My Anti Spyware

How to remove MBS spyware

Symptoms: pop-ups coming up everytime when you start your computer.

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to it’s own folder on the desktop.

Download FileASSASSIN and save to your desktop (this tool is compatible with Win 2000/NT/XP only).

* Start fa-setup.exe for install
* Start FileASSASSIN.
* Select the following file(s) C:\WINDOWS\system32\rtnfs.exe, C:\WINDOWS\system32\mbssm32.exe to delete by dragging it onto the text area or select it using the (…) browse button.
* Select a removal method. Start with “Attempt FileASSASSIN’s method of file removal.”
* Click delete and the removal process will begin.
* If that did not work then, start the program again and this time check “Use delete on reboot function from windows.”.

Note: If you cannot find the file, you may have to Reconfigure Windows XP to show hidden files, folders.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):

O4 – HKLM\..\Run: [Windows_Protect] rtnfs.exe
O4 – HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe
O4 – HKLM\..\RunServices: [Windows_Protect] rtnfs.exe

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Reboot your PC.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Update: If you are still having problems with MBS spyware try Automatic removal MBS Account Manager

Fill your blacklist again, found new rogue antispyware apps

Spyware Warrior reported about new rogue antispyware apps

# Ad Armor
# Fixer AntiSpy
# Spy Analyst
# Spy Officer

VirusTotal added F-Secure Anti-Virus and eTrust-InoculateIT to their lineup of scanners

The team over at VirusTotal has added the F-Secure Anti-Virus and eTrust-InoculateIT to their lineup of scanners. VirusTotal is a free, independent service that analyzes suspicious files using multiple antivirus engines.

From there, you can easily check to see if F-Secure Anti-Virus have detection for something new that you’ve found. In the near future F Secure will also add DeepGuard.

Read more: how to use VirusTotal scanner.

Found vulnerability in the Firefox built-in popup blocker

This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information.

Vulnerable Systems: Firefox version 1.5.0.9

For security reasons, Firefox does not allow Internet-originating websites to access the file:// namespace. When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. The attacker may fool the browser to parse a chosen HTML document stored on the local filesystem, and because Firefox security manager treats all file:/// URLs as having “same origin”, such a document could read other local files at its discretion with the use of XMLHttpRequest, and relay that information to a remote server.

For protect your PC, upgrade Firefox to Firefox 2.0

Read more: Firefox Popup Blocker Allows Reading Arbitrary Local Files

Mirar Toolbar – Unwanted Tool ? YES

Sunbelt have finished review process.

They concludes that the Mirar Toolbar product does, in fact, satisfy Sunbelt’s objective criteria for a Potentially Unwanted Installation.

Currently Sunbelt classifies the Mirar toolbar as a “moderate risk” “adware toolbar.” Mirar toolbar is marked by a number of problems including:

• poor installation practices resulting in inadequate notice and disclosure
• the display of unrequested, undisclosed advertising on the users’ desktops
• undisclosed addition of NetNucleus sites to the Internet Explorer Trusted sites zone
• poor uninstallation practices, including the use of an uninstaller available only online

Read more here: Our response on the Mirar Toolbar

Found new rogue antispyware apps – SpyMarshal, AntiVermins (AntiVerminser)

Bleepingcomputer team found new rogue antispyware apps: SpyMarshal, AntiVermins (AntiVerminser).

AntiVermins (AntiVerminser)

AntiVermins, like all rogue antispyware apps, uses misleading advertising, false positives, and fake scan reports as a scare tactic for you to purchase the commercial version of their application.

Symptoms in a HijackThis Log:

O4 – HKLM\..\Run: [AntiVermins] C:\Program Files\AntiVermins\AntiVermins.exe /h
O4 – HKLM\..\Run: [AntiVerminser] C:\Program Files\AntiVerminser\AntiVerminser.exe /h
O4 – HKLM\..\Run: [AntiVermeans] C:\Program Files\AntiVermeans\AntiVermeans.exe /h

Current  AntiVermins (AntiVerminser) versions: cvnzie.dll, kuhmk.dll, ownyhr.dll, vwfps.dll, cthkpcv.dll, gwquvw.dll, axlet.dll, nbbrhbd.dll, oksrqqu.dll, vblhanf.dll

SpyMarshal

Also as all rogue antispyware apps uses misleading advertising, false positives, and fake scan reports as a scare tactic for you to purchase the commercial version of their application and also  hijacks  DNS settings.

If you can`t uninstall or remove, ask about help: Spyware Removal Forum