Standard response material re Spyware, Adware, BHOs, and other Malware

Hi, Cd& ... feel free to edit/delete this comment, but wanted to point you here which is one of 2 I posted, the other is in Expert Input area.  Sunray also had a good thought about free viruscanners, but for some reason I thought we already had that.  
https://www.experts-exchange.com/Applications/Viruses/Q_20988241.html

These are cut/paste input from the Q in Virus TA I mentioned yesterday.

Comment from Lobo
Date: 05/14/2004 12:07AM PDT
ID: 11065874
 Comment  


Hi Asta,

Excellent work!  I hope the thread can be updated regularly as new tools and methods appear.

The best thing we can do is educate users into proper use and maintenance of antivirus software, firewalls, and Windows Update. The basic stuff. It's incredible the amount of people who surf the Net daily with outdated antivirus or no antivirus at all; or who has never ran Windows Update.

Re: the Microsoft Reward Program; what MS should do is reward people who identify a security threat. A common beef in the undergroound security community is that when a security hole is found and reported these reports are generally ignored. Some progressive companies hire hackers to test the security of their networks and systems, yet the largest part of the knowledge that community has is not exploited... and it should. The knowledge is already there.

Good Vibes!

Lobo
 
Comment from acmp
Date: 05/14/2004 03:39AM PDT
ID: 11066862
 Comment  


Hear Hear!

If more people had up to date AV/firewall and used Windows Update then viruses would not be a big a problem as they are.

When the kornakova virus was around I received 12 copies in a 30 minute period and thought it was a lot. I now get around 300-400 a day. Around 12000 in the last 4 weeks.

The best prevention tool is education.

acmp<><

Great news, Cd&, thanks.  

There have been quite a number of new assaults with various iterations such as Roings and various different URLs, but primary redirects something like this:
 http://www.errorplace.com/red.php?c=&aff=&q=doubleclick  or many others, some are registry keys, etc.  Definite Spyware and some had no problems removing using updated AdAware and Spybot S&D, others said their Email was also infected/problematic and found they could only solve these two issues using
Spyware Remover 8.2 from bulletproof.com.
http://spyware.syncprod.com/dir2/bulletproof_spyware_remover.html

I noticed some end-users stating that they Spybot S&D wasn't updating with new information and saw that as well; few updates and had version 1.2 installed for some time.  I then found another version 1.3 and it has TONS more entries and went from 512 known problems and exploits in the Immunize function to over 1700; so was a good upgrade.  Here's that updated link.  For some reason the standard "check for updates" on the older version 1.2 just wasn't doing it.

Get SpybotS&D 1.3 Final here...  http://www.majorgeeks.com/download2471.html

Also, for Experts to get updates here, as links and info changes; hopefully they 'subscribe' rather than adding comments if nothing new to add or changes to alert us to.

Thanks,
Asta

Thank you so very much from all of you who answered my very simple question.......using your help it now seems that I've been able to solve my (most probably) self inflicted problem.
Thank you again.
LeeTree

Asta suggested it and I believe it can be useful:

Two cleanup utilities against a persistent  kijacker, trojan, nasty, whatever you want to call it: look2me.com.

These were quite difficult to locate as the usual downloads were obsolete.

I hope no one needs them but, just in case:

VX2.BetterInternet Finder (List & Log)
http://download.broadbandmedic.com/cgi-bin/download.cgi?action=redirect&id=1

KillBox:
http://download.broadbandmedic.com/cgi-bin/download.cgi?action=redirect&id=0

Zee

Thanks, Zee, you're terrific; AND right on because I had one heck of a time trying to find a solution which you did find here.  Thanks for posting.  COBOLdinosaur, please feel free to remove/edit any of my comments not pertinent to this topic and thanks again for all your help in coordinating this.

Is there a way to make this Q TIMELESS (with Jan or Brian's help) to keep it at the top of the Queue?

Thanks Cd&.... you're GREAT!  But then I tell you that all the time.  Nothing new here.

I've sent Austin a number of links; one of which is my open Q in Math & Science (no response) .... looking for a new TA on "homeland security" regardless of where on this planet we live, any hope?  Sorry for off topic query, again... feel free to delete.  

Hi Cd,

Great work. I noticed online antivirus scanners missing from the list. Here's a few ones worth mentioning (and using!):

Symantec:
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro:
http://housecall.antivirus.com/housecall/start_corp.asp

Panda ActiveScan:
http://www.pandasoftware.com/activescan/

PC PitStop:
http://www.pcpitstop.com/antivirus/default.asp

Good Vibes!

Lobo

also

www.pestpatrol.com

It scans but doesn't clean.  It gives you the name and registry entries where you can manually remove the spyware.

Just wondering if you want this fixed:

http:Q_20975384.html#10973796

++  Spychecker:
http://www.spychecker.com/download/download_coolwebshredder.html

----------------------------------------------------------

Also http:Q_20975384.html#10973789 might be edited:

http://sysinfo.org/ to http://www.sysinfo.org/startuplist.php

As the BHO list is allready listed above it.

----------------------------------------------------------

http:Q_20975384.html#10973787

++ merijn.org is being blasted by a massive DDoS, that's why it now resolves to localhost.
You can still reach it by adding "209.133.47.200 www.merijn.org" to your hosts file.
Mirror is still available at:
http://www.spywareinfo.com/~merijn/

That was true when I first posted that message in the Lounge, but at this moment it's more off-line than online when you use the IP, so I think it would be better to just use the mirror only.

Also from the same part:

++ Hijack This Tutorial: http://www.TomCoyote.org

Doesn't exist anymore :(
Try http://www.spywareinfo.com/~merijn/htlogtutorial.html

Feel free to delete or edit this comment after the changes have been made as it only takes a lot of room on the site...

(I thought it would be better to post it here then to e-mail one of you, as it's more visuable)

Thanks for all your efford Cd& and asta

LucF

I have gotten a bit of the nasty. Whenever I try and run the detection tools such as pqremove (Panda) and Stinger (McAfee) I receive the error -- "filename" is not a valid win32 application

So what do I do next. I have been reading the threads for quite awhile and have been unable to find an answer to fixing this problem.

Cheers!

Sorry, thanks for the instruction.

Spyblaster is suppose to protect your browser from hijacking.  They have a new version.

http://www.javacoolsoftware.com/spywareblaster.html

This is a very good/informative link at HP about Worms/Trojans/Viruses and how to protect yourself.
http://h10025.www1.hp.com/ewfrf/wc/famiDocument?product=12455&lc=en&cc=us&dlc=en&docname=bph07130

Ran into something the other day with spyware.  Had a client, Windows XP.  Had two profiles on box.

I disabled System Restore.  Disabled startup items. Loaded the spyware cleaners, updated them.

Rebooted into safe mode - choose Administrator as profile.

Cleaned PC of spyware.  Rebooted and logged in as one of the users.  Scanned again - was clean.  So, I thought the box was clean.

Then, I logged off as this user and logged on the other profile.  Did a scan - and guess what?  This profile was infected with Spyware!  I had to clean off the spyware from this profile as well.

The conclusion I'm drawing here is that the spyware cleaners are only staying within the profile you are logged on instead of the whole box......  

If you have multiple profiles, you have to run the cleaners on each one???  Does this seem logical?  

If you clean spyware off a box with multiple profiles, see if you get the same result.

CrazyOne's AnswerBase has 6000+ EE solutions including 100's of security and virus related answers.  It's available thru the drop down menu at his recovery support webpage.  You can use 'Find in Page' with keywords to search the topic areas.

http://cityofangels.com/experts/crazyone/ 

tituba2,

Just for your information (and it could be included in this question for information) all those tools need to be ran by a local administrator or a domain administrator, so all files will be scanned (make sure the administrator has rights to all files, otherwise you'll have to give the rights before scanning.

LucF

Doesn't apply.  I had used the Admin profile when I scanned and it didn't clean spyware off the entire box.

Besides, all users on this home machine have administrator rights.

