
Standard response material re Spyware, Adware, BHOs, and other Malware

Posted on 2004-05-02
59,429 Views
Last Modified: 2012-07-22
*** THIS IS NOT A QUESTION! PLEASE DO NOT POST COMMENTS ***

In an effort to create centralized collections of links and eliminate all the redundant information posted and shared by many Experts here, this will attempt to collect links for MALWARE fixes in one spot to minimize load times on all the other question links.  

If you have additional items to add to this list, something needs a correction, or you find a link that is broken and needs updating; DO NOT POST IT HERE.  Post a question with COBOLdinosaur in the title or email me with the information.  I will delete the question and refund the point after I add the new information.

This is a collection from many end-users and Experts who have used them and found them helpful and informative.  There are various download sites for many of these, choose what works best for you.

Below is the index with short format links to the comment containing the information:


TIPS: http:Q_20975384.html#10973783
PRIMARY CLEANUP TOOLS: http:Q_20975384.html#10973785
DETAILED INFORMATION: http:Q_20975384.html#10973787
UNWANTED BHOs: http:Q_20975384.html#10973789
ACTIVE SCANNING: http:Q_20975384.html#10973793
GENERAL UTILITIES: http:Q_20975384.html#10973794
DOWNLOAD LOCATIONS: http:Q_20975384.html#10973796
IE SECURITY DOCS: http:Q_20975384.html#10973797
DEFINITIONS: http:Q_20975384.html#10973798
PREVENTION: http:Q_20975384.html#10973800

If you find this thread helpful, you can say thank you by considering helping an expert we all love... please visit:
http://cityofangels.com/experts/crazyone/


Edited by COBOLdinosaur, Page Editor, Browser Issues
This thread is made possible through assistance from expert: astaec, blue_zee, COBOLdinosaur, kabaam, sramesh2k, sunray_2003

Kibitzing provided free of charge by Netminder.

Question by:COBOLdinosaur
202 Comments
 
LVL 53

Accepted Solution

by:
COBOLdinosaur earned 0 total points
ID: 10973783
TIPS

++ If your Browser is hijacked, the quickest way to close the Browser window is ALT+F4.

++ Whichever tool you choose, be sure that you keep the definition files updated AND read the warnings and alerts, some may impact the way your environment has run in the past.

++ For IE6, disabling 3rd-party browser extensions is an immediate workaround. It stops all the BHOs, toolbars and browser extensions from loading and starts a clean instance of IE.

++ Installation recommendations from the number one expert in Browser Issues (Asta):

Another thing that should be helpful is this, in terms of manually controlling the installation of items (such as unwanted toolbars, etc)...  Since I always encourage using the most updated version of IE, which is IE 6 with all Service Packs, this is the process:

IE - tools - Internet options - advanced - browsing ->  Uncheck "Enable install on demand (Internet Explorer)" as well as unchecking "Enable install on demand (Other)".  This means that auto installs for updates to IE and/or other interfaces and applications will require your manual intervention to complete.  This is my ideal choice, but we each make our own.

++ Upgrade to MS Java 3810 or uninstall MS JVM and install Sun's version of Java

++ For safe browsing it is best to set the browser to prompt for activeX, Java, and plugins.  The minor irritation is nothing compared to the disaster that can come with downloading malware.

++ NEVER permit the download or running of any EXE unless you are 100% sure you know what it is.

++ NEVER disable the firewall or anti-virus software except when necessary for the installation of items you know are safe.

++ If you are not sure about a site; set security to high, and disable all scripting, until you check it out -- look at the source code.

++ "FREE" should always mean proceed with caution.
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11064576
Hi, Cd& ... feel free to edit/delete this comment, but wanted to point you here which is one of 2 I posted, the other is in Expert Input area.  Sunray also had a good thought about free viruscanners, but for some reason I thought we already had that.  
http://www.experts-exchange.com/Applications/Viruses/Q_20988241.html
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11067223
These are cut/paste input from the Q in Virus TA I mentioned yesterday.

Comment from Lobo
Date: 05/14/2004 12:07AM PDT
ID: 11065874
 Comment  


Hi Asta,

Excellent work!  I hope the thread can be updated regularly as new tools and methods appear.

The best thing we can do is educate users into proper use and maintenance of antivirus software, firewalls, and Windows Update. The basic stuff. It's incredible the amount of people who surf the Net daily with outdated antivirus or no antivirus at all, or who have never run Windows Update.

Re: the Microsoft Reward Program; what MS should do is reward people who identify a security threat. A common beef in the underground security community is that when a security hole is found and reported these reports are generally ignored. Some progressive companies hire hackers to test the security of their networks and systems, yet the largest part of the knowledge that community has is not exploited... and it should be. The knowledge is already there.

Good Vibes!

Lobo
 
Comment from acmp
Date: 05/14/2004 03:39AM PDT
ID: 11066862
 Comment  


Hear Hear!

If more people had up to date AV/firewall and used Windows Update then viruses would not be as big a problem as they are.

When the Kournikova virus was around I received 12 copies in a 30 minute period and thought it was a lot. I now get around 300-400 a day. Around 12000 in the last 4 weeks.

The best prevention tool is education.

acmp<><
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 11067674
Asta,

I'll be doing some additional work on it over the weekend.  It looks like it is going over well and the links are getting posted instead of lists. So :^)

Cd&
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11079633
Great news, Cd&, thanks.  

There have been quite a number of new assaults with various iterations such as Roings and various different URLs, but primary redirects something like this:
 http://www.errorplace.com/red.php?c=&aff=&q=doubleclick  or many others, some are registry keys, etc.  Definite Spyware and some had no problems removing using updated AdAware and Spybot S&D, others said their Email was also infected/problematic and found they could only solve these two issues using
Spyware Remover 8.2 from bulletproof.com.
http://spyware.syncprod.com/dir2/bulletproof_spyware_remover.html
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11089217
I noticed some end-users stating that Spybot S&D wasn't updating with new information and saw that as well; few updates and had version 1.2 installed for some time.  I then found another version 1.3 and it has TONS more entries and went from 512 known problems and exploits in the Immunize function to over 1700; so was a good upgrade.  Here's that updated link.  For some reason the standard "check for updates" on the older version 1.2 just wasn't doing it.

Get SpybotS&D 1.3 Final here...  http://www.majorgeeks.com/download2471.html

Also, for Experts to get updates here, as links and info changes; hopefully they 'subscribe' rather than adding comments if nothing new to add or changes to alert us to.

Thanks,
Asta
 

Expert Comment

by:LeeMitcheltree
ID: 11115416
Thank you so very much from all of you who answered my very simple question.......using your help it now seems that I've been able to solve my (most probably) self inflicted problem.
Thank you again.
LeeTree
 
LVL 29

Expert Comment

by:blue_zee
ID: 11133184

Asta suggested it and I believe it can be useful:

Two cleanup utilities against a persistent hijacker, trojan, nasty, whatever you want to call it: look2me.com.

These were quite difficult to locate as the usual downloads were obsolete.

I hope no one needs them but, just in case:

VX2.BetterInternet Finder (List & Log)
http://download.broadbandmedic.com/cgi-bin/download.cgi?action=redirect&id=1

KillBox:
http://download.broadbandmedic.com/cgi-bin/download.cgi?action=redirect&id=0

Zee
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11137716
Thanks, Zee, you're terrific; AND right on because I had one heck of a time trying to find a solution which you did find here.  Thanks for posting.  COBOLdinosaur, please feel free to remove/edit any of my comments not pertinent to this topic and thanks again for all your help in coordinating this.
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11146559
Is there a way to make this Q TIMELESS (with Jan or Brian's help) to keep it at the top of the Queue?
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 11146672
They are working on some additions to the user interface that will make it possible to create TA specific docs that should fill the bill, but I don't know when we will start seeing the next round of UI changes.

Cd&
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11146851
Thanks Cd&.... you're GREAT!  But then I tell you that all the time.  Nothing new here.

I've sent Austin a number of links; one of which is my open Q in Math & Science (no response) .... looking for a new TA on "homeland security" regardless of where on this planet we live, any hope?  Sorry for off topic query, again... feel free to delete.  
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 11146993
>>>any hope?

Don't know, but it's a good time to ask.  They are looking at re-organizing the TAs, so who knows... You just have to catch Austin at the right moment.

Cd&
 
LVL 17

Expert Comment

by:Lobo042399
ID: 11149310
Hi Cd,

Great work. I noticed online antivirus scanners missing from the list. Here's a few ones worth mentioning (and using!):

Symantec:
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro:
http://housecall.antivirus.com/housecall/start_corp.asp

Panda ActiveScan:
http://www.pandasoftware.com/activescan/

PC PitStop:
http://www.pcpitstop.com/antivirus/default.asp

Good Vibes!

Lobo
 
LVL 4

Expert Comment

by:tituba2
ID: 11188176
also

www.pestpatrol.com

It scans but doesn't clean.  It gives you the name and registry entries where you can manually remove the spyware.
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11189105
Just wondering if you want this fixed:

http:Q_20975384.html#10973796

++  Spychecker:
http://www.spychecker.com/download/download_coolwebshredder.html

----------------------------------------------------------

Also http:Q_20975384.html#10973789 might be edited:

http://sysinfo.org/ to http://www.sysinfo.org/startuplist.php

As the BHO list is already listed above it.

----------------------------------------------------------

http:Q_20975384.html#10973787

++ merijn.org is being blasted by a massive DDoS, that's why it now resolves to localhost.
You can still reach it by adding "209.133.47.200 www.merijn.org" to your hosts file.
Mirror is still available at:
http://www.spywareinfo.com/~merijn/

That was true when I first posted that message in the Lounge, but at this moment it's more off-line than online when you use the IP, so I think it would be better to just use the mirror only.

Also from the same part:

++ Hijack This Tutorial: http://www.TomCoyote.org

Doesn't exist anymore :(
Try http://www.spywareinfo.com/~merijn/htlogtutorial.html

Feel free to delete or edit this comment after the changes have been made as it only takes a lot of room on the site...

(I thought it would be better to post it here than to e-mail one of you, as it's more visible)

Thanks for all your effort Cd& and asta

LucF
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 11189182
Thanks Luc.  I've set aside some time tomorrow to catch it up.  There are a couple of other threads with stuff I'm going to bring in.  

I've seen the link posted in about 12 TAs so it is worth the effort.  Especially if it helps us get someone who has been hit by one of these nasties to get back up and running a little quicker.

Cd&
 

Expert Comment

by:Jagrrr
ID: 11272656
I have gotten a bit of the nasty. Whenever I try and run the detection tools such as pqremove (Panda) and Stinger (McAfee) I receive the error -- "filename" is not a valid win32 application

So what do I do next. I have been reading the threads for quite awhile and have been unable to find an answer to fixing this problem.

Cheers!
 

Expert Comment

by:Jagrrr
ID: 11273050
Sorry, thanks for the instruction.
 
LVL 4

Expert Comment

by:tituba2
ID: 11284530
SpywareBlaster is supposed to protect your browser from hijacking.  They have a new version.

http://www.javacoolsoftware.com/spywareblaster.html
 
LVL 27

Expert Comment

by:Asta Cu
ID: 11293783
This is a very good/informative link at HP about Worms/Trojans/Viruses and how to protect yourself.
http://h10025.www1.hp.com/ewfrf/wc/famiDocument?product=12455&lc=en&cc=us&dlc=en&docname=bph07130
 
LVL 4

Expert Comment

by:tituba2
ID: 11405014
Ran into something the other day with spyware.  Had a client, Windows XP.  Had two profiles on box.

I disabled System Restore.  Disabled startup items. Loaded the spyware cleaners, updated them.

Rebooted into safe mode - choose Administrator as profile.

Cleaned PC of spyware.  Rebooted and logged in as one of the users.  Scanned again - was clean.  So, I thought the box was clean.

Then, I logged off as this user and logged on the other profile.  Did a scan - and guess what?  This profile was infected with Spyware!  I had to clean off the spyware from this profile as well.

The conclusion I'm drawing here is that the spyware cleaners are only staying within the profile you are logged on to instead of the whole box......  

If you have multiple profiles, you have to run the cleaners on each one???  Does this seem logical?  

If you clean spyware off a box with multiple profiles, see if you get the same result.
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11407241
CrazyOne's AnswerBase has 6000+ EE solutions including 100's of security and virus related answers.  It's available thru the drop down menu at his recovery support webpage.  You can use 'Find in Page' with keywords to search the topic areas.

http://cityofangels.com/experts/crazyone/

 
LVL 32

Expert Comment

by:Luc Franken
ID: 11407360
tituba2,

Just for your information (and it could be included in this question for information) all those tools need to be run by a local administrator or a domain administrator, so all files will be scanned (make sure the administrator has rights to all files, otherwise you'll have to give the rights before scanning).

LucF
 
LVL 4

Expert Comment

by:tituba2
ID: 11407515
Doesn't apply.  I had used the Admin profile when I scanned and it didn't clean spyware off the entire box.

Besides, all users on this home machine have administrator rights.
 

Expert Comment

by:wavewatcher65
ID: 11415788
Only a small comment, but I thought we were not to comment here. With most of the scanners, they have the directory of the admin and users; I have noticed that with some, you have to scroll through the directories and hit each one. It's rather amazing that the spyware can drill into so many files, but it does. They change the file names and some of the code, but if you can read code, then it becomes apparent that they are there.

One thing that I have found is to use X and Ada, then to clean up with a good registry cleaner, then finally cleanse with an antivirus (my wife will kill me; as a nurse practitioner, she doesn't like the overuse of antibiotics) (just a joke). You can put most into a sleep, if not get them off the system. Some of the most recent I have seen use more than one file to do what they do. That makes it harder for the online freebies to cleanse.

Nothing beats a clean boot, reinstallation. But with all the files we have, that makes it a rather messy job. CDR all the exe installs that you want to keep. Back up all the PST files, and make sure you have kept some of the most recent on the web servers. If you have domains, then use some of the extra disk space for your own file saving. Just protect it with a good generated password. When in trouble, when I had a box that was partly operational, I would upload all the pertinent system files, clean reinstall, then pick and choose the downloads that we needed to make the system whole again. Then dump my online files; don't forget to make a disk of all the updates for XP, and then some of the other pluses that are out there.

Don't forget to check out GRC.com. Some of the most quick updates for new installs, and some other tweaking tools if you're into it. Not to mention an online port scanner that can show your customer what you have done, before and after. OK, sorry to have pitched here, but not selling for anyone. Just read the updates. Later all, summer is here, watch the waves, and think.
Drew.
 

Expert Comment

by:msmith270
ID: 11434821
I would like to suggest Bazooka Spyware Scanner be considered for the malware utility list.  Bazooka detects what Spybot or Lavasoft doesn't completely remove or doesn't detect.  Case-in-point -- I knew a PC was communicating to zuvio.com from the adware OpenSite from the entries in the proxy log.  Ran Spybot - it detected nothing.  Ran Bazooka, it not only identified OpenSite but also remnants of two other adwares that Spybot failed to completely remove.  Bazooka does provide manual removal instructions for malware detected.  I have yet to find one free utility that 100% removes malware; I don't think it is possible.
 

Expert Comment

by:jonbeeker
ID: 11436727
Some may encounter IE disable script debugger problems not fixed with the normal solutions.

I just thought it might help others that encountered the same problem I had with IE script debugger.  Please use any way you see fit, just wanted to get the info out there.

I am running on Win XP and had a problem with IE's script debugger not turning off.  I unchecked the display errors and checked disable but IE ignored it.  Ran Spybot s/d and Hijack and couldn't find the problem then tried bazooka it seems the problem was a trojan horse (MSOPT.dll).  

http://www.kephyr.com/spywarescanner/library/msopt/index.phtml?source=alerts

once I manually removed it everything was back to normal. So if someone is asking a question and none of the normal Tools/Advanced Options solutions are working for them you might suggest they look for that trojan.
 
LVL 29

Expert Comment

by:blue_zee
ID: 11438497

Quick update FYI:

New version of HijackThis released (1.98.0):

http://aumha.org/downloads/hijackthis.zip
http://aumha.org/downloads/hijackthis.exe

Full details: http://forum.aumha.org/viewtopic.php?t=6228

Zee


 

Expert Comment

by:marcerickson
ID: 11466173
I have some links that I put into an email template that I send out to the customers that I install some or most of these programs on their boxes.  My template also has Download links, but you've taken care of those.  Please feel free to integrate these with your original document.  All of these programs (unless noted) are freeware or donation ware for personal use.

Hoping this is useful,
Marc Erickson


Spybot - Search & Destroy v1.3
About (tells you a bit about what it does):
http://www.safer-networking.org/index.php?page=spybotsd
Tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=43&

SpywareGuard v2.2
About:
http://www.javacoolsoftware.com/spywareguard.html
Tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=50

SpywareBlaster v3.1
About:
http://www.javacoolsoftware.com/spywareblaster.html
Tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=49

AntiVirus:

avast! 4
About:
http://www.avast.com/i_idt_153.html
Download:
http://www.avast.com/i_idt_1016.html
Tutorial:
A general antivirus/firewall tutorial - the section about Internet Explorer can be done with SpywareBlaster by "Enabling All Protection" in SpywareBlaster's settings - see the SpywareBlaster tutorial:
http://netsecurity.about.com/cs/compsecurity101/a/aa072303.htm
Computer Knowledge Virus Tutorial:
Starts with a general view and gets progressively more detailed.  Look at the tutorial map on the left to go to a specific page.
http://cknow.com/vtutor/index.htm

TDS-3 (Trojan Defence Suite)
About:
http://tds.diamondcs.com.au/
Download:
http://tds.diamondcs.com.au/index.php?page=download
Tutorial:
First try the Help included with the program.  Online Help:
http://radified.com/Articles/trojan.htm
Support via Online Forum:
http://tds.diamondcs.com.au/index.php?page=forum

Software Firewalls - these are better than the commercial products:
ZoneAlarm is what I recommend to non-technical folks.  The tutorial and help file are among the best I've ever seen.  Sygate Personal Firewall is the one to use if you're knowledgeable about networking and/or need to create special rules and exceptions (most people don't).  I have no experience with Tiny Personal Firewall (I will be trying it on a computer soon), but it has a small impact on the computer's resources and supports multiprocessor computers and the other two don't (if you don't know if you have a multiprocessor computer or not - you probably don't).  At one time Tiny Personal Firewall was free for personal use - I don't know if that is still so.

ZoneAlarm v5.0.590.015
About:
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=nav_za
Download:
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
Tutorial:
See the tutorial under Start/Programs or All Programs/ZoneAlarm
User Manual:
http://download.zonelabs.com/bin/media/pdf/zaclient50_user_manual.pdf
>>Plugin:
VisualZone v5.7
This is a nifty add on for ZoneAlarm and ZoneAlarm Pro that allows you to visually trace an attack back to the general geographic area it came from - among other things.  You can use the information you get from the plugin to possibly help track them down - useful for the authorities, but you don't need it to use ZoneAlarm.  Norton Personal Firewall and Norton Internet Security do the same thing - but they're not as good of a firewall as ZoneAlarm is  *and* cost money!
About:
http://visualize.phenominet.com/visualzone/visualzone.htm
Download:
http://visualize.phenominet.com/visualzone/visualzone_download.htm
Frequently Asked Questions:
http://visualize.phenominet.com/visualzone/visualzone_faq.htm

Sygate Personal Firewall v5.5
About:
http://smb.sygate.com/buy/download_buy.htm
Download:
http://www.simtel.net/product.download.mirrors.php?id=53687
Tutorials:
http://smb.sygate.com/support/documents/spf/default.htm
http://www.pcplus.co.uk/tutorials/default.asp?pagetypeid=2&articleid=11202&subsectionid=376&subsubsectionid=73
User Manual:
http://smb.sygate.com/support/userguides/spf/spf55_userguide.pdf
Support via Online Forums:
http://forums.sygate.com/vb/forumdisplay.php?s=&forumid=8

Tiny Personal Firewall v5.5.1332
About:
http://www.tinysoftware.com/home/tiny2?s=4089603232020560690A0&offer=standard&pg=tpf5_home
Download:
http://www.tinysoftware.com/home/tiny2?s=4089603232020560701A2&offer=standard&pg=tpf5_download
Tutorial:
See the Help file included in the program.
User Manual:
http://www.tinysoftware.com/home/tiny2/tpf5_manual
Support via Online Forum:
http://www.tinysoftware.com/forum/

Antispam solutions
For all of these solutions, you need to save some spam to train the program.  They learn and eventually tag as spam what you consider to be spam - nobody else.  This is based on Bayesian statistical analysis of the incoming mail (named after Reverend Thomas Bayes) which is currently the leading edge principle used in spam filters.  The original idea for a Bayesian spam filter was in this paper:
http://www.paulgraham.com/spam.html
The heavy statistical math explanation of Bayes' Theorem is here:
http://en.wikipedia.org/wiki/Bayes'_theorem

For Outlook:
SpamBayes for Outlook v0.81
About the project:
http://spambayes.sourceforge.net/
Download:
http://prdownloads.sourceforge.net/spambayes/spambayes-1.0rc1.exe?download
Documentation:
http://spambayes.sourceforge.net/docs.html
Frequently Asked Questions
http://spambayes.sourceforge.net/faq.html

For Outlook Express:
For Outlook Express, you have to (or the program has to, when it's installed) create a mail rule in OE to move your spam from your Inbox to another folder.

K9  v1.28
About and download:
http://www.keir.net/k9.html
Usually the program configures the mail rule, but occasionally it doesn't.
Documentation:
http://www.keir.net/k9_begin.html
 

Expert Comment

by:pceasy
ID: 11470182
Thanks for trying your best but I found that the problem was my Download Manager - Internet Download Manager. I had Advanced browser integration and somehow I turned it off and went to the website and all was OK!

I wonder if I am entitled to a refund of the points allotted!

Thanks once again !

Pceasy !
 
LVL 15

Expert Comment

by:Daydreams
ID: 11477433
News article July 5, 2004:

http://www.cbsnews.com/stories/2004/07/05/scitech/pcanswer/main627500.shtml

"Last week, there were two separate reported of flaws in Microsoft Internet Explorer that could jeopardize your security. .."

".. the U.S. government's Computer Emergency Readiness Team, or "CERT" (www.cert.org) published a warning that included, among other suggestions, the advice to “use a different browser" -- suggesting that PC users look to sources other than Microsoft for a web browser."

(thanks to brunobear for posting here: http:Q_21043408.html#11477197)
 
LVL 4

Expert Comment

by:tituba2
ID: 11481326
Looks like the hackers have disabled merijn.org (cwshredder tool).
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11481397
Merijn.org has been down for a few months now, spywareinfo.com/~merijn is probably getting blasted at the moment, sometimes it can be reached though... it's very slow at the moment if the pages even open. I just hope those problems will get solved soon. Other download links are still working: http:#10973796

LucF
 
LVL 15

Expert Comment

by:Daydreams
ID: 11519697
Mozilla.org has posted a patch as a result of security issues reported here:

http://story.news.yahoo.com/news?tmpl=story&cid=75&ncid=738&e=6&u=/nf/20040709/tc_nf/25807

To obtain the Mozilla/Firefox security patch:

http://mozilla.org/security/shell.html  (scroll down for patch)

..and follow the instructions. I am impressed by Mozilla's fast response to this security issue. If you download a new version of Mozilla or Firefox it will include this patch.
 

Expert Comment

by:jobox11
ID: 11520314
I'm not sure if this is the proper space to make the following comment (question). I gather that 'free' members cannot ask a question in Community Support which appears to be the link to the moderators or whoever that respond to problems with closing questions.  HELP!  Jobox11.
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11520395
You can just ask your question at http:/Community_Support/ it's not limited for paying users. The moderators should be helping you as soon as they can.

LucF
 
LVL 4

Expert Comment

by:tituba2
ID: 11573223
Anyone run into this variant of CoolSearch:

http://www.pchell.com/support/onlythebest.shtml

Was not able to get rid of this thing.  CWShredder etc. don't clean it.  Registry edits listed on pchell didn't work either.
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11573758
Since 27/06 Ad-Aware is able to handle it, just set it to scan everything instead of just the standard run and let it unload processes while scanning, but I agree, it is a horrible hijack.
 
LVL 4

Expert Comment

by:tituba2
ID: 11574496
This variant of CoolSearch also deleted shell.dll and grabbed ahold of Windows installer.  See

http://www.lavasoftsupport.com/index.php?showtopic=34050
 
LVL 1

Expert Comment

by:Douglasfur
ID: 11608260
I recently found a utility that I haven't seen mentioned here. It is called StartUpMonitor and it was created by Mike Lin, a student at MIT. In his words, "StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents those utterly useless tray applications from registering themselves behind your back, and it acts as a security tool against trojans like BackOrifice or Netbus."

I run spywareblaster as well, yet the other day I got a popup from StartUpMonitor that spywareblaster didn't detect, and I was able to stop the install of some little nasty thingy that I'm sure I didn't want.

So...I'm not an expert but I've cleaned up a number of machines using all the standard tools mentioned here.

Mike Lin's tool may be one you would consider adding to the list. It can be found at http://www.mlin.net/
I'd be interested in your comments. They've rescued me in the past.
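An added example, not Mike Lin's StartupMonitor and not code from this thread: a Windows PowerShell (3.0 or later, elevated) snapshot-and-diff of the Run/RunOnce autostart keys that does a poor man's version of what Douglasfur describes, and that also shows why tituba2 saw spyware survive per profile above, because each logged-on profile has its own HKCU hive under HKEY_USERS and a cleaner run as one user only sees its own. The snapshot file location is my choice, and profiles that are not logged on are not loaded into HKEY_USERS, so this does not see them.

```powershell
# Added example, not StartupMonitor's code: audit the Run/RunOnce autostart keys
# for the machine and for every loaded user profile, and report what is new
# since the last snapshot. Run from an elevated Windows PowerShell 3.0+ prompt.
$SnapshotPath = Join-Path $env:TEMP 'autostart-snapshot.json'   # my choice of location

function Get-AutostartEntries {
    $subKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
                 'Software\Microsoft\Windows\CurrentVersion\RunOnce')

    # HKLM applies to every account; each S-1-5-... hive under HKEY_USERS is one
    # logged-on profile's HKCU. A cleaner run as one user sees only its own hive,
    # which is why a second profile can still be infected after a "clean" scan.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $roots += Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::$($_.Name)" }

    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $key = "$root\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $values = Get-ItemProperty -LiteralPath $key
            foreach ($p in $values.PSObject.Properties) {
                if ($meta -contains $p.Name) { continue }   # skip provider metadata
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

function Compare-AutostartSnapshot {
    param([string]$Path = $SnapshotPath)
    $current  = @(Get-AutostartEntries)
    $previous = @()
    if (Test-Path -LiteralPath $Path) {
        $previous = @(Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json)
    }
    $seen = @{}
    foreach ($e in $previous) { $seen["$($e.Key)|$($e.Name)|$($e.Command)"] = $true }
    $added = $current | Where-Object { -not $seen.ContainsKey("$($_.Key)|$($_.Name)|$($_.Command)") }

    # Persist the new baseline, then return only the entries that appeared.
    $current | ConvertTo-Json | Set-Content -LiteralPath $Path
    $added
}

# The first run records a baseline and prints everything; later runs print only
# what registered itself since, which is the event StartupMonitor pops up for.
Compare-AutostartSnapshot | Format-Table Name, Command, Key -AutoSize -Wrap
```

Run it once on a known-good machine, then again after each install or browsing session; anything it prints is a new autostart entry worth identifying before the next reboot.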
 

Expert Comment

by:jobox11
ID: 11634505
What's wrong with WinPatrol which does a very good job of notifying of new startup apps.  Jobox 11
 

Expert Comment

by:jobox11
ID: 11634529
Re: comment from LucF on asking questions in Community Support.  http:/community support/ does not appear to be a valid address. Pls correct or comment.  Tks.   Jobox11
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11637033
jobox11,

Just click the link I gave above, it works just fine for me (don't use a space between Community and Support, but a "_").
The full url is http://www.experts-exchange.com/Community_Support/ or you can reach it by clicking "Support" at the top of every page.

LucF
 
LVL 1

Expert Comment

by:Douglasfur
ID: 11658034
The 'StartUpMonitor" that I mentioned above advises you BEFORE any new apps install (register) themselves. You have to say okay before they can complete their install.

Don't get me wrong. WinPatrol is an excellent tool. I just thought this new thing was pretty cool.

just sharing...

douglasfur
 
LVL 4

Expert Comment

by:tituba2
ID: 11703316
Some of the spyware cleaners are actually vehicles to deposit more spyware.

Here is a good site that lists suspects:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

 

Expert Comment

by:AskAudery
ID: 11763882
FYI - Lavasoft just came out with a new version of Ad-Aware called Ad-Aware se.
 
LVL 4

Expert Comment

by:tituba2
ID: 11948229
This piece of spyware, SearchForIt - is ugly.

First of all, I'm not sure how it gets on the box.  Had a brand new PC, right out of the box.  Got it on the internet, updated Norton, put on Microsoft patches.

Scanned with Spybot and found SearchForIt already on box.

But here is the real issue - SearchForIt also drops a Trojan Keylogger virus.

So, if you ever find SearchForIt spyware, also look in
C:\Windows for setup1.exe

Setup1.exe is a keylogger trojan.
 
LVL 17

Expert Comment

by:Lobo042399
ID: 11948252
Hi tituba,

It sounds like one of those rogue crawlers that ping random IPs looking for machines to infect.

Good Vibes!

Lobo
 
LVL 4

Expert Comment

by:tituba2
ID: 11948466
Someone explain to me how spyware is getting by the firewall.  I get how spyware gets on a box if you click on popups or have no protection.

But how is spyware getting on a new box, firewall in place and updated?

Is it because IE is so vulnerable for those 15 min or so before you get all the patches on?

And, more importantly, why aren't Trojans (keyloggers and such) found by Symantec/McAfee?  I discovered the Trojan by scanning with Pest Patrol.  Symantec showed a clean box.  

 
LVL 17

Expert Comment

by:Lobo042399
ID: 11948710
>> Is it because IE is so vulnerable for those 15 min or so before you get all the patches on?

Yup!!!

One of the many reasons I don't use IE. Give FireFox a test ride.

Good Vibes!

Lobo
 
LVL 4

Expert Comment

by:tituba2
ID: 11952185
I had even loaded SpywareBlaster, updated it and enabled all protection.  So this piece of Spyware slipped by.

I have been using Firefox, however, have to use IE to put on patches.

Very disheartening having spyware slip through in the short time IE was used - especially one that also drops Trojans.
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 11953267
Hi Tituba,

What I normally do in a new installation is to install Norton Internet Security and Go Back before running Windows Update.  That way, if any MS patch crashes the machine I'm working on, I can use Go Back to restore it.

Good Vibes!

Lobo
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11963259
Since this is a valuable thread for Stopping Spyware, I would like to add a couple of batch files that may help keep your hosts file clean.  Copy and paste them to Notepad, then save with a .bat extension.  The first one 'locks' your host file as Read Only, and the second one Unlocks it for editing...

Lock your Hosts file

========Start Copy=========

@echo off
cls
rem Mark the hosts file read-only, hidden and system so casual writes to it fail
attrib +r +h +s %SystemRoot%\system32\drivers\etc\HOSTS
      echo.
      echo  ++++++++++++++++++++++++++++++++++
      echo  +                                +
      echo  + HOSTS FILE IS NOW READ ONLY!   +
      echo  +                                +
      echo  ++++++++++++++++++++++++++++++++++
      echo.

pause
exit

==========End Copy=========

For Unlocking the Hosts file:

==========Start Copy========

@echo off
cls
rem Clear the attributes again so the hosts file can be edited
attrib -r -h -s %SystemRoot%\system32\drivers\etc\HOSTS
      echo.
      echo  ++++++++++++++++++++++++++++++++++
      echo  +                                +
      echo  + HOSTS FILE IS NOW UNLOCKED!    +
      echo  +                                +
      echo  ++++++++++++++++++++++++++++++++++
      echo.

pause
exit

==========End Copy=========
0
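An added example, not part of Fatal_Exception's post or of any tool mentioned in this thread: locking the file stops casual writes, but it is also worth checking what the file already contains, because hosts-file hijacks typically pin security vendors' and Windows Update hostnames to 127.0.0.1 (so the scanners cannot update) or send ordinary names to an address off the box. The audit below is written in Python so it runs offline on a copied hosts file; the sample hosts text, the `.test` hostname and the watchlist of vendor/update hostnames in `SECURITY_SITES` are assumptions chosen for this example, so extend the watchlist to the vendors you actually rely on.

```python
"""Audit a Windows hosts file for hijack indicators (added example, not from the thread).

Two indicators are checked:
  1. a security-vendor or update hostname pinned to any address at all
     (the classic trick that keeps AV/anti-spyware tools from updating);
  2. any other name mapped to an address that is neither a sinkhole
     (127.x / 0.0.0.0, as ad-block lists use) nor an RFC 1918 private range,
     i.e. traffic for that name is being sent somewhere off the box.
"""
import ipaddress

# Constructed watchlist for this example; add the vendors you actually rely on.
SECURITY_SITES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "lavasoft.de",
    "safer-networking.org",
)

PRIVATE_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file.

    Comments (#), blank lines, malformed addresses and lines without a
    hostname are skipped, just as the resolver itself ignores them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_watched(name):
    """True if the hostname is, or is under, a watchlisted vendor/update domain."""
    return any(name == site or name.endswith("." + site) for site in SECURITY_SITES)


def is_sinkhole_or_private(ip):
    """Loopback, 0.0.0.0 and RFC 1918 targets keep traffic on or near the box."""
    if ip.is_loopback or ip.is_unspecified:
        return True
    return ip.version == 4 and any(ip in net for net in PRIVATE_NETS)


def audit_hosts(text):
    """Return a list of (line_number, hostname, address, reason) findings."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue  # the one entry every hosts file legitimately has
        if is_watched(name):
            findings.append((lineno, name, str(ip), "security/update site pinned in hosts file"))
        elif not is_sinkhole_or_private(ip):
            findings.append((lineno, name, str(ip), "name redirected to an outside address"))
    return findings


# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com     # patching silently broken
127.0.0.1       www.safer-networking.org        # Spybot S&D site blocked
198.51.100.7    www.example-bank.test           # sent off the box
10.0.0.5        intranet.corp.example           # ordinary private mapping
0.0.0.0         ads.example.net                 # ad-block style entry
"""

if __name__ == "__main__":
    for lineno, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

Run it against `%SystemRoot%\system32\drivers\etc\HOSTS` copied off the machine (the file is plain text, so `open(path).read()` is enough); a clean file yields no findings, and an ad-block style hosts list yields none either, because 0.0.0.0 and 127.0.0.1 targets are treated as sinkholes unless the name is on the watchlist.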
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12015957
Although CoolWebSearch has been covered rather extensively in many tools noted here, one user wants deeper information in terms of registry keys to modify and so on and this is the Q still open today in which the steps are again defined (if needed).
http://www.experts-exchange.com/Web/Browser_Issues/Q_21116362.html#12013638
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12016741

A quick word of caution, even if I do agree with your comments regarding the HJT log posts:

The "auto" analysis in http://www.hijackthis.de/index.php?langselect=english is not that good and can, in certain cases, be dangerous.

Worse than not flagging some nasties, it flags legitimate entries as nasty!!

And if users "fix" them with HJT they can end up with serious problems.

I suspect this problem is specific to WinME scans, but...

Zee


P.S.:
Asta: Thanks for the reminder!
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12016791

The entry being incorrectly flagged in WinME scans:

C:\Windows\Rundll32.exe

Because it should be run from C:\Windows\System32 !!!
~8-|

Zee

0
 
LVL 12

Expert Comment

by:rossfingal
ID: 12038396
Hi! All!

Don't think I saw this above.
Someone has provided a mirror site for Merijn's
Located at:
http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com

>ZEE
Issues with automatic analysis are showing up.
The notable one being that 2 or 3 of the latest variants of CWS
cannot be dealt with by using HijackThis, by itself.

Regards...
RF
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12041334
Hi Ross!

>>The notable one being that 2 or 3 of the latest variants of CWS
cannot be dealt with by using HijackThis, by itself.

Some "experts" are insisting on recommending HijackThis as a cure for everything and encourage askers to post several HT logs, making the Questions unusable as PAQs. In the Viruses TA we're already seeing Askers including entire HT logs as part of the Question itself.

http:Q_21119781.html

Good Vibes

Lobo
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12043463
COBOLdinosaur and other Page Editors have tried to encourage Experts to post the Analysis link instead and only post the results they're unclear about for further guidance, which helps in terms of clutter in the PAQ, IMHO.  Frequently, from what I've seen, the experts who encourage the posting of these logs in their entirety end up going to the Analysis site and doing what the end-user (Asker) can do directly in terms of making some initial assessments and changes, as needed.
http://www.hijackthis.de/index.php?langselect=english

Personally, haven't had any downside results from the information which is returned for my own 'issues', but also have read others who took cleanup actions and sat with huge problems.  The good news/bad news scenario, very real.
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12049363
Hi Cd,

http:Q_21129167.html

for the current discussion at Experts Input. I'm sure there's one or two suggestions that can be of value to the discussion you guys are having.

Good Vibes!

Lobo
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12206749
COBOLdinosaur

This link is an excellent procedure on how to kill off Cool Web Search - that most unpleasant of scumware:
http://www.silentrunners.org/sr_cwsremoval.html

The link was originally published via NTBUGTRAQ (www.ntbugtraq.com) and I have included the whole text of the post below. (I hope I have satisfied IPR here!)

Cheers

JamesDS

Start Post-----------------------------
Hello,

CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware.
Rossano Ferraris (rossano.ferrarisNOSPAM@libero.it) and I have collaborated to develop a simple procedure to remove it from an NT4-W2K-WXP box.

CWS is widely discussed on the web, but it's poorly understood and procedures to remove it are often lengthy, cumbersome and ineffective.
Users are sometimes forced to reformat the hard disk to remove it. CWS comes in a variety of flavors. This post will only consider the most insidious, which involves two components: a shield-DLL and a BHO (Browser Helper Object).

Shield-DLL
----------

The shield-DLL installs itself to the following registry value in NT4-type systems:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls

Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based application running within the current logon session." IOW, any ad-ware found here runs concurrently with _every_ program launched. It is truly astonishing that such a registry location exists.

Here's what the CWS shield-DLL manages to do:

1. It prevents almost all registry editors from displaying it as an
   AppInit_Dlls value. This list includes, but is not limited to:
   Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns,
   HijackThis, and, my favorite (because I wrote it), the "Silent
   Runners.vbs" script. The _only_ program known to display it, for
   unknown reasons, is the freeware Registrar Lite 2.0, available
   here: http://www.resplendence.com/reglite/

2. It prevents all GUI and command line tools from listing it or
   deleting it. This list includes, but is not limited to: Windows
   Explorer, DIR, ATTRIB, CACLS, and DEL.

3. The .DLL file has eccentric security permissions (SYNCHRONIZE
   and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed
   from memory, an Admin must reset security to delete the file.

4. It has a unique name on every system it infects.

5. It ensures that a BHO starts up with IE at every boot.

6. If the BHO is deleted, it restores the BHO under a new name at
   the next boot.

This combination of features makes it a formidable adversary.

BHO
---

This is a .DLL that installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

The BHO is responsible for the ad-ware symptoms: change of home page, profusion of popups, and anything else that foments the users' wrath.
The BHO registry key and the file are not protected; both can be deleted. The BHO will simply be reloaded under a new name at the next boot.

To eliminate CWS, we have developed a relatively simple procedure (compared to everything else that's out there) that involves using Registrar Lite 2.0 to record the name of the shield-DLL, a VBS script to remove it from AppInit_Dlls, the "Silent Runners" script to identify the BHO, and, after reboot, a second VBS script to delete the shield-DLL and BHO files. The procedure and scripts can be found here:
http://www.silentrunners.org/sr_cwsremoval.html

MS please take note:

AppInit_Dlls is a gaping security hole. Unfettered access to this value should be removed ASAP from NT4/W2K/WXP.

regards, Andrew Aronoff & Rossano Ferraris

                                *****
 Want to know every program (well, almost every program -- CWS being
             the exception) that starts up with Windows?
                    Download "Silent Runners.vbs":
                    http://www.silentrunners.org/
                                *****

End Post-----------------------------
0
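An added example of my own, not the Aronoff/Ferraris scripts (those live at the silentrunners.org link in the post): the two registry locations the post names can be triaged offline from a `reg export HKLM hklm.reg` taken on the suspect box, which is useful when you would rather not run anything on it. The parser below reads the REGEDIT5 `.reg` text format, pulls the AppInit_DLLs value and every BHO CLSID, resolves each CLSID to its InprocServer32 DLL, and flags a server DLL that sits directly under the Windows directory tree or is missing altogether. The sample export, the CLSIDs and the DLL names are constructed placeholders. One caveat the post itself makes: the CWS shield-DLL hides from registry tools, so an empty AppInit_DLLs in an export proves nothing on its own.

```python
"""Offline triage of a Windows .reg export for AppInit_DLLs and BHO registrations.

Added example for this thread, not the Silent Runners scripts.  Input is the
text written by `reg export HKLM hklm.reg` (read it with encoding="utf-16" on
XP/2000 exports, which are UTF-16 with a BOM).
"""
import re

# Registry paths named in the CWS post, lower-cased for case-insensitive lookup.
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid"

_QUOTED_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\", re.IGNORECASE)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    # Only REG_SZ data is needed here; dword:/hex: data is kept as raw text
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}}; "" is the (Default) value."""
    keys = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "", line[2:]
        else:
            m = _QUOTED_VALUE.match(line)
            if not m:
                continue  # hex continuation lines and anything else not modelled here
            name, data = _unescape(m.group(1)), m.group(2)
        keys[current][name.lower()] = _decode(data)
    return keys


def suspicious_server(path):
    """Heuristic: no server DLL at all, or a DLL dropped straight into the Windows tree."""
    if path is None:
        return True
    return bool(_SYSTEM_DIR.match(path))


def triage_registry_export(text):
    keys = parse_reg_export(text)
    appinit = keys.get(APPINIT_KEY, {}).get("appinit_dlls", "")
    report = {
        # AppInit_DLLs is a space/comma separated list; anything in it loads into every process
        "appinit_dlls": [p for p in re.split(r"[ ,]+", appinit) if p],
        "bhos": [],
    }
    for key in sorted(keys):
        if not key.startswith(BHO_KEY + "\\"):
            continue
        clsid = key[len(BHO_KEY) + 1:]
        if "\\" in clsid:
            continue  # only direct children of the BHO key are registrations
        server = keys.get(CLSID_ROOT + "\\" + clsid + "\\inprocserver32", {}).get("")
        report["bhos"].append({"clsid": clsid, "dll": server, "suspicious": suspicious_server(server)})
    return report


# Constructed export (placeholder CLSIDs and DLL names), not from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINNT\\system32\\qwerty12.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000B401-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000B402-0000-0000-0000-000000000002}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000B401-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINNT\\system32\\zxcv4321.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000B402-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\ExampleHelper.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    rep = triage_registry_export(SAMPLE_REG)
    print("AppInit_DLLs:", rep["appinit_dlls"] or "(empty; not proof of absence, see the post)")
    for bho in rep["bhos"]:
        print(("SUSPECT " if bho["suspicious"] else "ok      ") + bho["clsid"], "->", bho["dll"])
```

The "Windows directory" heuristic is deliberately crude: legitimate BHOs normally live under a vendor's Program Files folder, whereas the CWS BHO the post describes is a randomly named DLL in the system directory, so anything the script marks SUSPECT is a candidate to look up by hash and path, not an automatic delete.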
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12222486
This, IMHO, is excellent... deals with important steps and prerequisites prior to dealing with Spyware removal processes and some OS specifics.
DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal
http://forums.majorgeeks.com/showthread.php?t=35407
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12223164
Very good astaec..  I especially like the idea of removing the VM Java from MS..  and installing Sun's version.  
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12223234
Thanks, agree.  Especially since MS Java is no longer supported and is being phased out, so more and more of us will need to find alternatives and migrate.  I've been very pleased with the Sun Java VM and keep it updated.
http://www.java.com/en/download/
0
 
LVL 11

Expert Comment

by:Paul S
ID: 12348454
NEW TOOL:

MWAV - Created by Microworld Technologies (www.mwti.net)

It will detect over 100,000 malwares! Recently it stopped removing them though. It only detects the problem.

http://www.mwti.net/antivirus/free_utilities.asp

For full protection that does remove the threat try eScan.
0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 12416112
Heads up Folks... There may be a new bad actor on the way:

http://www.experts-exchange.com/Security/Win_Security/Q_21178555.html

Cd&
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12416401

I may have missed it mentioned in EE, but there is a new version of CoolWebShredder, version 2.0:

http://www.intermute.com/spysubtract/cwshredder_download.html

Also installable via CWS update feature.

Zee
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12417133
COBOL..  thanks for the heads up..  First thing I did was drill into my webserver to check it out.  We need to stay on top of this, so if anyone finds any details, please post..!!

FE
0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 12422004
My concern is that this is some kind of new variation.  We have seen it before.  Best protection right now seems to be to use FF if you are investigating because it looks like it can really tear up IE, and then goes after any connected IIS server.

Cd&
 
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12422047
That's frightening; this may help.
Report a Security Vulnerability
The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we'd like to work with you to investigate it.
https://s.microsoft.com/technet/security/bulletin/alertus.aspx
0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 12422810
This is what we have:

Spybot found it as a BackOrifice.B DSO (3 reg entries) and a copy of a
wininet.ini file placed in the WINNT folder that it could not remove because
the wininet.ini was in use.

That sounds old, so I don't know why it would not get blocked at the firewall, unless it is a new variation.

You have to use safe mode to remove the wininet.ini file,
and registry keys containing "%@LANGUAGE" need to be removed.
The rhtools.asp file might not show up on the computer even
though that is the source of the attack.  

It does not spread to other computers on the domain, but goes after
any IIS server it can find; which it then apparently opens up for all
manner of hack attacks.

Cd&
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12518482

Excellent and useful:

Rogue/Suspect Anti-Spyware Products & Web Sites
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

Zee
0
 
LVL 4

Expert Comment

by:tituba2
ID: 12520035
Ran Pest Patrol software and removed spyware and Trojans.  Ran Ad-aware, Spybot and CWShredder.  Removed items in msconfig.  Rebooted PC and it now makes a sound effect when you open IE.  (No sounds are enabled.)

I rescanned (with several scanners) and no viruses, spyware etc. on box.

This has happened three times now.  I'm assuming that one of the spyware/Trojans is still talking to IE.  Some registry tag left over?  Anyone else run into this?  Weird sound effect when you open IE after removing spyware/Trojans?
0
 
LVL 11

Expert Comment

by:Paul S
ID: 12520583
tituba2, you should post this problem as a separate question.

P.S. Try running a scan with MWAV
0
 
LVL 4

Expert Comment

by:tituba2
ID: 12522585
After I posted this, I put it up as a question.  Couldn't figure out how to delete my entry.  Once I get the answer, I'll post it here as this appears to be something that is happening when you remove spyware.
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12677489

http://www.eweek.com/article2/0,1759,1731474,00.asp
Study: Tools Let Spyware Slip Through Cracks
By Ryan Naraine
November 23, 2004       

Damn...

Zee
0
 
LVL 15

Expert Comment

by:Daydreams
ID: 12682968
Banner ad iframe exploit: experts suggest using browser other than IE:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1027844,00.html?track=NL-34&ad=498096

"Security experts are urging Internet Explorer users to switch to another browser or disable Active Scripting to guard against a new exploit for the IFRAME vulnerability that hides in Web site ad banners."

"A Microsoft spokeswoman has acknowledged the vulnerability in interviews with SearchSecurity.com and other media sites. But the software giant has yet to issue a statement on its Web site with potential workarounds or word on when a patch will be made available. The company's next patch release is scheduled for Dec. 14."


http://www.technewsworld.com/story/news/38393.html

"..Microsoft has known about the iFrame vulnerability since it was published earlier this month, but has not yet released a patch..."

"My hope is that people will embrace the idea that there are other browsers that are safer and better than IE. I'm not a Microsoft basher. IE has great possibilities, but it's just not safe at this time.. ..It's security doesn't appear to be enough of a priority for Microsoft. I wholly recommend using another browser for general Internet browsing and saving IE to use only for the things it's required for." (Matt Jonkman, senior security  consultant with Infotex, an information security firm).



http://www.internetnews.com/dev-news/article.php/3439701

"John Pescatore, security analyst and vice president and research fellow at research firm Gartner said unless users are running Windows XP Service Pack 2 (SP2), which is immune to the IFRAME vulnerability, they should consider running an alternate browser to IE."
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 12797405


To Home Users: Do you want free security programs that really works?
http://msmvps.com/donna/archive/2004/12/06/22450.aspx

Zee
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13045570
WOW, I'm really impressed with the new Microsoft AntiSpyware Beta1 tool.  Just installed it and ran it (deep scanning all drives) and despite the fact that I did a full updated Viruscan last night, along with Spybot S&D (Immunized) and AdAware SE Pro then a HijackThis run and log check was "clean" ..... BUT then ran this beta software from Microsoft this morning and found 8 threats (high risk), 7 files and 11 registry keys.  Very very impressive.  I love it.  Links here:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
http://www.microsoft.com/athome/security/spyware/software/faq.mspx
Download link follows:
http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

Asta
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 13050232
I like it because it is controllable also (has lots of options) and so far has done a great job, with no ill effects on the machine I have been running it on.
A buddy of mine set it up, and then wanted to really test it, so he went to a lot of crack/serialz sites, and not one ill effect (blocked all the nasties); ran a scan after and didn't find anything, so the proactive part seems to work as well.
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 13050256
It seems like a good tool. Kudos to the guys at Giant Software who created it. Let's hope MS doesn't screw it up.

http://giantcompany.com/
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13050437
Amen!  They did recommend uninstalling any prior Giant related software to circumvent problems.  LucF is also testing it on various systems and hope he pops by here as well.  At the cost of sounding redundant, had what I thought to be a totally clean test system last night, unplugged/offline with HW router, blah blah blah, and found significant issues using the MS AntiSpyware tool, so quite pleased (so far).  Though, I did over-ride the recommendations of the results; some were quarantine recommendations, which I knew I didn't want/need, and changed them to delete.  Overall top notch!  Hope it keeps growing, stays current and stays FREE.  LOL  Asta
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 13050516
If MS sticks to its usual business practice, the Tool will remain free and it may even be built right into the next release of Windows. When the lawsuits come it'll be too late since AdAware and other good tools will be dead by then.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 13050528
Don't worry Asta, I'll update as soon as I find something :o)
I have it running on 11 systems now, of which 8 in our business network (especially at systems of users I know try to circumvent all security measures) and will see how it performs in the next few weeks.

Take good care,

LucF
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13050547
YIKES!  All gone, deleted, and back.  The recurring culprit is eXact.Downloader Trojan Downloader.... running another series of scans (SysRestrOff) .... WT... heck?

Cool, thanks, LucF.  ":0) Asta
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13050579
astaec  - scan from www.pandasoftware.com.  Panda usually catches and deletes these spyware trojans.

As for Microsoft's spyware cleaner, I had mixed results.  Had a customer with the variant of CW Coolsearch from hell (see http://www.pchell.com/support/onlythebest.shtml)

anyways, CWShredder (the new one) didn't fix.  Microsoft's scanner didn't even identify it as a problem.

So, I don't think that the Microsoft tool will replace our current scanners.  Just supplement them.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 13050580
Asta,

Nope, thank you! :) I still remember http:Q_20924179.html and appreciate it.

All downloader.trojan versions are a hell to remove :(
Mainly running tools from safe mode will fix them, but sometimes...
Check your running services and you'll find the culprit (if any)

LucF
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13050603
Here's someone who claims to have manually found the fix, and is interacting with Giant to get it added....
http://www.iamnotageek.com/history/topic.php/78896-1.html
Will see after this rescan and multiple reboots.  Never went to anything related to Bargain Buddies, have XP SP2, Router with HW firewall and all the known protections..... the only thing I can imagine is that I clicked some bugger link in doing EE research 'coz I'd never willingly go anywhere that bopped my and mine like this, let alone a bargain buddy.  

Cd&, feel free to edit delete my tirade, LOL.

":0) Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13050681
More to read, will check things out and thanks so much, all.  

Just spoke to a County Administrator who said that they've tested tons of Spyware tools and choose Aluria Spyware (never heard of it) and that it caught 3X more than any other tools they've tested over the past many months.  Also checking it out.  

LucF  ... yeppers, that link was a thing I'll always also remember.  You were a main contributor to getting this boat to float....   teamwork works!

":0) Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13050686
tituba2 -> Thanks, will reboot a few times and test that link as well.  Interesting to see if the problem recurred and Panda catches it.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 13050705
>>teamwork works!<<
No kiddin' *big grin* :o)
It's what EE is all about, everyone knows something about something. Together we know a lot, and with all added value every day we all learn from it.

Thanks,

Luc
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13050871
Well said, Luc.

BEFUDDLED.... ran everything again in Safe Mode, continuously removed eXact.Downloader Trojan Downloader on the test machine, consistently found again and again... More to be done.  WHAA
0

 
LVL 41

Expert Comment

by:stevenlewis
ID: 13050905
I think there is no one tool that gets them all, the complete toolbox contains a bunch of the removers :-)
I try and take a positive slant, this will always put some $ in my pocket, as my clients will always get some, and I'll have to clean it LOL
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13051065
True, spyware has been paying my rent for the last several months.  However, it does get to be a drag spending so much time watching scanners.

IMO - By far, the hardest to get rid of is the Cool Search variants.

There comes a point in cleaning off spyware when you've invested so much time that it becomes a toss up of spending more time or formatting the thing and being done with it.  More and more, formatting seems to be a good alternative as it fixes all the issues, gives the client back a faster machine and they do a happy dance.  Plus, you don't have to deal with little orphan problems that didn't get cleaned by any of the scanners.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13051098
Well, here I am.... did it all, still persists....  go figure!
http://www.experts-exchange.com/Security/Win_Security/Q_21275441.html
Asta
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 13051104
Amen!!
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13051111
astaec - you should post your problem in the Virus section.  This thread really is supposed to be used to list spyware programs and solutions.  Questions need to go in the Virus area.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13051137
I placed it in WindowsSecurity, but if no help, will repost there, tituba2 (thanks) ....
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13051160
As regards reformatting and starting anew YEP, the way to go.... but not for this system; it carries ancient apps that just manage to work and are on a test system for many reasons and manage to work in the XP SP2 environment.... wouldn't dream of reformatting and blowing 20+ years of 'magic'.... so to speak, though it's all kind of a pain where you sit.  LOL  If/when the various projects are complete, that's exactly what I'd do.  But for now, gotta fight the buggers and "maintain" what I can to keep things moving.  I should have just been smarter and not used this system and access levels to do EE work and research, where I'm quite sure I got all of this "helping others" and "clicking links'.... Doh on me.
0
 

Expert Comment

by:Stardotstar
ID: 13052575
Hey astaec, I had a machine a while back that was giving me heck and I pulled the drive and placed it in as a secondary in another machine and ran the various programs.  Found a bunch of stuff that way also, just an idea if you have not already thought to do it.

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13052847
The reason some spyware keeps coming back is due to some insidious dll's that are placed on your system, and this could be the case with this one, Astaec...  I ran across the about:blank problem a few weeks ago (client's system), and had to really dig to get rid of it.  Not sure this is your problem, but it could be the same type of problem...  Here is the page I used to kill it, just for reference on what may be happening in this case:

http://www.pchell.com/support/aboutblank.shtml

Lots of good links on the page also..

FE
0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 13053697
BTW,

I hope you have all seen: http://www.experts-exchange.com/expertAwards2004.jsp

Where well into the second half of the page is the list of best questions of 2004.  THIS thread was selected NUMBER ONE for 2004.  I am also pleased that the number one editor's choice question was also one I participated in.

Congrats to everyone who has contributed to this.  Now we have to come up with a best of 2005 thread. :^)

Cd&
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13058170
Hats off to your hard work here and all who have contributed...   This is a growing plague for us all, and a central link with resources is the way to go!  It cuts redundancy, helps expedite solutions, gives us a central repository link to which to point, and with your hard work, COBOLdinosaur, to continue to trim it and keep it updated, helps everyone.

This can ensure 2005 processes, since it's (as I said) a growing plague where we can continue to contribute and share solutions.

Thank you also for your input, FE, Stardostar and all else who keep this updated with news.

RE. the ongoing fiasco of the bundle.exe, the BargainsBuddy, ZESOFT and related Iseng*, cashback, eXact.Downloader Trojan Downloader, BullseyeNetwork Adware and other invasions, more to be done on this, but do have a current link on this noted above to track.

Asta
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13058178
Thanks, and ditto to both Cobol, Astaec, and everyone else who has joined in!
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13081195

Quoting Asta above:

>>WOW, I'm really impressed with the new Microsoft AntiSpyware Beta1 tool.  Just installed it and ran it (deep scanning all drives) and despite the fact that I did a full updated Viruscan last night, along with Spybot S&D (Immunized) and AdAware SE Pro then a HijackThis run and log check was "clean" ..... BUT then ran this beta software from Microsoft this morning and found 8 threats (high risk), 7 files and 11 registry keys.  Very very impressive.  I love it.<<

I have not been so impressed with it, and I'm starting to feel I'm right not to be.

This is worth as much as you want it to be, but considering who posted it...

On the use of MS AntiSpyware:

Quote:

Don't unless you're ready to format your hard drive and re-install everything.  It's a beta, which means it has problems.  It also delivers false positives and if you remove everything it "identifies" your machine may not work anymore.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only.  Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx

Unquote.

This is found in the MS newsgroups.

Zee
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13081795

Unofficial bugs list and FAQ's on MSAS Beta:

http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

Zee
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13082455
Thanks for adding these alerts, Zee.  I've had no problems as identified here whatsoever, but appreciate the "heads up" and link; I don't only use this, I also use the Spybot S&D Tool (with Immunize function) as well as the AdAware SE Pro (newest paid version) and the combo has worked well to purge the majority of intrusions found.  If/when DSO Exploits or some other known issues remain, rebooting in SAFE MODE and rerunning works well to purge.  Anything that the MS Beta product IDs I judge in terms of validity and always send the reports to Spynet.  "Beta" is always risky and I'm rarely one to run beta code, but have had good results on this one.  

Again, your alerts here are appreciated and will include this link as a reference point if/when I provide my opinion in Qs in the future and appreciate your input here.

Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13082496
Also noted that some problems reported had IE 5 installed and/or other OSs, and are not supported; it helps to check the Systems Requirements (as always)...
Microsoft Windows AntiSpyware (Beta): System requirements

Minimum system requirements for Windows AntiSpyware (Beta):
• Microsoft Internet Explorer 6.0 or higher
• A 300 MHz or faster processor with at least 64 MB of RAM
• Microsoft Windows 2000, Windows XP, or Windows Server™ 2003
• At least 10 MB of available free space on your hard disk
• Internet access with at least a 28.8 Kbps connection to use SpyNet™

Other problem noted, where users may 'remove' vs. 'quarantine' results, this:

 Windows AntiSpyware (Beta) displays detailed information about every spyware program detected, including a description of the threat, where it is located on your computer, a risk rating, and a recommended action to take. This information enables you to make informed decisions regarding removal. Detected spyware can be either temporarily disabled using Spyware Quarantine or permanently removed from your computer. If you inadvertently remove any programs, you can easily get them back.

More here....  http://www.microsoft.com/athome/security/spyware/software/faq.mspx
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13082535
Also curious if you've seen this....
Malicious Software Removal Tool
Published: January 11, 2005 | Updated: January 12, 2005
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers
 
Virus and Worm Families Cleaned
This tool scans for and cleans malicious software associated with the following security threats:

• Berbew
• Blaster
• DoomJuice
• Gaobot
• Mydoom
• Nachi
• Sasser
• Zindos
 
http://www.microsoft.com/security/malwareremove/default.mspx
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13082716

Asta,

The Removal tool looks good, but for the moment I will go for Stinger first, with the advantage of running with older Windows.

The alerts on the MSAS Beta bugs had the intention of reminding people it IS a Beta and it's starting to show.
;-)

And, of course, thanks for the other tips and comments.

Zee
0
 

Expert Comment

by:Stardotstar
ID: 13086771
It just found autotbar.exe trying to load on my machine!!!

Anyone know about this one?
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13086832
Thanks, Zee.  Wanted to note that when running MS AntiSpyware tool, check File and updates, new definition files were just added.

I could be mistaken, Stardotstar, but think it has to do with HP systems and internet keyboarding.  But would recommend that you open a question to handle this, since this is a central repository link to share information on Spyware/Malware/Malicious BHO links and tools vs. actually working specific questions.

Asta
0
 

Expert Comment

by:Stardotstar
ID: 13086869
Thanks will do and report back.

SDS
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13086987
And to follow up on astaec's comment about a central repository...   Had an interesting time today with another About:Blank page hijack...  None of the standard utilities helped me at all..  Hacking the registry would not work, nor would HijackThis help at all...  Almost thought I would have to reimage the PC, but as a last resort downloaded Adware Away in its trial version...  60 seconds later the hijack was solved and fixed..  They will try to sell it to you, but the trial version worked like a charm....!!!  The only link for download is here (with a list of spyware it will remove):

http://www.adwareaway.com/list.htm

I cannot say how highly recommended this utility comes (ME)...  Download it while you can, as I am sure they will lock it down sooner or later..

FE
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13087121
That looks really good, FE, thanks.  Downloaded/installed and testing on some systems here.  ":0) Asta
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13087147
Welcome, of course!
0
 

Expert Comment

by:Stardotstar
ID: 13087309
Support at HP said it had to do with imaging?  Funny I have had this running for a week and it has never caught it before.  I reactivated it and it did not catch it again.

FYI,

SDS
0
 

Expert Comment

by:Stardotstar
ID: 13148088
FYI,

Been working on a machine for 2 days now.  Love a good challenge!  Owner for the last year has been running an XP machine no Antivirus or Spy protection, so you can imagine.

My point is: after running many of the programs in the post along with 3 on line virus scanners, I installed the MS Beta Anti-Spy.  It found more things that the others did not pick up.

The fight continues!!!!!

0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13148125

Remember it still is a Beta.

Unofficial bugs list and FAQ's on MSAS Beta:

http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

Zee
0
 

Expert Comment

by:Stardotstar
ID: 13148500
Well, like my experience on other machines with multiple user accounts, I have found that running MS Beta has produced the same and more spy stuff under each different user.

Go Figure!  or maybe false positives?
0
 
LVL 11

Expert Comment

by:Paul S
ID: 13170088
Just a note for computer techs who remove spyware all day like me:

MWAV - A cool spyware / virus scanner from Micro World Technologies (the makers of eScan)
http://www.mwti.net/antivirus/free_utilities.asp

It only detects though

MWAV cleaner - A program i wrote that deletes all the files that MWAV detects.
http://www.paulscomputerservice.net/index.php?body=downloads.php

Just copy the list of detected viruses and then paste it into MWAV cleaner. It deletes files and kills processes when needed.

Other spyware links:
http://www.paulscomputerservice.net/index.php?body=./software/malwareinstructions.php
http://www.paulscomputerservice.net/index.php?body=spyware/Techniques.php
0
 

Expert Comment

by:Stardotstar
ID: 13171485
Well, after 3 days of working on this machine, I believe I have it as clean as it is going to be short of a format.  It was not until yesterday when Trend Micro sent out their notice of update.  I ran their online scanner and right away, something it missed before, it caught agobot on startup.

From that point on I ran everything else under the sun and even NAV online would run for the first time.

I fully realize I put way too much time into this machine, but like others here, love an occasional challenge!

0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13172171

A question I would like to put forward regarding an issue I have been debating elsewhere and that I got so flamed by a few MS MVP's I can still smell the smoke:

   Turn off System Restore before malware/spyware/virus cleansing.

- Yes or no?

I was flamed defending the yes.

Your opinion on this?

Thank you.




Cd&,

If you feel this is OT in here, please feel free to delete or move elsewhere.

Zee
0
 

Expert Comment

by:Stardotstar
ID: 13172222
I always turn it off to delete all old points before I start everything in safe mode.  Then upon completion, turn it back on.

0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13172229
>The_Computer_Guru_777

RE. mwav cleaner -
Very good!

Thanks!

>Stardotstar
Congrats!
"I fully realize I put way too much time into this machine, but like others here, love an occasional challenge!"
The law of diminishing returns!  :)
However, in a time when many users don't back up adequately:
sometimes a reformat/reinstall is not really an option!
Oh well!!

Regards...

RF
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13172256
Yes, CG777...  If you don't mind, I will be linking to your site from mine!

Thanks..!!

FE
0
 

Expert Comment

by:Stardotstar
ID: 13172386
Anyone seen a "search the Web" bar that hides behind the menu bar, lower right hand side of screen?

Ad-aware and Spybot have not removed it.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13172413
Never seen that one..  assume you checked the Add/Remove list..  Can you pull up a context menu on it and identify the bar?
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13172521
Don't forget to check IE's "trusted sites" as spyware puts itself on the trusted list.

Also, check the host file and make sure it hasn't been tampered with.  Then change attribute to "read only."

I also use Spyblaster, update it and run it.  It puts known spyware sites into "restricted sites" in IE.

As for System Restore, if a machine is in sad shape, then I disable before cleaning.  However, if a client tells me it was working just great last week, then I try the restore point first to save myself hours of grief cleaning a pest.

Had "interesting" spyware the other day that I couldn't identify or remove.  It kept creating internet shortcut icons on the desktop.  Fun it is.

0
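The two checks tituba2 lists above (a tampered hosts file and sites that spyware has quietly added to IE's Trusted sites zone) are easy to script. The following is an added example, not code from the thread or from any of the tools it mentions. The hosts text and the .reg export are constructed sample input, not data from a real machine; on a live box you would feed it %SystemRoot%\System32\drivers\etc\hosts and a `reg export` of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. The zone numbers (2 = Trusted sites, 4 = Restricted sites) are Internet Explorer's standard zone IDs; the IP address and domain names in the samples are made up.

```python
"""Audit a Windows hosts file and an exported IE ZoneMap for tampering.

Added example for the thread, not part of the original post or any tool.
All input below is constructed; replace with the real files on a live system.
"""
import re

# Constructed sample hosts file: one normal line, two hijacker-style redirects
# of search hostnames to a public address, and one blackhole entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.7    auto.search.msn.com
198.51.100.7    search.netscape.com
0.0.0.0         ads.example.net
"""

# Constructed sample of 'reg export' output for the ZoneMap\Domains key.
SAMPLE_ZONEMAP_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\winnings-example.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\lop.com]
"*"=dword:00000004
"""

# Addresses that only blackhole a name; blocking tools write these on purpose.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

TRUSTED = 2      # IE "Trusted sites" zone
RESTRICTED = 4   # IE "Restricted sites" zone


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that map a name to a non-loopback address.

    A search engine or update host pointed at a public IP is the classic
    hijacker signature; loopback/null entries are left alone.
    """
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            continue
        findings.extend((ip, name) for name in names)
    return findings


def zonemap_domains(reg_text):
    """Parse a .reg export of ZoneMap\\Domains into {domain: {scheme: zone}}.

    Nested subkeys (Domains\\example.com\\www) are joined back into the
    full host name (www.example.com).
    """
    key_re = re.compile(r"^\[.*\\ZoneMap\\Domains\\(.+)\]$")
    val_re = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
    domains, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = key_re.match(line)
        if m:
            current = ".".join(reversed(m.group(1).split("\\")))
            domains.setdefault(current, {})
            continue
        m = val_re.match(line)
        if m and current is not None:
            domains[current][m.group(1)] = int(m.group(2), 16)
    return domains


def trusted_sites(domains, allowlist=()):
    """Domains in the Trusted zone that the technician did not put there."""
    allow = {d.lower() for d in allowlist}
    return sorted(d for d, schemes in domains.items()
                  if TRUSTED in schemes.values() and d.lower() not in allow)


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts redirect: {name} -> {ip}")
    zones = zonemap_domains(SAMPLE_ZONEMAP_REG)
    for d in trusted_sites(zones, allowlist=["microsoft.com"]):
        print(f"unexpected Trusted site: {d}")
```

Run it after cleaning and again after a reboot: a hostname or Trusted-zone entry that comes back is a sign the resident component was missed, which is the same "it keeps coming back" symptom discussed for startup entries later in the thread. Setting the hosts file read-only afterwards, as the post suggests, stops casual rewrites but not malware running with enough rights to clear the attribute.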
 
LVL 4

Expert Comment

by:tituba2
ID: 13172532
Regarding "search the web" - yup, lots of times.  I carry the full version of Pest Patrol with me.  Install it, clean the box and then remove the product.  Pest Patrol finds and kills this spyware.  Lately I have been finding "viewpoint" on a lot of boxes.  You used to be able to go to pestpatrol.com and do an online scan.  It wouldn't clean but would show you the reg tags you had to pull.  Pest Patrol has been sold and I have had problems getting it to scan now.
0
 

Expert Comment

by:Stardotstar
ID: 13172541
Context menu?  It may be ffisearch.exe which is loading in the startup.  Going to delete it and see what happens.
0
 

Expert Comment

by:Stardotstar
ID: 13172586
Interesting: ffis won't let me delete its setting in the registry.  Will try safe mode.
0
 

Expert Comment

by:Stardotstar
ID: 13172589
And when I try to turn it off in msconfig, it reboots to normal.

0
 

Expert Comment

by:Stardotstar
ID: 13172620
Had to remove and edit it in safe mode,

FYI
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13172628
I believe that "search the web" is related to lop.com intrusions....

Always turn off system restore first and never regretted it, though regretted the wasted time when I didn't.  Baffled why you'd be flamed about this or what realistic downside others have stated as facts in their experience when first turning off system restore (which deleted restore points) .... but then do backup critical files first.

":0) Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13172647
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13172710

>>Baffled why you'd be flamed about this<<

Small sample of what I got from one of the MS MVP's posting:

Common on practice is not BEST practice.  This is a perfect example of
very bad advice and something not countenanced by anyone who has given the
subject any thought whatsoever.

I'm sorry but it is totally asinine to disable system restore until the
system is back up and running OK and to advise otherwise is simply bad if
not also stupid however well intentioned.

Unquote.

I was so damn surprised that I just needed double checking with more experienced EE experts.

Thanks and looking forward to other opinions for or against turning off SR.

Zee
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13172792
GADS, Zee, I'm blown away and not in a good way by this response!!!!    Malware and many other intrusions can mess restore points anyway and numerous conditions can make the restore a headache, brief samplings in this FAQ but many others come to mind....
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

Spyware solutions: Technology and leadership
Microsoft's strategy for addressing spyware and other potentially unwanted software - Updated: January 6, 2005
http://www.microsoft.com/athome/security/spyware/strategy.mspx

If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.
Much more here..... but the issue on "best practices" that the MVP addressed makes some assumptions, the least of which is that "most" would know if their restore points are infested.... it boggles the mind to think that you'd be flamed in this manner by anyone, but then ..... anyway, enough ranting on my end.  The source for more here:
How antivirus software and System Restore work together  (Which does not address the full gamut of other intrusions like malicious BHOs, malware, spyware) ....
http://support.microsoft.com/default.aspx?scid=kb;en-us;831829

Sorry to see, Zee, that you've had to endure such stuff.

Best wishes all, logging off for a spell.

Asta

0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 13172972
Zee,

Would you be kind enough to post the link to the thread where you got that flame.  I have some concern about that going on in a user's thread, and I would like to get a little more context on it. If there is an issue about what the right approach is, then maybe a broader discussion is needed so we all get on the same page.

Cd&
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13173006

Cd&,

It was not in EE, it was in a NG.

Topic: reoccurring viruses. My suggestion: turn off SR before cleansing.

The discussion turned so sour I doubted myself... Maybe I was wrong, maybe other people, like EE experts and others were also wrong...

Most people suggest turning off SR before cleansing. I understand why and also advise that.

The intention of my post was, exactly, understanding what the right approach should be...

SR before cleansing: Off? ... On?

Zee
0
 

Expert Comment

by:Stardotstar
ID: 13173169
Anyone seen Hijackthis ID Symantec file as agobot infected?  Have scanned with everything imaginable and can't find it or remove it?

C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE



0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 13173205
OFF

But I am a dumb old dinosaur who likes results to be predictable.

Cd&
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13175267
Hi!

Some comments concerning System Restore from the Langalist:
http://langa.com/newsletters/2005/2005-01-27.htm
http://langa.com/newsletters/2001/2001-12-03.htm#1

For some reason: it's hard to clean a user's computer when something
has been designed to place a copy of itself in System Restore -
you do this, you do that - nothing works!?!

IMHO: usually - OFF!

Regards...  :)

RF
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 13177203
OFF
0
 

Expert Comment

by:marcerickson
ID: 13178693
I turn it off.  My customers want this stuff removed in the shortest possible time (= less $) and anything that is programmed to hide in files backed up by System Restore will merely return after a reboot if it's not turned off.
0
 

Expert Comment

by:Stardotstar
ID: 13179245
Question: how long do you find yourself troubleshooting a machine that has spyware problems?

0
 
LVL 4

Expert Comment

by:tituba2
ID: 13179412
Well, that's the question now isn't it?  When does troubleshooting spyware become such a long process that it makes more sense to backup their files and format the box?  Last year, I was putting in the good fight and spending, on average, two to three hours.  

Now, I usually put in a good hour with all the standard tools.  Then I give the customer the option.  Tell them on average, two to three hours to clean up the mess, put on the patches etc.  Or, just about the same amount of $ I can backup their stuff and format the thing and be done with it.  I explain the pros and cons of both options.  Of course, if they have "borrowed" software and no CDs, then formatting isn't an option because I don't provide any illegal software/os.

The strongest argument for formatting is that you get rid of any of those unexpected orphan trojans and damage that have been left behind.

The other day, I had a box that had several viruses (including Netsky and Sdbot) as well as a piece of spyware I've never run into that actually kept creating desktop icons every five minutes or so.  

My personal nemesis is
http://www.pchell.com/support/onlythebest.shtml

When I run into this one, formatting is my main advice.  I have not been able to get rid of this Cool Search variant no matter what.
0
 

Expert Comment

by:Stardotstar
ID: 13179459
I usually bill for about 3 minimum hours, but put in easily 5-6, or more.
0
 

Expert Comment

by:Stardotstar
ID: 13188269
Well, have this machine down to this entry found by Spybot: UNKNOWN RAS Profile, 2 entries, HK_Users\default\remoteaccess\dialup01.

Just need to figure out what these are.

0
 

Expert Comment

by:marcerickson
ID: 13190504
Question: how long do you find yourself troubleshooting a machine that has spyware problems?

Answer- Not long.  Furthermore, spyware can cause such weirdness on a machine, that if the complaint is 'I can't do <whatever>', I look for spyware first and remove it.  That cures a lot of problems that I would otherwise spend hours on - fix the crappy software first and it makes your job SO much simpler.

The first thing I do is run msconfig - if I see anything unknown to me I look at that file's properties.  It won't show any details if it's spyware so at that point I can show the customer 'see, all these legitimate files have all of this info in the Properties and these don't.'  I assume that if I see a couple of spyware progs there will be more I can't see so I install the big four and a firewall, update, disable System Restore, boot into Safe Mode, and start scans.  Remove everything possible with the tools I installed and boot up normally to see if anything comes back - of course if I see evidence of CoolWebSearch I run CWShredder before booting normally.  If anything comes back, I use Startup List (merijin) to see what's running and where it's starting from.  Back into Safe Mode - delete anything required and regedits as required.  Total time: 2 - 2.5 hours (usually - unless it's my stepfather.  :-(  He seems to pick up some really persistent stuff...).

If I see too much in msconfig and some appear to be viral I urge a format and reinstall on my customers - including data backup and restore it takes around four hours unless they have a lot of data and it's scattered all over the place.  That's just to get Windows on and updated, a firewall and an AV program on the box.  (I don't consider my job done until it has the firewall and AV - I will not allow a box out of my care without doing the Windows Updates and the other two - if the customer whines about the cost, I do it for free.  Hopefully they will remember that and recommend me - if not, I have the inner satisfaction of knowing I did the job RIGHT!)
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 13190622
What I do is install the AV and Firewall FIRST, then plug the machine to the Net, Update AV and Firewall services, and only then run Windows update.
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13192051
Speaking of CWShredder.  The last couple of times I downloaded the latest Shredder and ran it (even in safe mode), it got to the cleaning of CWSGoogle and threw an error and stopped.  I had disabled System Restore and items in msconfig.  Ran Hijack and removed items in Registry.   I had to remove Cool Search variants using Pest Patrol, Spy Sweeper, Ad-aware and Spybot.  Even scanned with Housecall to get the random Trojans.  Then ran Shredder again and all was fine.  So either the Shredder tool isn't as good as it used to be, or there is some variant out there that is really messing with it.
0
 

Expert Comment

by:Stardotstar
ID: 13192717
If you are having problems with Home Search, I finally found a program called Home Search remover.  Once I removed it and also ran a registry program to permanently delete winnings (something or other) .com from continually loading in IE trusted zone, I began to make some serious headway on this machine that I have been working on for 3 days.

Once these two were stopped, I was then able to run Trend Micro online and it found over 100 virus problems in the C:\windows\system32 folder.  Something that Panda, NAV and even Trend Micro would not find.

Now when I get home today, I'll turn the machine back on and check it again.  The only remaining problem, which I think the removal of the 100-plus virus files will resolve, was that NAV would load but be disabled.

Keeping my fingers crossed.

0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13266636
Similar to this central repository link that COBOLdinosaur so kindly hosted for us all, created another on SPAM below, since it's a gigantic pain for us all, and thought perhaps it could be of value to help us help ourselves in these regards as well as others...
http://www.experts-exchange.com/Security/Bugs_Alerts/Q_21307879.html
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13266817

Great idea Asta!

Zee
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13268334
Thanks, Zee .... aligned to the issue of Email Spam, is of course, Phishing (identity theft), email spoofing and more.  I've posted pointers in Virus, Windows Security and the link above in the hopes we can compile a comprehensive repository to use to minimize the churn for us all in dealing with these incredible intense and ever-growing problems.

Your support is very much appreciated; hopefully the link will be streamlined, since I have no Page Editor access or the like to trim the overhead if irrelevant or indirect responses result, but will look for help in that regard if the responses merit it.

":0) Asta
0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 13269006
It is a little off of my beat, but you know where to find me if there is no one else to help.

Cd&
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13275113
Thanks, Netminder and Cd& .... I did send an Email to the PE of the link yesterday for the Bugs & Alert TA, but appreciate the reminder.  COBOLdinosaur sure did start something really great here, and I see many of our Experts pointing here in many TAs.  Central Repository links are excellent tools for us all to minimize churn, recreation of wheels and to keep the threads streamlined with the help of the PEs.  Thanks again... ":0) Asta
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 13275188
Ran into one yesterday
msdioo.exe
as soon as you delete/rename
it creates a new instance of it
instantly
any one know anything about it (only found 4 references to it in google)
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13275300
I recall reading that this may be a trojan related to msmc.exe and possibly Spyware.ClientMan .... was doing research at Norton, and found this link which "may" help.  Google may produce more.
http://securityresponse.symantec.com/avcenter/venc/data/spyware.clientman.html
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 13275354
Thanks Asta
I don't have the machine any more, but I did remove all reg entries, ended task on any suspicious processes, booted to safe mode, and it still exhibited the same behavior
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 13275976
Hi, Steven, sending you an Email.  I assume you found this key?  Appears the intrusions are more significant than first glance.  Also including a link that looks fairly comprehensive.
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe
http://www.techsupportmail.com/showthread.php?p=172225#post172225
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 13276074
Asta, yep, got your email, and yes, turned off system restore, and found that reg key
I'm not going to worry too much about it (don't have the box any more) but wanted to post so others would be aware, may be a new variant :-)
0
 
LVL 11

Expert Comment

by:Paul S
ID: 13294122
>>>Speaking of CWShredder.  The last couple of times I downloaded the latest Shredder and ran it (even in safe mode), it got to the cleaning of CWSGoogle and threw a error and stopped.

I had the same problem. The newer CWShredders haven't seemed as good since it changed ownership.

Regarding System Restore:
I think that SR should be enabled during any virus or spyware cleaning. If after a thorough cleaning something is messed up in Windows you can always use a backup of the registry. If everything is fine, then disable and re-enable SR to clean out any malware that may be in the SR area.

If a malware is recreating itself instantly right after deleting or renaming, it is almost guaranteed that it is in memory. Kill all non-system processes. Or do a malware scan from a PE environment.
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13343417
Microsoft has a malware tool they update a couple times a month

http://www.microsoft.com/security/malwareremove/default.mspx

0
 
LVL 4

Expert Comment

by:tituba2
ID: 13370457
Ghostware - Rootkits

CoolSearch spyware has turned into Ghostware.  No wonder you can't delete the stupid thing with our regular tools!

http://research.microsoft.com/sm/strider/spyware/

see
http://www.computerworld.com/printthis/2005/0,4814,99843,00.html


0
 
LVL 4

Expert Comment

by:tituba2
ID: 13370497
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 13373045
Hi Tituba.  Registrar is a great tool. I've used both the Lite version (free) and the Pro version (unfree). Gives you a lot more info than your regular Regedit. Gets a lot of thumbs up from me.
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13529986
Thanks Lobo.

Sysinternals now has a free utility to find root kits

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

It used to be you could scan at www.pandasoftware.com and it would detect and then disinfect spyware/trojans.  Ran the scanner last night and they now have a popup saying they will detect only.  

PCWORLD is recommending CounterSpy as a cleaner.  Anyone have any experience with this product?

http://www.sunbeltsoftware.com/product.cfm?id=410

NOTE:  Ad-aware removes Wsaupdater.exe  as a spyware program and then you can't log back into XP.

See
http://support.microsoft.com/default.aspx?scid=kb;en-us;892893





0
 

Expert Comment

by:marcerickson
ID: 13542246
I haven't tried CounterSpy - but it's getting lots of good press as the most effective spyware cleaner for a single tool.


Marc
0
 
LVL 4

Expert Comment

by:tituba2
ID: 13732750
Ok, the hackers have figured out a way to put back the cookies we are deleting with spyware cleaners etc.  They are using the Flash player.  Macromedia has issued instructions on how to fix this.

http://story.news.yahoo.com/news?tmpl=story&cid=509&e=7&u=/ap/cookie_buster

Macromedia's fix
http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=52697ee8
0
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 13732785
Lol...I have to go find the thread where some moron argued with me that flash was safe because they had a security mode that guaranteed the code could not access the hard drive.  

Thanks for posting the fix.  I clean on that one because I refuse to install the flash player so that site can throw flash ads in my face.

Cd&
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13733640
Thanks for the information - tituba2
Nice work!
RF
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13885382

Try this website for HJT logs auto-analysis:

http://www.help2go.com/modules.php?name=HJTDetective

Not perfect, but I feel that using this one in conjunction with:

http://www.hijackthis.de/

Will produce a quite nice result that will solve a large percentage of common problems.

Feedback appreciated.

Thanks!

Zee

0
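The auto-analysis sites blue_zee links above do, at scale, what a technician does by eye with a HijackThis log: pull out the startup (O4), BHO (O2) and IE start/search page (R0/R1) entries and ask which ones do not belong. The script below is an added example of that triage, not code from the thread, from HijackThis, or from either analysis site. The log lines are constructed for the example, built around the O4 line Asta quoted earlier (`O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe`) and the ffisearch.exe entry Stardotstar fought with; the exact line layouts for O2 and R0/R1 are assumed from the HijackThis log convention, and the rules are deliberately simple prompts for a human, not verdicts.

```python
"""Triage a HijackThis-style log: list the entries worth a second look.

Added example for the thread, not part of the original post and not the
HijackThis program's own code. The log below is constructed sample input;
the O2/R0/R1 line layouts are assumed from the usual HJT log format.
"""
import re
from collections import namedtuple

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.lop-example.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\System32\example-bho.dll
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msdioo.exe
O4 - HKLM\..\Run: [avtray] "C:\Program Files\Example AV\avtray.exe" /min
O4 - HKCU\..\Run: [ffisearch] C:\WINDOWS\System32\ffisearch.exe
"""

# section: R0/R1/O2/O4; where: hive (or CLSID for a BHO); name: display name
Entry = namedtuple("Entry", "section where name target")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.*?),"
                  r"(Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (.*)$")
SYSTEM32_RE = re.compile(r"[\\/]system32[\\/]([^\\/]+)$", re.IGNORECASE)

# Constructed, deliberately short allowlists; a real one would be much longer.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}
TRUSTED_DOMAINS = ("msn.com", "microsoft.com")


def executable_path(cmd):
    """Reduce a command line to its executable: honour quotes, drop arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|ocx|cpl|scr))(?:\s.*)?$", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse(log_text):
    """Turn the sections we care about into Entry records; ignore the rest."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m.group(1), m.group(3), executable_path(m.group(4))))
            continue
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m.group(2), m.group(1), executable_path(m.group(3))))
            continue
        m = R_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), m.group(4), m.group(5)))
    return entries


def triage(log_text):
    """Return (section, name, reason) for entries a technician should inspect."""
    flagged = []
    for e in parse(log_text):
        if e.section in ("R0", "R1"):
            host = re.sub(r"^https?://", "", e.target).split("/")[0].lower()
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
                flagged.append((e.section, e.name, f"IE {e.name} points at {host}"))
            continue
        if e.section == "O2" and e.name.strip() in ("", "(no name)"):
            flagged.append((e.section, e.name, "BHO with no display name"))
            continue
        m = SYSTEM32_RE.search(e.target)   # O2 or O4 loading from System32
        if m and m.group(1).lower() not in KNOWN_SYSTEM32:
            flagged.append((e.section, e.name, f"loads {m.group(1)} from System32"))
    return flagged


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} [{name}]: {reason}")
```

The "loads from System32 but is not a known system binary" rule is what catches msdioo.exe and ffisearch.exe in the sample, which is exactly the judgement call the thread's posters were making by hand; the cost is that the allowlist has to be maintained, and a hijacker that drops into Program Files instead will slip past it, so treat the output as a shortlist to look up, never as a list to delete.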
 
LVL 53

Author Comment

by:COBOLdinosaur
ID: 14023577
Perhaps some help on the legal side of this:

http://yro.slashdot.org/yro/05/05/17/182218.shtml?tid=158&tid=17

Cd&
0
 
LVL 4

Expert Comment

by:tituba2
ID: 14052830
InterMute (CWShredder tool) has just been acquired by Trend Micro.  

Ran Ad-aware in safe mode and during the "quarantine these items" process, got the dialog box saying I was running in Safe Mode and did I want to do a System Restore.

Is this an Ad-aware bug or is this some evil spyware not wanting to be quarantined?  I didn't answer the dialog and let Ad-aware run in the background.
0
 

Expert Comment

by:Stardotstar
ID: 14053028
Is it my imagination, or has this problem slowed?  I am not getting near the calls for spyware issues!

0
 
LVL 4

Expert Comment