

When it asks if you want to clean the first file, put a check in the lower left corner of the box that says “Perform action on all infections” then choose clean and click OK.

Once the scan has completed, close Ewido security suite.

F. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck “Security Info” or anything similar if present.

G. Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

H. Launch Ad-Aware SE and run a full system scan.

Thanks for the added information, Spiritsongs.

Just a couple quick questions for Justin:

Did you restore, or did you disable system restore?

Was Win32.TrojanDownloader.Small.awa one of those removed?

If Ewido was able to remove Win32.TrojanDownloader.Small.awa and then AdAware removed SpywareNo, is it still coming back now?

Hello,

I did a system restore. No, Win32.TrojanDownloader.Small.awa was not found with Ewido.

Hi Justin,

Based on the information at the Lavasoft web site my original thought was that Win32.TrojanDownloader.Small.awa was hiding in one of your system restore points and downloading fresh copies of Spywareno whenever you deleted it. That’s why I suggested disabling system restore in order to delete the restore points and, theoretically, the trojan with them.

After additional research, however, I believe Spiritsongs’ advice is more on track and suggest you try that approach to the problem.

Hello,

Ok, I did as instructed by Spiritsongs and I still have the same results from Ad-Aware. Oh, and Panda did not detect Spywareno.

Justin1278

I’ve had the same issue since downloading the last Ad-Aware update yesterday. A register key is being detected. Ad-Aware doesn’t detect it when the program is run in safe mode, but does detect it after every restart. Nothing with Spybot.

I suspect it has to do with Ad-Aware’s update. Personally, since I’m “happy” to see someone else has the problem, I think I’ll wait to see what happens after the next Ad-Aware update.

There are several posts on other forums regarding AdAware false positives or, as OrangeCrate said, orphaned registry entries from a cleaned infection causing continued AdAware alerts. Often these are posts from people who’ve done multiple scans with various programs and get nothing other than the AdAware alert.

One post that particularly caught my eye:

“This F/P is to do with ActiveDesktop. Many of spywareno / SpySheriff’s downloaders (and other rogues) mess around with the desktop settings… especially the background (“Your computer is infected with blah blah blah”) so this key has been flagged, although it should be flagging for those only infected with SpySheriff / spywareno. This should only affect users who have ActiveDesktop enabled. We will adjust our definitions accordingly… thanks guys!”

Full text is here: http://www.dslreports.com/forum/remark,15434829?hilite=spywareno

The consensus seems to be that if your pc is not showing signs of infection (not sluggish, no Spywareno popups, etc) then you are probably ok.

Here’s another interesting thread regarding this issue:

http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=155938&messageID=1732340

I shut down system restore, but it still came back. No slowdown here.

False positive? Probably. Maybe Ad-Aware will catch it with the next update. I’m not going to worry about it for now.

Regards to all…

The antispyware forum from which I posted the “Instructions” has the following follow-up:

"I’ve learned that this could be a false positive. If you have “active desktop” activated on your PC, then it is most likely a f/p.

Before following the instructions above, please do the following:

Go to Start > Control Panel > Folder Options > General > Active Desktop > click “Use Windows classic desktop” > Apply > Ok.

If “Use Windows classic desktop” is already checked, go through the steps above. If you had “Enable web content on my desktop” checked, it is a “false/positive”. Just add those objects to your “ignore list”.

Add objects to ignore list

  1. Run a scan with Ad-Aware
  2. Select the objects you want to add to the ignore list in the Scan Summary, Critical Objects, or Negligible Objects lists on the Scanning Results screen.
  3. Right click and select “Add selected to ignore list”
  4. A pop-up window showing the number of objects that will be added to the ignore list opens. Click “OK” to continue.
    The object is now added to the Ignore List."

Since the likelihood of someone having “Active Desktop” activated on their desktop seems remote, it appears GENERALLY that the cleaning “instructions” should be followed.

Hello,

Spiritsongs I do not have active desktop. But I use the windows style tool that comes with Tune-Up utilities 2006, could this be the problem? Also I went out and purchased McAfee Antispyware 2006.

Hello,

Here is a screenshot of what McAfee found.

Hello,

Problem Fixed! I was right in the beginning; it was indeed a false positive. I also found the program that was making the false positive. In the Styler utility in Tuneup Utilities 2006 you can change the way Microsoft Windows XP looks. I used it and changed the way Windows looks. When I went back to the original look of XP the Spywareno was gone. When I changed the way Windows looked again using the Winstyler, Spywareno was back. So this is a false positive that Ad-Aware needs to fix.

Thanks everyone who was helping me with my little problem.

~Justin1278

Hi Justin and the others…
I’m new to the forum; actually I saw this topic while I was looking for a solution to my problem on Google; then I registered at the forum.

I have exactly the same problem as Justin described. But I don’t have “Tune-up Utilities” or something like that, and I don’t agree with the F/P idea or that the problem is about Adaware. Because when I check this Registry Key via “regedit”, I can see that the key is there. After I remove it with Adaware or manually delete the key in Regedit, it refreshes itself and appears again in Regedit.

This problem doesn’t appear in Safe Mode, so that means this registry key refreshes itself using one of the Windows exe files which we don’t see in Task Manager during Safe Mode. Which are probably:

wuauclt.exe
wdfmgr.exe
alg.exe
spoolsv.exe
svchost.exe (one of them)

I’m longing to hear all your opinions and advice. Thanks!!

Hello,

Please follow Spiritsongs’ advice on the previous page.

Good Luck,

~Justin1278