Only a small comment, but I thought we were not to comment here. With most of the scanners, they have the directory, of the admin, and users, I have noticed that with some, you have to scroll threw the Dir's, and hit each one. It's rather amazing that the spyware can drill into so many files, but it does. They change the file names, and some of the code, but if you can read code, then it becomes apparent that they are there. One thing that I have found is that to use X, and Ada, then to clean up with a good registry cleaner, then finally cleanse with a antivirus (my wife will kill me, as a nurse practitioner, she doesn't like the overuse of antibiotics.)(just a joke). You can put most into a sleep, if not get them off the system. Some of the most recent I have seen, use more then one file to do what they do. That makes it harder for the online freebies to cleanse. Nothing beats a clean boot, reinstallation. But with all the files we have, that makes it a rather messy job. CDR all the exe.installs that you want to keep. Back up all the PST files, and make sure you have kept some of the most recent on the web servers. If you have domains, then use some of the extra disk space for you own for file saveing. Just protect it, with a good generated password. When in trouble, when I had a box that was partly operational, I would upload all the pertainent system files, clean reinstall, then pick and chose the downloads that we needed to make the system whole again. Then dump my online files, don't forget to make a disk of all the updates for XP, and then some of the other pluses that are out there. Don't forget to check out GRC.com. Some of the most quick updates for new installs, and some other twicking tools if your into it. Not to mention an online port scanner that can show your customer what you have done, before and after. Ok,, sorry to have pitched here, but not selling for anyone. Just read the updates. Later all,,, summer is here, watch the waves,,, and think.
Drew.

I would like to suggest Bazooka Spyware Scanner be considered for the malware utility list.  Bazooka detects what Spybot or Lavasoft doesn't completely remove or doesn't detect.  Case-in-point -- I knew a pc was communicating to zuvio.com from the adware OpenSite from the entries in the proxy log.  Ran Spybot - it detected nothing.  Ran Bazooka, it not only identified OpenSite but also remnants of two other adwares that Spybot failed to completely remove.  Bazooka doesprovides manual removal instructions to malware detected.  I have yet to find one free utility that 100% removes malware; I don't think it is possible.

Some may encounter IE disable script debugger problems not fixed with the normal solutions.

I just thought it might help others that encountered the same problem I had with IE script debugger.  Please use any way you see fit, just wanted to get the info out there.

I am running on Win XP and had a problem with IE's script debugger not turning off.  I unchecked the display errors and checked disable but IE ignored it.  Ran Spybot s/d and Hijack and couldn't find the problem then tried bazooka it seems the problem was a trojan horse (MSOPT.dll).  

http://www.kephyr.com/spywarescanner/library/msopt/index.phtml?source=alerts

once I manually removed it everything was back to normal. So if someone is asking a question and none of the normal Tools/Advanced Options solutions are working for them you might suggest they look for that trojan.

Quick update FIY:

New version of HijackThis released (1.98.0):

http://aumha.org/downloads/hijackthis.zip
http://aumha.org/downloads/hijackthis.exe

Full details: http://forum.aumha.org/viewtopic.php?t=6228

Zee

I have some links that I put into an email template that I send out to the customers that I install some or most of these programs on their boxes.  My template also has Download links, but you've taken care of those.  Please feel free to integrate these with your original document.  All of these programs (unless noted) are freeware or donation ware for personal use.

Hoping this is useful,
Marc Erickson


Spybot - Search & Destroy v1.3
About (tells you a bit about what it does):
http://www.safer-networking.org/index.php?page=spybotsd
Tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=43&

SpywareGuard v2.2
About:
http://www.javacoolsoftware.com/spywareguard.html
Tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=50

SpywareBlaster v3.1
About:
http://www.javacoolsoftware.com/spywareblaster.html
Tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=49

AntiVirus:

avast! 4
About:
http://www.avast.com/i_idt_153.html
Download:
http://www.avast.com/i_idt_1016.html
Tutorial:
A general antivirus/firewall tutorial - the section about Internet Explorer can be done with SpywareBlaster by "Enabling All Protection" in SpywareBlaster's settings - see the SpywareBlaster tutorial:
http://netsecurity.about.com/cs/compsecurity101/a/aa072303.htm
Computer Knowledge Virus Tutorial:
Starts with a general view and gets progressively more detailed.  Look at the tutorial map on the left to go to a specific page.
http://cknow.com/vtutor/index.htm

TDS-3 (Trojan Defence Suite)
About:
http://tds.diamondcs.com.au/
Download:
http://tds.diamondcs.com.au/index.php?page=download
Tutorial:
First try the Help included with the program.  Online Help:
http://radified.com/Articles/trojan.htm
Support via Online Forum:
http://tds.diamondcs.com.au/index.php?page=forum

Software Firewalls - these are better than the commercial products:
ZoneAlarm is what I recommend to non-technical folks.  The tutorial and help file are among the best I've ever seen.  Sygate Personal Firewall is the one to use if you're knowledgeable about networking and/or need to create special rules and exceptions (most people don't).  I have no experience with Tiny Personal Firewall (I will be trying it on a computer soon), but it has a small impact on the computer's resources and supports multiprocessor computers and the other two don't (if you don't know if you have a multiprocessor computer or not - you probably don't).  At one time Tiny Personal Firewall was free for personal use - I don't know if that is still so.

ZoneAlarm v5.0.590.015
About:
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=nav_za
Download:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
Tutorial:
See the tutorial under Start/Programs or All Programs/ZoneAlarm
User Manual:
http://download.zonelabs.com/bin/media/pdf/zaclient50_user_manual.pdf
>>Plugin:
VisualZone v5.7
This is a nifty add on for ZoneAlarm and ZoneAlarm Pro that allows you to visually trace an attack back to the general geographic area it came from - among other things.  You can use the information you get from the plugin to possibly help track them down - useful for the authorities, but you don't need it to use ZoneAlarm.  Norton Personal Firewall and Norton Internet Security do the same thing - but they're not as good of a firewall as ZoneAlarm is  *and* cost money!
About:
http://visualize.phenominet.com/visualzone/visualzone.htm
Download:
http://visualize.phenominet.com/visualzone/visualzone_download.htm
Frequently Asked Questions:
http://visualize.phenominet.com/visualzone/visualzone_faq.htm

Sygate Personal Firewall v5.5
About:
http://smb.sygate.com/buy/download_buy.htm
Download:
http://www.simtel.net/product.download.mirrors.php?id=53687
Tutorials:
http://smb.sygate.com/support/documents/spf/default.htm
http://www.pcplus.co.uk/tutorials/default.asp?pagetypeid=2&articleid=11202&subsectionid=376&subsubsectionid=73
User Manual:
http://smb.sygate.com/support/userguides/spf/spf55_userguide.pdf
Support via Online Forums:
http://forums.sygate.com/vb/forumdisplay.php?s=&forumid=8

Tiny Personal Firewall v5.5.1332
About:
http://www.tinysoftware.com/home/tiny2?s=4089603232020560690A0&offer=standard&pg=tpf5_home
Download:
http://www.tinysoftware.com/home/tiny2?s=4089603232020560701A2&offer=standard&pg=tpf5_download
Tutorial:
See the Help file included in the program.
User Manual:
http://www.tinysoftware.com/home/tiny2/tpf5_manual
Support via Online Forum:
http://www.tinysoftware.com/forum/

Antispam solutions
For all of these solutions, you need to save some spam to train the program.  They learn and eventually tag as spam what you consider to be spam - nobody else.  This is based on Bayesian statistical analysis of the incoming mail (named after Reverend Thomas Bayes) which is currently the leading edge principle used in spam filters.  The original idea for a Bayesian spam filter was in this paper:
http://www.paulgraham.com/spam.html
The heavy statistical math explanation of Bayes' Theorem is here:
http://en.wikipedia.org/wiki/Bayes'_theorem 

For Outlook:
SpamBayes for Outlook v0.81
About the project:
http://spambayes.sourceforge.net/
Download:
http://prdownloads.sourceforge.net/spambayes/spambayes-1.0rc1.exe?download
Documentation:
http://spambayes.sourceforge.net/docs.html
Frequently Asked Questions
http://spambayes.sourceforge.net/faq.html

For Outlook Express:
For Outlook Express, you have to (or the program has to, when it's installed) create a mail rule in OE to move your spam from your Inbox to another folder.

K9  v1.28
About and download:
http://www.keir.net/k9.html
Usually the program configures the mail rule, but occasionally it doesn't.
Documentation:
http://www.keir.net/k9_begin.html

Thanks for trying your best but i found that the problem was my Download Manager - Internet Download manager. I had Adavanced browser intergration and somehow i turned it off and went to the websiteand all was ok !

I wonder if i am entitled a refund og the points alloted !

Thanks once again !

Pceasy !

News article July 5, 2004:

http://www.cbsnews.com/stories/2004/07/05/scitech/pcanswer/main627500.shtml

"Last week, there were two separate reported of flaws in Microsoft Internet Explorer that could jeopardize your security. .."

".. the U.S. government's Computer Emergency Readiness Team, or "CERT" (www.cert.org) published a warning that included, among other suggestions, the advice to “use a different browser" -- suggesting that PC users look to sources other than Microsoft for a web browser."

(thanks to brunobear for posting here: http:Q_21043408.html#11477197)

Looks like the hackers have disabled merijn.org (cwshredder tool).

Merijn.org has been down for a few months now, spywareinfo.com/~merijn is probably getting blasted at the moment, sometimes it can be reached though... it's very slow at the moment if the pages even open. I just hope those problems will get solved soon. Other download links are still working: http:#10973796

LucF

Mozilla.org has posted a patch as a result of security issues reported here:

http://story.news.yahoo.com/news?tmpl=story&cid=75&ncid=738&e=6&u=/nf/20040709/tc_nf/25807

To obtain the Mozilla/Firefox security patch:

http://mozilla.org/security/shell.html  (scroll down for patch)

..and follow the instructions. I am impressed by Mozillla's fast response to this security issue. If you download a new version of Mozillla or Firefox it will include this patch.

I.m not sure if this is the proper space to make the following comment (question). I gather that 'free' members cannot ask a question in Community Support which appears to be the link to the moderators or whoever that respond to problems with closing questions.  HELP!  Jobox11.

You can just ask your question at http:/Community_Support/ it's not limited for paying users. The moderators should be helping you as soon as they can.

LucF

Anyone run into this variant of CoolSearch:

http://www.pchell.com/support/onlythebest.shtml

Was not able to get rid of this thing.  CWShredder etc. don't clean it.  Registry edits listed on pchell didn't work either.

Since 27/06 Adaware is able of handling it, just set it to scan everything instead of just the standard run and let it unload processes while scanning, but I agree, it is a horrible hijack.

This variant of CoolSearch also deleted shell.dll and grabbed ahold of Windows installer.  See

http://www.lavasoftsupport.com/index.php?showtopic=34050

I recently found a utility that I haven't seen mentioned here. It is called StartUpMonitor and it was created by Mike Lin, a student at MIT. In his words, "StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents those utterly useless tray applications from registering themselves behind your back, and it acts as a security tool against trojans like BackOrifice or Netbus."

I run spywareblaster as well, yet the other day I got a popup from StartUpMonitor that spywareblaster didn't detect, and I was able to stop the install of some little nasty thingy that I'm sure I didn't want.

So...I'm not an expert but I've cleaned up a number of machines using all the standard tools mentioned here.

Mike Lin's tool may be one you would consider adding to the list. It can be found at http://www.mlin.net/
I'd be interested in your comments. They've rescued me in the past.

What,s wron with Win Patrol which does a very good job of notifying of new startup apps.  Jobox 11

Re: comment from LucF on asking questions in Community Support.  http:/community support/ does not appear to be a valid address. Pls correct or comment.  Tks.   Jobox11

jobox11,

Just click the link I gave above, it works just fine for me (don't use a space between Community and Support, but a "_"
The full url is https://www.experts-exchange.com/Community_Support/ or you can reach it by clicking "Support" at the top of every page.

LucF

The 'StartUpMonitor" that I mentioned above advises you BEFORE any new apps install (register) themselves. You have to say okay before they can complete their install.

Don't get me wrong. WinPatrol is an excellent too. I just thought this new thing was pretty cool.

just sharing...

douglasfur

Some of the spyware cleaners are actually vehicles to deposit more spyware.

Here is a good site that lists suspects:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

FYI - Lavasoft just came out with a new version of Ad-Aware called Ad-Aware se.

This piece of spyware, SearchForIt - is ugly.

First of all, I'm not sure how it gets on the box.  Had a brand new PC, right out of the box.  Got it on the internet, updated Norton, put on Microsoft patches.

Scanned with Spybot and found SearchForIt already on box.

But here is the really issue - SearchForIt also drops a Trojan Keylogger virus.

So, if you ever find SearchForIt spyware, also look in
C:\Windows for setup1.exe

Setup1.exe is a keylogger trojan.

Hi tituba,

It sounds like one of those rogue crawlers that ping random IPs looking for machines to infect.

Good Vibes!

Lobo

Someone explain to me how spyware is getting by the firewall.  I get how spyware gets on a box if you click on popups or have no protection.

But how is spyware getting on a new box, firewall in place and updated?

Is it because IE is so vulnerable for those 15 min or so before you get all the patches on?

And, more importantly, why aren't Trojans (keyloggers and such) found by Symantec/McAfee?  I discovered the Trojan by scanning with Pest Patrol.  Symantec showed a clean box.  

>> Is it because IE is so vulnerable for those 15 min or so before you get all the patches on?

Yup!!!

One of the many reasons I don't use IE. Give FireFox a test ride.

Good Vibes!

Lobo

I had even loaded Spyblaster, updated it and enabled all protection.  So this piece of Spyware slipped by.

I have been using Firefox, however, have to use IE to put on patches.

Very disheartening having spyware slip through in the short time IE was used - especially one that also drops Trojans.

Hi Tituba,

What I normally do in a new installation is to install Norton Internet Security and Go Back before running Windows Update.  That way, if any MS patch crashes the machine I'm working on, I can use Go Back to restore it.

Good Vibes!

Lobo

Since this is a valuable thread for Stopping Spyware, I would like to add a couple of batch files that my help keep your hosts file clean.  Copy and paste them to Notepad, then save with a .bat extension.  The first one 'locks' your host file as Read Only, and the second one Unlocks it for editing...

Lock your Hosts file

========Start Copy=========

@echo off
cls
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
      echo.
      echo  ++++++++++++++++++++++++++++++++++
      echo  +                                                                +
      echo  + HOSTS FILE IS NOW UNLOCKED!                +
      echo  +                                                                +
      echo. ++++++++++++++++++++++++++++++++++
      echo.

pause
exit

==========End Copy=========

For Unlocking the Hosts file:

==========Start Copy========

@echo off
cls
attrib +r +h +s %SystemRoot%\system32\drivers\etc\HOSTS
      echo.
      echo  +++++++++++++++++++++++++++++++++++
      echo  +                                                                  +
      echo  + HOSTS FILE IS NOW READ ONLY!                 +
      echo  +                                                                  +        
      echo  +++++++++++++++++++++++++++++++++++
      echo.

pause
exit

Although CoolWebSearch has been covered rather extensively in many tools noted here, one user wants deeper information in terms of registry keys to modify and so on and this is the Q still open today in which the steps are again defined (if needed).
https://www.experts-exchange.com/Web/Browser_Issues/Q_21116362.html#12013638

A quick word of caution, even if I do agree with your comments regarding the HJT log posts:

The "auto" analysis in http://www.hijackthis.de/index.php?langselect=english is not that good and can, in certain cases, be dangerous.

Worse than not flagging some nasties, it flags legitimate entries as nasty!!

And if users "fix" them with HJT can end up with serious problems.

I suspect this problem is specific to WinME scans, but...

Zee


P.S.:
Asta: Thanks for the reminder!

The entry being incorrectly flagged in WinME scans:

C:\Windows\Rundll32.exe

Because it should be run from C:\Windows\System32 !!!
~8-|

Zee

Hi! All!

Don't think I saw this above.
Someone has provided a mirror site for Merijn's
Located at:
http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com

>ZEE
Issues with automatic analysis are showing up.
The notable one being that 2 or 3 of the latest variants of CWS
cannot be dealt with by using HijackThis, by itself.

Regards...
RF

Hi Ross!

>>The notable one being that 2 or 3 of the latest variants of CWS
cannot be dealt with by using HijackThis, by itself.

Some "experts" are insisting in recommending HijackThis as a cure for everything and encourage askers to post several HT logs making the Questions unusable as PAQs. In the Viruses TA we're already seeing Askers including entire HT logs as part of the Question itself.

http:Q_21119781.html

Good Vibes

Lobo

COBOLdinosaur and other Page Editors have tried to encourage Experts to post the Analysis link instead and only post the results they're unclear about for further guidance, which helps in terms of cluttering the PAQ, IMHO.  Frequently, from what I've seen, the experts who encourage the posting of these logs in their entirety end up going to the Analysis site and doing what the end-user (Asker) can do directly in terms of make some initial assessments and changes, as needed.
http://www.hijackthis.de/index.php?langselect=english

Personally, haven't had any downside results from the information which is returned for my own 'issues', but also have read others who took cleanup actions and sat with huge problems.  The good news/bad news scenario, very real.

Hi Cd,

http:Q_21129167.html

for the current discussion at Experts Input. I'm sure there's one or two suggestions that can be of value to the discussion you guys are having.

Good Vibes!

Lobo

COBOLdinosaur

This link is an excellent procedure on how to kill off Cool Web Search - that most unpleasant of scumware:
http://www.silentrunners.org/sr_cwsremoval.html

The link was orginally published via NTBUGTRAQ (www.ntbugtraq.com) and I have included the whole text of the post below. (I hope I have satisfied IPR here!)

Cheers

JamesDS

Start Post-----------------------------
Hello,

CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I have collaborated to develop a simple procedure to remove it from an NT4-W2K-WXP box.

CWS is widely discussed on the web, but it's poorly understood and procedures to remove it are often lengthy, cumbersome and ineffective.
Users are sometimes forced to reformat the hard disk to remove it. CWS comes in a variety of flavors. This post will only consider the most insidious, which involves two components: a shield-DLL and a BHO (Browser Helper Object).

Shield-DLL
----------

The shield-DLL installs itself to the following registry value in NT4-type systems:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls

Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based application running within the current logon session." IOW, any ad-ware found here runs concurrently with _every_ program launched. It is truly astonishing that such a registry location exists.

Here's what the CWS shield-DLL manages to do:

1. It prevents almost all registry editors from displaying it as an
   AppInit_Dlls value. This list includes, but is not limited to:
   Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
   HijackThis, and, my favorite (because I wrote it), the "Silent
   Runners.vbs" script. The _only_ program known to display it, for
   unknown reasons, is the freeware Registrar Lite 2.0, available
   here: http://www.resplendence.com/reglite/

2. It prevents all GUI and command line tools from listing it or
   deleting it. This list includes, but is not limited to: Windows
   Explorer, DIR, ATTRIB, CACLS, and DEL.

3. The .DLL file has eccentric security permissions (SYNCHRONIZE
   and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
   from memory, an Admin must reset security to delete the file.

4. It has a unique name on every system it infects.

5. It ensures that a BHO starts up with IE at every boot.

6. If the BHO is deleted, it restores the BHO under a new name at
   the next boot.

This combination of features makes it a formidable adversary.

BHO
---

This is a .DLL that installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

The BHO is responsible for the ad-ware symptoms: change of home page, profusion of popups, and anything else that foments the users' wrath.
The BHO registry key and the file are not protected; both can be deleted. The BHO will simply be reloaded under a new name at the next boot.

To eliminate CWS, we have developed a relatively simple procedure (compared to everything else that's out there) that involves using Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script to remove it from AppInit_Dlls, the "Silent Runners" script to identify the BHO, and, after reboot, a second VBS script to delete the shield-DLL and BHO files. The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html

MS please take note:

AppInit_Dlls is a gaping security hole. Unfettered access to this value should be removed ASAP from NT4/W2K/WXP.

regards, Andrew Aronoff & Rossano Ferraris

                                *****
 Want to know every program (well, almost every program -- CWS being
             the exception) that starts up with Windows?
                    Download "Silent Runners.vbs":
                    http://www.silentrunners.org/
                                *****

End Post-----------------------------

This, IMHO, is excellent... deals with important steps and prerequisites prior to dealing with Spyware removal processes and some OS specifics.
DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal
http://forums.majorgeeks.com/showthread.php?t=35407

Very good astaec..  I especially like the idea of removing the VM Java from MS..  and installing Sun's version.  

THanks, agree.  Especially since it's MS Java is no longer supported and phasing out so more and more of us will need to find alternatives and migrate.  I've been very pleased with the Sun Java VM and keep it updated.
http://www.java.com/en/download/

NEW TOOL:

MWAV - Created by Microworld Technologies (www.mwti.net)

it will detect over 100,000 malwares! recently it stopped removing it though. It only detects the probelm.

http://www.mwti.net/antivirus/free_utilities.asp

For full protection that does remove the threat try eScan.

I may have missed it mentioned in EE, but there is a new version of CoolWebShredder, version 2.0:

http://www.intermute.com/spysubtract/cwshredder_download.html

Also installable via CWS update feature.

Zee

COBOL..  thanks for the heads up..  First thing I did was drill into my webserver to ck it out.  We need to stay on top of this, so if anyone finds any details, please post..!!

FE

That's frightening; this may help.
Report a Security Vulnerability
The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we'd like to work with you to investigate it.
https://s.microsoft.com/technet/security/bulletin/alertus.aspx

Excellent and useful:

Rogue/Suspect Anti-Spyware Products & Web Sites
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

Zee

Run Pest Patrol software and removed spyware and Trojans.  Ran Ad-aware, spybot and cwshredder.  Removed items in msconfig.  Reboot PC and it now makes a sound effect when you open IE.  (no sounds are enabled).

I rescanned (with several scanners) and no viruses, spyware etc. on box.

This has happened three times now.  I'm assuming that one of the spyware/Trojans is still talking to IE.  Some registry tag left over?  Anyone else run into this?  Weird sound effect when you open IE after removing spyware/Trojans?

tituba2, you should post this problem as a seperate question.

P.S. Try running a scan with MWAV

After I posted this, I put it up as a question.  Couldn't figure out how to delete my entry.  Once I get the answer, I'll post it here as this appears to be something that is happening when you remove spyware.

http://www.eweek.com/article2/0,1759,1731474,00.asp
Study: Tools Let Spyware Slip Through Cracks
By Ryan Naraine
November 23, 2004       

Damn...

Zee

Banner ad iframe exploit: experts suggest using browser other than IE:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1027844,00.html?track=NL-34&ad=498096

"Security experts are urging Internet Explorer users to switch to another browser or disable Active Scripting to guard against a new exploit for the IFRAME vulnerability that hides in Web site ad banners."

"A Microsoft spokeswoman has acknowledged the vulnerability in interviews with SearchSecurity.com and other media sites. But the software giant has yet to issue a statement on its Web site with potential workarounds or word on when a patch will be made available. The company's next patch release is scheduled for Dec. 14."


http://www.technewsworld.com/story/news/38393.html

"..Microsoft has known about the iFrame vulnerability since it was published earlier this month, but has not yet released a patch..."

"My hope is that people will embrace the idea that there are other browsers that are safer and better than IE. I'm not a Microsoft basher. IE has great possibilities, but it's just not safe at this time.. ..It's security doesn't appear to be enough of a priority for Microsoft. I wholly recommend using another browser for general Internet browsing and saving IE to use only for the things it's required for." (Matt Jonkman, senior security  consultant with Infotex, an information security firm).



http://www.internetnews.com/dev-news/article.php/3439701

"John Pescatore, security analyst and vice president and research fellow at research firm Gartner said unless users are running Windows XP Service Pack 2 (SP2), which is immune to the IFRAME vulnerability, they should consider running an alternate browser to IE."

To Home Users: Do you want free security programs that really works?
http://msmvps.com/donna/archive/2004/12/06/22450.aspx

Zee

WOW, I'm really impressed with the new Microsoft AntiSpyware Beta1 tool.  Just installed it and ran it (deep scanning all drives) and despite the fact that I did a full updated Viruscan last night, along with Spybot S&D (Immunized) and AdAware SE Pro then a HijackThis run and log check was "clean" ..... BUT then ran this beta software from Microsoft this morning and found 8 threats (high risk), 7 files and 11 registry keys.  Very very impressive.  I love it.  Links here:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.microsoft.com/athome/security/spyware/software/faq.mspx
Download link follows:
http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

Asta

I like it because it is controlable also (has lots of options) and so far has done a great job, with no ill affects on the machine I have been running it on
A buddy of mine set it up, and then wanted to really test it, so he went to a lot of crack/serialz sites, and not one ill affect (blocked all the nasties), ran a scan after and didn't find anything, so the proactive part seems to work as well

It seems like a good tool. Kudos to the guys at Giant Software who created it. Let's hope MS doesn't screw it up.

http://giantcompany.com/

Amen!  They did recommend uninstalling any prior Giant related software to circumvent problems.  LucF is also testing it on various systems and hope he pops by here as well.  At the cost of sounding redundant, had what I thought to be a totally clean test system last night and unplugged/offline with HW router, blah blah blah, and found significant issues using the MS AntiSpyware tool so quite pleased (so far).  Though, I did over-ride the recommendations of the results some were quaranteen recommendations, which I know I didn't want/need to changed to delete.  Overall top notch!  Hope it keeps growing, stays current and stays FREE.  LOL  Asta

If MS sticks to its usual business practice, the Tool will remain free and it may even be built right into the next release of Windows. When the lawsuits come it'll be too late since AdAware and other good tools will be dead by then.

Don't worry Asta, I'll update as soon as I find something :o)
I have it running on 11 systems now, of which 8 in our business network (especially at systems of users I know try to circumvent all security measures) and will see how it performs in the next few weeks.

Take good care,

LucF

YIKES!  All gone, deleted, and back.  The recurring culprit is eXact.Downloader Trojan Downloader.... running another series of scans (SysRestrOff) .... WT... heck?

Cool, thanks, LucF.  ":0) Asta

astaec  - scan from www.pandasoftware.com.  Panda usually catches and deletes these spyware trojans.

As for Microsoft's spyware cleaner, I had mixed results.  Had a customer with the variant of CW Coolsearch from hell (see http://www.pchell.com/support/onlythebest.shtml)

anyways, CWShredder (the new one) didn't fix.  Microsoft's scanner didn't even identify it as a problem.

So, I don't think that the Microsoft tool will replace our current scanners.  Just supplement them.

Asta,

Nope, thank you! :) I still remember http:Q_20924179.html and appreciate it.

All downloader.trojan versions are a hell to remove :(
Mainly running tools from safe mode will fix them, but sometimes...
Check your running services and you'll find the culprit (if any)

LucF

Here's someone who manually claims to have found the fix, and interacting with Giant to get it added....
http://www.iamnotageek.com/history/topic.php/78896-1.html
Will see after this rescan and multiple reboots.  Never went to anything related to Bargain Buddies, have XP SP2, Router with HW firewall and all the known protections..... the only thing I can imagine is that I clicked some bugger link in doing EE research 'coz I'd never willingly go anywhere that bopped my and mine like this, let alone a bargain buddy.  

Cd&, feel free to edit delete my tirade, LOL.

":0) Asta

More to read, will check things out and thanks so much, all.  

Just spoke to a County Administrator who said that they've tested tons of Spyware tools and choose Aluria Spyware (never heard of it) and that it caught 3X more than any other tools they've tested over the past many months.  Also checking it out.  

LucF  ... yeppers, that link was a thing I'll always also remember.  You were a main contributor to getting this boat to float....   teamwork works!

":0) Asta

tituba2 -> Thanks, will reboot a few times and test that link as well.  Interesting to see if the problem recurred and Panda catches it.

>>teamwork works!<<
No kiddin' *big grin* :o)
It's what EE is all about, everyone knows something about something. Together we know a lot, and with all added value every day we all learn from it.

Thanks,

Luc

Well said, Luc.

BEFUDDLED.... ran everything again in Safe Mode, continuously removed eXact.Downloader Trojan Downloader on the test machine, consistenly found again and again... More to be done.  WHAA

I think there is no one tool that gets them all, the complete toolbox contains a bunch of the removers :-)
I try and take a positve slant, this will always put some $ in my pocket, as my clients will always get some, and i'll have to clean it LOL

True, spyware has been paying my rent for the last several months.  However, it does get to be a drag spending so much time watching scanners.

IMO - By far, the hardest to get rid of is the Cool Search variants.

There comes a point in cleaning off spyware when you've invested so much time that it becomes a toss up of spending more time or formatting the thing and being done with it.  More and more, formatting seems to be a good alternative as it fixes all the issues, gives the client back a faster machine and they do a happy dance.  Plus, you don't have to deal with little orphan problems that didn't get cleaned by any of the scanners.

Well, here I am.... did it all, still persists....  go figure!
https://www.experts-exchange.com/Security/Win_Security/Q_21275441.html
Asta

Amen!!

astaec - you should post your problem in the Virus section.  This thread really is suppose to be used to list spyware programs and solutions.  Questions need to go in the Virus area.

I placed it in WindowsSecurity, but if no help, will repost there, tituba2 (thanks) ....

As regards reformatting and starting anew YEP, the way to go.... but not for this system; it carries ancient apps that just manage to work and are on a test system for many reasons and manage to work in the XP SP2 environment.... wouldn't dream of reformatting and blowing 20+ years of 'magic'.... so to speak, though it's all kind of a pain where you sit.  LOL  If/when the various projects are complete, that's exactly what I'd do.  But for now, gotta fight the buggers and "maintain" what I can to keep things moving.  I should have just been smarter and not used this system and access levels to do EE work and research, where I'm quite sure I got all of this "helping others" and "clicking links'.... Doh on me.

Hey astaec, I had a machine a while back that was giving me heck and I pulled the drive and placed it in as a secondary in another machine and ran the various programs.  Found a bunch of stuff that way also, just an idea if you have not already thought to do it.

The reason some spyware keeps coming back is due to some insidious dll's that are placed on your system, and this could be the case with this one, Astaec...  I ran across the about:blank problem a few weeks ago (client's system), and had to really dig to get rid of it.  Not sure this is your problem, but it could be the same type of problem...  Here is the page I used to kill it, just for reference on what may be happening in this case:

http://www.pchell.com/support/aboutblank.shtml

Lots of good links on the page also..

FE

Hats off to your hard work here and all who have contributed...   This is a growing plague for us all, and a central link with resources is the way to go!  It cuts redundancy, helps expedite solutions, gives us a central repository link to which to point and with your hard work, COBOLdinosaur, to continue to trim it and keep it updates helps everyone.

This can ensure 2005 processes, since it's (as I said) a growing plague where we can continue to contribute and share solutions.

Thank you also for your input, FE, Stardostar and all else who keep this updated with news.

RE. the ongoing fiasco of the bundle.exe, the BargainsBuddy, ZESOFT and related Iseng*, cashback, eXact.Downloader Trojan Downloader, BullseyeNetwork Adware and other invasions, more to be done on this, but do have a current link on this noted above to track.

Asta

Thanks, and ditto to both Cobol, Astaec, and everyone else who had joined in!

Quotiong Asta above:

>>WOW, I'm really impressed with the new Microsoft AntiSpyware Beta1 tool.  Just installed it and ran it (deep scanning all drives) and despite the fact that I did a full updated Viruscan last night, along with Spybot S&D (Immunized) and AdAware SE Pro then a HijackThis run and log check was "clean" ..... BUT then ran this beta software from Microsoft this morning and found 8 threats (high risk), 7 files and 11 registry keys.  Very very impressive.  I love it.<<

I have not been so impressed with it, and I'm starting to feel I'm right not to be.

This is worth as much as you want it to be, but considering who posted it...

On the use that MS AntiSpyware:

Quote:

Don't unless you're ready to format your hard drive and re-install everything.  It's a beta, which means it has problems.  It also delivers false positives and if you remove everything it "identifies" your machine may not work anymore.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only.  Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx

Unquote.

This is found in the MS newsgroups.

Zee

Unofficial bugs list and FAQ's on MSAS Beta:

http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

Zee

Thanks for adding these alerts, Zee.  I've had no problems as identified here whatsoever, but appreciate the "heads up" and link; I don't only use this, I also use the Spybot S&D Tool (with Immunize function) as well as the AdAware SE Pro (newest paid version) and the combo has worked well to purge the majority of intrusions found.  If/when DSO Exploits or some other known issues remain, rebooting in SAFE MODE and rerunning works well to purge.  Anything that the MS Beta product IDs I judge in terms of validity and always send the reports to Spynet.  "Beta" is always risky and I'm rarely one to run beta code, but have had good results on this one.  

Again, your alerts here are appreciated and will include this link as a reference point if/when I provide my opinion in Qs in the future and appreciate your input here.

Asta

Also noted that some problems reported had IE 5 installed and/or other OSs, and are not supported; it helps to check the Systems Requirements (as always)...
Microsoft Windows AntiSpyware (Beta): System requirements

Minimum system requirements for Windows AntiSpyware (Beta):
• Microsoft Internet Explorer 6.0 or higher
• A 300 MHz or faster processor with at least 64 MB of RAM
• Microsoft Windows 2000, Windows XP, or Windows Server™ 2003
• At least 10 MB of available free space on your hard disk
• Internet access with at least a 28.8 Kbps connection to use SpyNet™

Other problem noted, where users may 'remove' vs. 'quarantine' results, this:

 Windows AntiSpyware (Beta) displays detailed information about every spyware program detected, including a description of the threat, where it is located on your computer, a risk rating, and a recommended action to take. This information enables you to make informed decisions regarding removal. Detected spyware can be either temporarily disabled using Spyware Quarantine or permanently removed from your computer. If you inadvertently remove any programs, you can easily get them back.

More here....  http://www.microsoft.com/athome/security/spyware/software/faq.mspx

Also curious if you've see this....
Malicious Software Removal Tool
Published: January 11, 2005 | Updated: January 12, 2005
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers
 
Virus and Worm Families Cleaned
This tool scans for and cleans malicious software associated with the following security threats:

• Berbew
• Blaster
• DoomJuice
• Gaobot
• Mydoom
• Nachi
• Sasser
• Zindos
 
http://www.microsoft.com/security/malwareremove/default.mspx

Asta,

The Removal tool looks good, but for the moment I will go for Stinger first, with the advantage of running with older Windows.

The alerts on the MSAS Beta bugs had the intention of reminding people it IS a Beta and it's starting to show.
;-)

And, of course, thanks for the other tips and comments.

Zee

It just found autotbar.exe trying to load on my machine!!!

Anyone know about this one?

Thanks, Zee.  Wanted to note that when running MS AntiSpyware tool, check File and updates, new definition files were just added.

I could be mistaken, Stardotstar, but think it has to do with HP systems and internet keyboarding.  But would recommend that you open a question to handle this, since this is a central repository link to share information on Spyware/Malware/Malicious BHO links and tools vs. actually working specific questions.

Asta

Thanks will do and report back.

SDS

And to follow up on astaec comment about a central repository...   Had an interesting time today with another About:Blank page hijack...  None of the standard utilities helped me at all..  Hacking the registry would not work, nor would HijackThis help at all...  Almost thought I would have to reimage the PC, but as a last resort dnloaded Adware Away in its trial version...  60 seconds later the hijack was solved and fixed..  They will try to sell it to you, but the trial version worked like a charm....!!!  The only link for download is here (with a list of spyware it will remove):

http://www.adwareaway.com/list.htm

I cannot say how highly recommended this utility comes (ME)...  Download it while you can, as I am sure they will lock it down sooner or later..

FE

That looks really good, FE, thanks.  Downloaded/installed and testing on some systems here.  ":0) Asta

Welcome, of course!

Support at HP said it had to do with imaging?  Funny I have had this running for a week and it has never caught it before.  I reactivated it and it did not catch it again.

FYI,

SDS

FYI,

Been working on a machine for 2 days now.  Love a good challenge!  Owner for the last year has been running an XP machine no Antivirus or Spy protection, so you can imagine.

My point is: after running many of the programs in the post along with 3 on line virus scanners, I installed the MS Beta Anti-Spy.  It found more things that the others did not pick up.

The fight continues!!!!!

Remember it still is a Beta.

Unofficial bugs list and FAQ's on MSAS Beta:

http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

Zee

Well like my experience on other machines with multiple user accounts, I have found that running MS Beta has produced same and more spy stuff under each different user.

Go Figure!  or maybe false positives?

Just a note for computer techs who remove spyware all day like me:

MWAV - A cool spyware / virus scanner from Micro World Technologies (the makers of eScan)
http://www.mwti.net/antivirus/free_utilities.asp

It only detects though

MWAV cleaner - A program i wrote that deletes all the files that MWAV detects.
http://www.paulscomputerservice.net/index.php?body=downloads.php

just copy the list of detected viruses and then paste into MWAV cleaner. it deletes files and kill processes when needed.

Other sypware links:
http://www.paulscomputerservice.net/index.php?body=./software/malwareinstructions.php
http://www.paulscomputerservice.net/index.php?body=spyware/Techniques.php

Well after 3 days of working on this machine. I believe I have it as clean as it is going to be short of a format.  It was not until yesterday when trend micro sent out their notice of update.  I rand their online scanner and right away, something it missed before, it caught agobot on startup.

From that point on I ran everything else under the sun and even NAV online would run for the first time.

I fully realize I put way to much time in this machine, but like others here, love an occassional chanllenge!

A question I would like to put forward regarding an issue I have been debating elsewhere and that I got so flamed by a few MS MVP's I can still smell the smoke:

   Turn off System Restore before malware/spyware/virus cleansing.

- Yes or no?

I was flamed defending the yes.

Your opinion on this?

Thank you.




Cd&,

If you feel this is OT in here, please feel free to delete or move elsewhere.

Zee

I always turn off to delete all old points before I statr everything in safemode.  Then upon completion, turn it back on.

>The_Computer_Guru_777

RE. mwav cleaner -
Very good!

Thanks!

>Stardotstar
Congrats!
"I fully realize I put way to much time in this machine, but like others here, love an occassional chanllenge!"
The law of diminishing returns!  :)
However, in a time when many users don't back up adequately:
sometimes a reformat/reinstall is not really an option!
Oh well!!

Regards...

RF

Yes, CG777...  If you don't mind, I will be linking to your site from mine!

Thanks..!!

FE

Anyone seen a "search the Web" bar that hides behind the menu bar, lower right hand side of screen?

Adaware and Spybot havce not removed it.

Never seen that one..  assume you cked the Add/Remove list..  Can you pull up a context menu on it and identify the bar?

Don't forget to check IE's "trusted sites" as spyware puts itself on the trusted list.

Also, check the host file and make sure it hasn't been tampered with.  Then change attribute to "read only."

I also use Spyblaster, update it and run it.  It puts known spyware sites into "restricted sites" in IE.

As for System Restore, if a machine is in sad shape, then I disable before cleaning.  However, if a client tells me it was working just great last week, then I try the restore point first to save myself hours of grief cleaning a pest.

Had "interesting" spyware the other day that I couldn't identify or remove.  I kept creating internet shortcut icons on the desktop.  Fun is.

Regarding "search the web" - yup lots of times.  I carry the full version of Pest Patrol with me.  Install it, clean the box and then remove the product.  Pest Patrol finds and kills this spyware.  Lately have been finding "viewpoint" on alot of boxes.  You use to be able to go to pestpatrol.com and do an online scan.  It wouldn't clean but would show you the reg tags you had to pull.  Pest Patrol has been sold and have had problems getting it to scan now.

Context menu?  it may be ffisearch.exe which is loading in the startup.  Going to delete it and see what happens.

Interesting: ffis, won't let me delete its setting in the registry.  Will trya safe mode.

And whenn I try to turn it off in msconfig, it reboots to normal.

Had to remove and edit it in safe mode,

FYI

I believe that "search the web" is related to lop.com intrusions....

Always turn off system restore first and never regretted it, though regretted the wasted time when I didn't.  Baffled why you'd be flamed about this or what realistic downside others have stated as facts in their experience when first turning off system restore (which deleted restore points) .... but then do backup critical files first.

":0) Asta

One hint on the "search the web" issue here...  http://www.spywareinfo.com/~merijn/cwschronicles.html
another here... on google query:
http://www.google.com/search?hl=en&lr=&q=lop+%22search+the+web%22&btnG=Search

>>Baffled why you'd be flamed about this<<

Small sample of what I got from one of the MS MVP's posting:

Common on practice is not BEST practice.  This is a perfect example of
very bad advice and something not countenanced by anyone who has given the
subject any thought whatsoever.

I'm sorry but it is totally asinine to disable system restore until the
system is back up and running OK and to advise otherwise is simply bad if
not also stupid however well intentioned.

Unquote.

I was so damn suprised that I just needed double checking with more experienced EE experts.

Thanks and looking forward to other opinions for or against turning off SR.

Zee

GADS, Zee, I'm blown away and not in a good way by this response!!!!    Malware and many other intrusions can mess restore points anyway and numerous conditions can make the restore a headache, brief samplings in this FAQ but many others come to mind....
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

Spyware solutions: Technology and leadership
Microsoft's strategy for addressing spyware and other potentially unwanted software - Updated: January 6, 2005
http://www.microsoft.com/athome/security/spyware/strategy.mspx

If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.
Much more here..... but the issue on "best practices" that the MVP addressed makes some assumptions, the least of which is that "most" would know if their restore points are infested.... it boggles the mind to think that you'd be flamed in this manner by anyone, but then ..... anyway, enough ranting on my end.  The source for more here:
How antivirus software and System Restore work together  (Which does not address the full gamut of other intrusions like malicious BHOs, malware, spyware) ....
http://support.microsoft.com/default.aspx?scid=kb;en-us;831829

Sorry to see, Zee, that you've had to endure such stuff.

Best wishes all, logging off for a spell.

Asta

Cd&,

It was not in EE, it was in a NG.

Topic: reoccurring viruses. My suggestion: turn off SR before cleansing.

The discussion turned so sour I doubted myself... Maybe I was wrong, maybe other people, like EE experts and others were also wrong...

Most people suggest turning off SR before cleansing. I understand why and also advise that.

The intention of my post was, exactly, understanding what the right approacxh should be...

SR before cleansing: Off? ... On?

Zee

Anyone seen Hijackthis ID Symantec file as agobot infected?  Have scanned with everything imaginable and can't find it or remove it?

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE

Hi!

Some comments concerning System Restore from the Langalist:
http://langa.com/newsletters/2005/2005-01-27.htm
http://langa.com/newsletters/2001/2001-12-03.htm#1

For some reason: it's hard to clean a user's computer when something
has been designed to place a copy of itself in System Restore -
you do this, you do that - nothing works!?!

IMHO: usually - OFF!

Regards...  :)

RF

OFF

I turn it off.  My customers want this stuff removed in the shortest possible time (= less $) and anything that is programmed to hide in files backed up by System Restore will merely return after a reboot if it's not turned off.

Question: how long do you find yourself troubleshooting a machine that has spyware problems?

Well, that's the question now isn't it?  When does troubleshooting spyware become such a long process that it makes more sense to backup their files and format the box?  Last year, I was putting in the good fight and spending, on average, two to three hours.  

Now, I usually put in a good hour with all the standard tools.  Then I give the customer the option.  Tell them on average, two to three hours to clean up the mess, put on the patches etc.  Or, just about the same amount of $ I can backup their stuff and format the thing and be done with it.  I explain the pros and cons of both options.  Of course, if they have "borrowed" software and no CDs, then formatting isn't an option because I don't provide any illegal software/os.

The strongest argument for formatting is that you get rid of any of those unexpected orphan trojans and damage that have been left behind.

The other day, I had a box that had several viruses (including Netsky and Sdbot) as well as a piece of spyware I've never run into that actually kept creating desktop icons every five minutes or so.  

My personal nemesis is
http://www.pchell.com/support/onlythebest.shtml

When I run into this one, formatting is my main advice.  I have not been able to get rid of this Cool Search variant no matter what.

I usually bill for about 3 minimum hours, but put in easily 5-6, or more.

Well have this machine down to this entry found by Spybot: UNKNWON  RAS Profile 2 entries, HK_Users\default\remoteaccess\dialup01.

Just need to figure out what these are.

Question: how long do you find yourself troubleshooting a machine that has spyware problems?

Answer- Not long.  Furthurmore, spyware can cause such weirdness on a machine, that if the complaint is 'I can't do <whatever>', I look for spyware first and remove it.  That cures a lot of problems that I would otherwise spend hours on - fix the crappy software first and it makes your job SO much simpler.

The first thing I do is run msconfig - if I see anything unknown to me I look at that file's properties.  It won't show any details if it's spyware so at that point I can show the customer 'see, all these legitimate files have all of this info in the Properties and these don't.'  I assume that if I see a couple of spyware progs there will be more I can't see so I install the big four and a firewall, update, disable System Restore, boot into Safe Mode, and start scans.  Remove everything possible with the tools I installed and boot up normally to see if anything comes back - of course if I see evidence of CoolWebSearch I run CWShredder before booting normally.  If anything comes back, I use Startup List (merijin) to see what's running and where it's starting from.  Back into Safe Mode - delete anything required and regedits as required.  Total time: 2 - 2.5 hours (usually - unless it's my stepfather.  :-(  He seems to pick up some really persistent stuff...).

If I see too much in msconfig and some appear to be viral I urge a format and reinstall on my customers - including data backup and restore it takes around four hours unless they have a lot of data and it's scattered all over the place.  That's just to get Windows on and updated, a firewall and an AV program on the box.  (I don't consider my job done until it has the firewall and AV - I will not allow a box out of my care without doing the Windows Updates and the other two - if the customer whines about the cost, I do it for free.  Hopefully they will remember that and recommend me - if not, I have the inner satisfaction of knowing I did the job RIGHT!)

What I do is install the AV and Firewall FIRST, then plug the machine to the Net, Update AV and Firewall services, and only then run Windows update.

Speaking of CWShredder.  The last couple of times I downloaded the latest Shredder and ran it (even in safe mode), it got to the cleaning of CWSGoogle and threw a error and stopped.  I had disabled System Restore and items in msconfig.  Ran Hijack and removed items in Registry.   I had to remove Cool Search variants using Pest Patrol, Spy Sweeper, Ad-aware and Spybot.  Even scanned with Housecall to get the random Trojans.  Then ran Shredder again and all was fine.  So either the Shredder tool isn't as good as it use to be, or there is some variant out there that is really messing with it.

If you are having problems with Home Search, I finally found  a program called Home Search remover.  Once I removed it and also ran a registry program to permanently delete winnings (something or other) .com from continually loading in IE trusted zone, I began to make some serious headway on this machine that I have been working on for 3 days.

Once these two were stopped, I was then able to run Trend Micro online and it found over 100 virus problems in the C:\windows\system32 folder.  Something that Panda, NAV and even Trend Micro would not find.

Now when I get home today, I'll turn the machine back on and check it again.  The only remaing problem that remaoned was and I think the removal of the 100 plus virus files will resolve, was NAV would load, but be disabled.

Keeping my fingers crossed.

Similar to this central repository link that COBOLdinosaur so kindly hosted for us all, created another on SPAM below, since it's a gigantic pain for us all, and thought perhaps it could be of value to help us help ourselves in these regards as well as others...
https://www.experts-exchange.com/Security/Bugs_Alerts/Q_21307879.html

Great idea Asta!

Zee

Thanks, Zee .... aligned to the issue of Email Spam, is of course, Phishing (identity theft), email spoofing and more.  I've posted pointers in Virus, Windows Security and the link above in the hopes we can compile a comprehensive repository to use to minimize the churn for us all in dealing with these incredible intense and ever-growing problems.

Your support is very much appreciated; hopefully the link will be streamlines, since I have no Page Editor access or the like to trim the overhead if irrelevant or indirect responses result, but will look for help in that regard is the responses merit it.

":0) Asta

Thanks, Netminder and Cd& .... I did send an Email to the PE of the link yesterday for the Bugs & Alert TA, but appreciate the reminder.  COBOLdinosaur sure did start something really great here, and I see many of our Experts pointing here in many TAs.  Central Repository links are excellent tools for us all to minimize churn, recreation of wheels and to keep the threads streamlined with the help of the PEs.  Thanks again... ":0) Asta

Ran into one yesterday
msdioo.exe
as soon as you delete/rename
it creates a new instance of it
instantly
any one know anything about it (only found 4 references to it in google)

I recall reading that this may be a trojan related to msmc.exe and possibly Spyware.ClientMan .... was doing research at Norton, and found this link which "may" help.  Google may produce more.
http://securityresponse.symantec.com/avcenter/venc/data/spyware.clientman.html

Thanks Asta
I don't have the machine any more, but I did remove all  reg entries, ended task on any suspicious processes, booted to safe mode, and still exibited the same behavior

Hi, Steven, sending you an Email.  I assume you found this key?  Appears the intrusions are more significant than first glance.  Also including a link that looks fairly comprehensive.
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe
http://www.techsupportmail.com/showthread.php?p=172225#post172225

Asta, yep, got your email, and yes, turned off system reatore, and found that reg key
I'm not going to worry to much about it (don't have the box any more) but wanted to post so others would be aware, may be a new varient :-)

>>>Speaking of CWShredder.  The last couple of times I downloaded the latest Shredder and ran it (even in safe mode), it got to the cleaning of CWSGoogle and threw a error and stopped.

I had the same problem. The newer cwshredder's havn't seemed as good since it changed owner ship.

Regarding System Restore:
I think that SR should be enable during any virus or spyware cleaning. If after a thourough cleaning something is messed up in windws you can alawys use a backup of the registry. If everything is fine, then disable and re-enable SR to clean out any malware that may be in the SR area.

IF a malware is creating itself instantly right after deleting or renaming, it is almost gauranteed that it is in the memory. Kill all non - system processes. Or do a malware scan from a PE enviroment.

Microsoft has a malware tool they update a couple times a month

http://www.microsoft.com/security/malwareremove/default.mspx

Ghostware - Rootkits

CoolSearch spyware has turned into Ghostware.  No wonder you can't delete the stupid thing with our regular tools!

http://research.microsoft.com/sm/strider/spyware/

see
http://www.computerworld.com/printthis/2005/0,4814,99843,00.html

Also see
http://www.thetechguide.com/forum/index.php?showtopic=10984

Any used this regedit tool?

Hi Tituba.  Registrar is a great tool. I've used both the Lite version (free) and the Pro version (unfree). Gives you a lot more info than your regular Regedit. Gets a lot of thumbs up from me.

Thanks Lobo.

Sysinternals now has a free utility to find root kits

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

It use to be you could scan at www.pandasoftware.com and it would detect and then disinfect spyware/trojans.  Ran the scanner last night and they now have a popup saying they will detect only.  

PCWORLD is recommending CounterSpy as a cleaner.  Anyone have any experience with this product?

http://www.sunbeltsoftware.com/product.cfm?id=410

NOTE:  Ad-aware removes Wsaupdater.exe  as a spyware program and then you can't log back into XP.

See
http://support.microsoft.com/default.aspx?scid=kb;en-us;892893

I haven't tried CounterSpy - but it's getting lots of good press as the most effective spyware cleaner for a single tool.


Marc

Ok, the hackers have figured out a way to put back the cookies we are deleting with spyware cleaners etc.  They are using the Flash player.  Macromedia has issued instructions on how to fix this.

http://story.news.yahoo.com/news?tmpl=story&cid=509&e=7&u=/ap/cookie_buster

Macromedia's fix
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=52697ee8

Thanks for the information - tituba2
Ncie work!
RF

Try this website for HJT logs auto-analysis:

http://www.help2go.com/modules.php?name=HJTDetective

Not perfect, but I feel that using this one in conjunction with:

http://www.hijackthis.de/

Will produce a quite nice result that will solve a large percentage of common problems.

Feedback appreciated.

Thanks!

Zee

Intemute (CWShredder tool) has just be acquired by Trend Micro.  

Ran Ad-aware in safe mode and during the "quarantine these items" process, got the dialog box saying I was running in Safe Mode and did I want to do a System Restore.

Is this an Ad-aware bug or is this some evil spyware not wanting to be quarantined?  I didn't answer the dialog and let Ad-aware run in the background.

Is it my imagination, or has this problem slowed?  I am not getting near the calls for spyware issues!

It's your imagination.  Spyware removal is all I've been doing for months.  

Hmmm...I guess, and I am not promoting it, that the Microsoft Beta Spyware must be doing a good job then because I am not getting any repaet call backs on machines that I usually see about every 3 months or so.

Thanks

I don't think the problem has 'slowed', but that more users are becoming aware of this issue, and the tools to subvert them..  I still do my share, but as I do, I educate them (the users) on the proper use of computers, sites NOT to visit, email to DELETE, etc., etc..  this has certainly slowed my callbacks for these issues..  

Thanks!

:)

I use a particular website to report spam.  Is it just me, but it seems that once I started, my spam went up!  Coincidence or what?

I wrote a quick guide, linked below, another expert suggested I post a link to it in here.

https://www.experts-exchange.com/Operating_Systems/Q_21519021.html

Spyware BetterInternet - (you'll find the file nail.exe) is a bitch.  However, I found something that worked:

First you create a text file and name it nail.exe in
the root directory.  Make it read-only.  Then do a
search of your hard drive for nail.exe.  It will find
it in c:\winnt and in some hidden folder (the infected on is 52kb).  Copy
your 1kb nail.exe from the root to these
subdirectories and overwrite the 52kb infected
nail.exe (I found four of them).  Note - you need to
drag and drop it to the winnt subdirectory (copy/paste
doesn't work).  

This will frustrate the trojan.  You'll see it try to
recreate - but won't because it can't overwrite.

Then, go to this site and scan and it will kill many
of the processes.

http://www.ewido.net/en/onlinescan/

I found scanning from Trend or Panda doesn't clean it.
 This site, does a good job.  Then, go to the registry
and search on nail.exe and delete the keys.

Then she be gone.

By the way, Symantec has a tool to remove
BetterInternet/Nail.  It didn't work when I tried.

http://securityresponse.symantec.com/avcenter/venc/data/adware.betterinternet.html

You will, however, want this tool from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html

Great info on  BetterInternet ... it's quite a bear (to say the least)!  Asta