Solved

Best Auto Spyware Removal Program/Need to run under Safe Mode?

Posted on 2005-03-05
2,088 Views
Last Modified: 2013-12-04
Please note that this is a general question relating to no particular PC's Spyware situation. And I did read most of one recent EE thread relating to Spyware, namely "Spyware removal not working"  at www.experts-exchange.com/Security/Win_Security/Q_21318854.html which had some general info, especially if the links are followed. But I am still basically a beginner at removing Spyware/Adware.

I am in a situation where I am called upon 2 - 3 times a week to remove spyware from people's home PCs, as well as fix a variety of other PC problems. The first time I tried to remove Spyware, I noticed that with a PC that had what seems like a bad Spyware infestation, that using Add/Remove Programs (even in Safe Mode) to remove what is clearly Spyware, AND removing suspect spyware from the start-up list AND even deleting a few clear Spyware files (again in Safe mode) had very little effect on all the spyware symptoms, which was quite disappointing. Basically I had failed.

So it appears I need a more automated approach. Based on info from a computer guru friend and things I've seen here and there on the internet, the two best programs are Spybot and Lavasoft's Ad-Aware. However, I have also recently learned that NAV 2005 has added Spyware/Adware removal to its product. And lots of people seem to use Hijack This logs to solve spyware problems. So that is 3 top automated programs and one powerful more manual approach, Hijack This, plus followup as directed by the log.

(1) So MY FIRST QUESTION IS for a PC that has lots of spyware pop-ups and unwanted toolbars and sidebars and even the normal screen background is replaced by a Spyware related background, what is the best approach? Preferably from the above 4 choices but if you are sure you know something better, please tell me about it.

(2) MY SECOND QUESTION IS, once all Spyware symptoms are removed (and hopefully all or almost all Spyware), what is the best way to prevent Spyware from reentering the PC?

Now before you answer I want to briefly describe a conversation I had two days ago with a Symantec Customer Service person in India. I said I ran NAV 2005 Full Disk Scan in the above "failure" situation, and it did improve the Spyware symptoms and removed lots of Spyware/Adware but it also left 10 or so quarantined viruses and about 100 spyware/adware files (after it removed a few hundred others). This Indian fellow quickly told me to rerun NAV 2005 Full Disk Scan in Safe mode, and most of the things left in my previous normal boot run would now be deleted. Because in normal mode, files being accessed by running SW cannot be deleted. But in Safe mode, NAV 2005 Full Disk Scan is more powerful. The bad news is that it will take MUCH longer to run in Safe Mode (i.e. 2-5 hours) and it is already time consuming in normal mode. Now here's the thing I noticed the most. He said that he had a side business fixing people's PCs in India and he had a 100% success rate removing ALL Spyware Symptoms running NAV 2005 Full Disk Scan in Safe Mode and then, in some cases, running Ad-Aware after that (if certain files/symptoms are left).

I cannot ignore this advice because Symantec is the world's leading company in the PC security area (even though their past focus has been more on viruses) and this fellow has real world experience, not just theory, not just what his company documentation says.

The reason I mention this NAV 2005 thing is that prior to this conversation, my impression was the general wisdom to remove already present Spyware was to run either Spybot or Ad-Aware after a normal boot. But this guy made me seriously consider a different approach. First run NAV 2005 Full Disk Scan in Safe mode (even though it will take a long time) and then use Spybot or Ad-aware also in Safe mode if some symptoms persist.

WHAT IS YOUR OPINION?  NAV 2005, Spybot, or Ad-Aware? And should your recommended choice be run in Normal mode or Safe mode?

Or do you feel the way to always proceed is "HiJack This" even though it appears to require knowledge of which entries to follow up on and is not automated.

NOW, assuming I have succeeded in removing the Spyware Symptoms (and hopefully all the Spyware), what do you recommend for PREVENTING SPYWARE FROM GETTING BACK ON THE PC? I know that Spybot has an Immunize button in the left column that addresses this in some way. And I assume Ad-aware has something similar. And NAV Auto-protect blocks new viruses from entering the PC; I do not know if it also blocks spyware and I did not ask the Indian fellow above that question. Or, if it does, how effective is it? Please respond with your recommendations here not necessarily limited to the above products.

Regards,
   Mike
0
Comment
Question by:mgross333
22 Comments
 
LVL 15

Expert Comment

by:greyknight17
ID: 13468384
OK, there is no one software that will be better than others (at least not by a lot).  Different infections may require different tools to remove (especially the nastier ones).  But like you said, Ad-aware and Spybot are the top two in the list.  They will remove most of the common spyware/malware from your computer.

So:

1.  Best approach is to run Ad-aware and Spybot in Safe Mode.  Make sure that System Restore is turned off if the user is using Windows ME/XP.  I suggest also running a virus scan.

2.  Prevention programs will help you better protect yourself from another spyware infection.  It's not 100% guaranteed but it does a great job.

I have a short tutorial written about removing spyware and also a prevention section (near the bottom) at:

http://www.greyknight17.com/spyware.htm

That guide should get most of the bad ones.

Something to add to the spyware programs.  You might also want to try using Microsoft AntiSpyware.

Yes, it's usually best to run all these scans in Safe Mode since that will have the least processes running.  The one program that I can remember now that should not run in Safe Mode is HijackThis.  We want all the processes to be listed so we can catch any bad files/programs.  So that should be in Normal Mode.

Regarding NAV, I'm never a big fan/user of Norton products.  Just didn't like it.  Regarding the person from India fixing spyware using NAV, I doubt it will remove ALL spyware.  I'm not saying that he didn't get computers clean from time to time, but I doubt NAV does a 100% clean out of spyware.  It can't even remove some viruses/trojans.

I have asked users to do this before.  They ran all the tools/programs like Ad-aware, Spybot, Norton, etc.... and they say clean.  Then I ask for a HijackThis log and lo and behold, there was spyware/malware in there being caught by HijackThis.

So basically, run all the programs first before using HijackThis.  You have to be careful on some of the fixes though because there are some (like New.Net) which will kill your internet connection if you try to remove it.  So for that case, I usually ask users to download WinsockFix (google for it) and run that program first before removing it from Add/Remove and HijackThis.

I hope that covers it all.
0
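greyknight17's workflow (run the scanners first, then read a HijackThis log for what they missed) can be partly automated for the first pass. The script below is an added example written for this thread; it is not code from the thread or from the HijackThis project. It parses lines in HijackThis's R0/R1/O2/O3/O4 format and applies a few defender heuristics: a start page or ShellNext URL on an unfamiliar host, a BHO or toolbar with no name or no file on disk, and an autorun launched from outside the usual program directories. The sample log, the TRUSTED_HOSTS allow-list and the STANDARD_DIRS prefixes are all constructed assumptions that an analyst would tune for the machine in front of them.

```python
"""Heuristic first-pass triage of HijackThis-style log lines (added example)."""
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

# Constructed sample in the HijackThis R/O line format; these entries are made
# up for this example and are not the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.example-hijack.test/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\abcd32.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - (no file)
O3 - Toolbar: Example AntiVirus - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\Example\ShExt.dll
O4 - HKLM\..\Run: [srch] C:\WINDOWS\srchsvc\srchsvc.exe
O4 - HKLM\..\Run: [Example Update] C:\Program Files\Example\Update.exe /quiet
O4 - HKLM\..\Run: [SNDMon] C:\PROGRA~1\SYMNET~1\SNDMon.exe
"""

# Assumptions an analyst tunes per machine: hosts the owner really chose as
# home/search pages, and directories where legitimate autoruns normally live.
TRUSTED_HOSTS = {"www.example.com"}
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


class Finding(NamedTuple):
    kind: str
    line: str
    reason: str


def _exe_path(command: str) -> str:
    """Return the executable part of an O4 command, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" /", 1)[0]


def triage(log: str) -> List[Finding]:
    """Flag entries that deserve a human look; unflagged lines are not 'clean'."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, process list, blank line
        kind, body = match.group("kind"), match.group("body")

        if kind in ("R0", "R1"):
            # "...,Setting = URL": a start page on an unfamiliar host is the
            # classic sign of a browser hijack.
            url = body.split(" = ", 1)[1] if " = " in body else ""
            host = urlparse(url).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(kind, line, f"browser setting points at unrecognised host {host}"))

        elif kind in ("O2", "O3"):
            # "BHO: <name> - {CLSID} - <dll path>"; toolbars use the same shape.
            parts = body.split(" - ")
            name = parts[0].split(": ", 1)[1]
            path = parts[-1]
            if path == "(no file)":
                findings.append(Finding(kind, line, "orphaned registry entry, the DLL is missing"))
            elif name == "(no name)":
                findings.append(Finding(kind, line, f"unnamed browser extension loading {path}"))

        elif kind == "O4":
            # "HKLM\..\Run: [label] <command>": autoruns outside the usual
            # program directories get checked against the vendor's file list.
            command = body.split("] ", 1)[1]
            exe = _exe_path(command)
            if not exe.lower().startswith(STANDARD_DIRS):
                findings.append(Finding(kind, line, f"autorun outside standard program directories: {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the constructed sample it flags four lines (the hijacked ShellNext URL, the unnamed BHO, the orphaned BHO and the autorun under a non-standard WINDOWS subfolder) and stays quiet on the vendor toolbar and the two autoruns under Program Files. The heuristics only prioritise; an entry that is not flagged still has to be checked, and one that is flagged still has to be confirmed before anything is removed.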
 
LVL 15

Expert Comment

by:davidis99
ID: 13469521
I've had to deal with a number of cases of removing spyware from home PCs, and removal and inoculation of office PCs against receiving spyware.  My first comment - it's a lot easier to keep the stuff off than to remove it once it's on.  For inoculation, I recommend:

1) run WinXP SP2 - one feature of IE6 on SP2 is it blocks the installation of activeX controls without the user specifically allowing them.
2) use the spybot immunize feature, and also use SpywareBlaster, which maintains its own set of signatures for items that try to infect both IE and Firefox.  In freeware mode, both need to be updated manually, though with SpywareBlaster (and probably Spybot as well) you can pay for an auto-update service.  These two in tandem work quite well in keeping spyware off PCs - I've had virtually nothing to clean up since rolling these out on the PCs at the office.
3) For spyware removal, I recommend trying successive tools until the problem is cleared.  Spybot and Ad-Aware are good choices to start with; you can follow them up, if needed, with the Yahoo toolbar's spyware scanner (http://toolbar.yahoo.com/ie), Microsoft's windows antispyware beta (http://www.microsoft.com/athome/security/spyware/software/default.mspx), and a trial of Ewido Security suite (http://www.ewido.net/en/) which I've found to do a good job of cleaning out things other removal tools can't remove (or things that break other removal tools.)

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13470317
davidis99
... one feature of IE6 on SP2 is it blocks the installation of activeX controls without the user specifically allowing them-
I can't find this setting... it'd be nice if that were one... but I've never seen it.

mgross333
To remove viri, or spy-ware, on xp or winME you must make sure that system restore is off first, then remove.
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
I find that mcafee has a few more definitions than norton when it comes to spy-ware. And hands down when it comes to mal-ware or potentially unwanted programs, mcafee leads the way again. Norton does not detect programs like L0pht Crack, JohnTheRipper, Cain&Abel, Kerbsniff, KerbCrack, pwdump etc...

For prevention, these two suggestions are paramount:
1) Never run as an admin of your machine when doing day-to-day activities, especially when browsing the web. Admin rights are for admin tasks, such as software installation, or system setting changes.
2) Use an alternate browser than IE. Firefox, mozilla, opera, or even netscape have more security and lack the activeX controls that spy-ware rely on.

For good measure, you should run AV products such as norton or mcafee. Ad-Aware should be used in addition to AV. I've found no benefit to using safemode. System-Restore is the worst.
-rich

0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13470863
Hi!

Good advice from all above!

For prevention; look into these programs:

    * Spywareblaster <= SpywareBlaster will prevent spyware from being installed -
      http://www.javacoolsoftware.com/spywareblaster.html
    * Spywareguard <= SpywareGuard offers realtime protection
      from spyware installation attempts.
      http://www.wilderssecurity.net/spywareguard.html
    * How to use Ad-Aware to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Ad-Aware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
    * How to use Spybot to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Spybot.
      Similar to Ad-Aware, I strongly recommend both to catch most spyware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=43
    * Run CWShredder - to remove numerous variants of {KoolWebSearch}
        {CWShredder - "stand-alone"} - http://cwshredder.net/bin/CWShredder.exe

To protect yourself further:

    * IE/Spyad <= IE/Spyad places over 4000 websites and domains
      in the IE Restricted list
      which will severely impair attempts to infect your system.
      It basically prevents any downloads (Cookies etc) from the sites listed,
      although you will still be able to connect to the sites.
      https://netfiles.uiuc.edu/ehowes/www/resource.htm
    * MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file
      with one containing well known ad sites etc.
      Basically, this prevents your computer from connecting to those sites
      by redirecting them to 127.0.0.1 which is your local computer
      http://mvps.org/winhelp2002/hosts.htm
    * Google Toolbar <= Get the free google toolbar to help stop pop up windows.
      http://toolbar.google.com/

I also suggest that you delete any files from "temp", "tmp" folders.
In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files"
and select the box that says "Delete All Offline Content" and click on "OK" twice.
Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".
These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?
http://forums.net-integration.net/index.php?showtopic=3051

Good luck!

RF
0
 

Author Comment

by:mgross333
ID: 13472827
Thanks for all the good advice. I am still taking it all in and following some of the links. In the early part of the week of 3/7/05 I will have an opportunity to try out some of this advice.

Before that, I would appreciate ANSWERS TO FOUR FOLLOW-UP QUESTIONS; three are directly prompted by the responses above.

(1) Why does turning off System Restore help? I would think that all this does is prevent further Restore files from being saved. If previously created Restore/Recovery files exist with Spyware/Viruses in them, those will still be there because I assume that turning off System Restore does not delete existing Restore files. However, if turning Restore off "unlocks" them to NAV, Spybot, Ad-Aware and the like so they can delete the files or the virus/spyware in them that WOULD be effective. PLEASE CLARIFY THIS FOR ME.

(2) To Expert "richrumble" where you say
> I've found no benefit to using safemode (when running NAV, Mcafee and Ad-aware).
I would think that it would always be better to run in Safe mode. As most files would not be accessed by running programs and could be deleted by Virus/Spyware Scanners. I have observed on one PC that NAV Autoprotect popped up two warnings about different Virus files that could not be repaired. I tried to directly delete them and failed with an error message from Windows about the files being accessed at the time. I rebooted in Safe mode and my deletes were successful. On a different PC, I found 3 known Spyware programs that I could not remove with Add/Remove programs. The remove command failed and they remained in the Program list in Add/Remove Programs. I rebooted in Safe Mode. And the Removes from Add/Remove Programs now succeeded (not that it did any good as most Spyware symptoms persisted).

This experience plus the advice of "greyknight17" above that
> it's usually best to run all these scans in Safe Mode since that will have the least processes running
seems counter to your advice. PLEASE RESPOND as to why you have found NO BENEFIT to using Safe Mode given the above.

(3) To Expert "greyknight17" is it true, as the Indian Symantec Tech Support guy claims, that running Virus/Spyware Scanners in SAFE MODE TAKES MUCH LONGER than running them in normal mode? If so, can you hazard a guess as to how much longer? i.e. twice as long, 5 times as long, or whatever. Because running a full disk scan with NAV can take a half hour to over an hour depending... So MUCH longer than that is definitely a consideration that I need some kind of handle on if I am going to follow your advice. In some cases I am not provided a long time to fix the problem and would need to reschedule to a better time or would start the scan in Safe mode and come back the next day and finish up, if I know the Safe mode scan will take several hours.

(4) Please briefly explain what Quarantine means, a term used by NAV and Ad-aware. And, given that definition, why is it effective as it apparently still leaves the virus/spyware on the PC? And is quarantine the last resort after delete and repair have failed?

Regards,
    Mike

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13473586
Turning off system restore deletes previous restore points. I'm not sure you can get them back or back them up... never tried, as I turn it off by default and never enable it on all our 2000+ xp pro machines. It is true that safe-mode will not run as many programs from starting up. Ad-Aware has a function to add itself to the first program to be booted, effectively pausing all others until it has run its scan, or removed a previously marked target. Using TaskManager can also kill many of the programs that seem to be active or locked. If none of that is enough, I take the HD out of the PC and put it in another as a secondary drive and scan it. Simple for me, but maybe not others... If using winxp or 2003 you can also kill a lot of the startup programs with Msconfig http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/msconfig_usage.mspx

HijackThis and Ad-Aware typically are more than enough to remove the pests... McAfee sometimes interferes with the removal with its on-Access scan... if mcafee sees that ad-aware has run across some spy-ware, it will snatch it away from ad-aware and try to clean it itself- ad-aware also sees the pest, and marks it for deletion, however mcafee has typically already done that. Doesn't cause any real problem, but something of note.

Spy-ware was just too much for us to keep up with- so now everyone uses FireFox at the company, and if a site requires IE to be used to render correctly, the users click on a vbscript that opens IE as a user in the Guest group- lowest privilege, and activeX scripting is turned off- but java is allowed.

Here is the script if you're interested: (use SCRENC.exe if you don't want them to know the pass or change the script...)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/seconscriptencodersyntax.asp

Option Explicit
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Replace the path with the program you wish to run (c:\... etc.)
' runas launches the program under the Guest account and prompts for its password
oShell.Run "runas /noprofile /user:guest ""iexplore.exe"""
' Give the runas password prompt a moment to appear before typing into it
WScript.Sleep 100
' Replace the string yourpassword~ below with the password used on your system.
' Keep the tilde: SendKeys treats ~ as the Enter key, which submits the password.
oShell.SendKeys "yourpassword~"
WScript.Quit

-rich
0
 

Author Comment

by:mgross333
ID: 13475849
To Expert "richrumble"

Thanks for the answers on System Restore. And alternatives to using the IE browser (or using it in the normal way). However, for typical home users, not running IE normally may not be practical; they will want to do that. In a Corporate environment where the System Admin/MIS Manager has some authority, it's a different story. Hence, I'm hoping that some of the approaches suggested by "rossfingal" above will prevent Spyware from re-entering the PC.

On reading your reply, I realized I cannot take action on your Safe/not Safe mode advice unless I also have the answer to my followup question (3), namely whether it takes MUCH longer to run the Spyware/Virus Scans in Safe mode (and Diagnostic Mode, see below) than in normal mode.  If you reply again in this thread could you PLEASE ANSWER THAT QUESTION (although I did not address it to you). Or perhaps "greyknight17" will reply on this.

Regarding your reply on the Safe mode issue
(A) Isn't rebooting in msconfig/Diagnostic mode (i.e. the first link in your reply) essentially the same as Safe mode? I compared the Task Manager process lists for Diagnostic mode and Safe Mode and they are the same (except Diag mode added userinit.exe). And Diag mode also does not load many drivers. Which brings me back to the "MUCH longer time" question above. The point is, if Diagnostic Mode also slows running of Scans as much as Safe mode (if that is the case), then it does not address my concern.

(B) Assuming that both Safe and Diagnostic Mode slow down the scans a lot, is the following a workaround? Run the Spyware/Virus scans in normal mode. Reboot in Safe/Diag mode and then do the delete/repair/quarantine. Because it is the scans that take all the time, not the fix/delete part. I need to know this for three programs: NAV 2005, Ad-aware and Spybot.

(C) Regarding the workaround for Ad-aware you suggested, namely
> Ad-Aware has a function to add itself to the first program to be booted, effectively pausing all others until it has run it's scan, or removed a previously marked target.
Are BOTH these actions the default? If not what do I need to do to turn this on? And I assume in the latter case I need to reboot because if Ad-aware is not the first booted program, no command entered to it will make it so, until I reboot. Also do I need to be Administrator or have Admin privileges to get this to work?

(D) Does Spybot, the other program recommended by Experts above (and a PC guru friend of mine) have a similar option (becomes the first booted program)?

Regards,
  Mike
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13476218
I'm not sure why safemode scans take longer... I've not done many scans this way, and I don't recall them being longer than normal.
Ad-Aware's boot-first feature is turned on by default, and the way it works is this- ad-aware will tell you after you've selected and removed all the pests that there are some pests that cannot be removed right now, would you like to remove these at next startup? You tell it yes and it will do so on the next reboot.

>Also do I need to be Administrator or have Admin privileges to get this to work?
No, this runs before any login has taken place... so the system account is being used- the system account is the highest privilege account, higher than admin.

One of the best ways for prevention is not running as a local admin, or having your users in the local admins group. This can prevent lots of programs from being installed on the pc, not to mention spy-ware... this is one of the top suggestions of "best practices" for any OS.

If you have the means of using a second PC, and safe mode scans take too long, I'd suggest removing the HD from the infected pc, and placing it in another pc with AV and spy-ware removal programs. This drive will be a secondary drive, and can be scanned at full speed. This is also a great way to get rid of the rootkits that are becoming popular with spy-ware programs. This is not much different than using a winPE cd-rom to scan a PC booted off the Cd-rom, so no windows drivers are loaded- the principle is the same.

I work in a corporate environment, and I am in a position of influence on security and keeping costs low. We are a M$ shop, and our intranet and even our site use lots of M$'s languages... firefox and the others render the content just fine for 99% of these sites. There are times when selection boxes, or drop down boxes fail to appear or render properly due to M$'s code not following the many standards out there. Again we tell the users when this happens, to open up IE using the vbscript above to open IE in the guest account (they don't know any of this, and the vb file is encoded in vbe, not plain-text vbs.) and they are able to view that content fine, again activeX is turned off on our pc's but java is still able to run. This can still lead to a few pop-ups or pop-unders- but the Google toolbar (mentioned above) helps with that, in addition to moving the users to xp-sp2 with its pop-up blocker.

I don't work with Norton products any longer, I see: "Detects spyware and certain non-virus threats such as adware and keystroke logging programs."
-rich
0
 

Author Comment

by:mgross333
ID: 13493401
Summary: I have followed almost all the advice above and have made no progress at all. None. All the Spyware symptoms are still there. I have posted a HiJack This Log below for further Expert analysis in hope that the Spyware can still be removed. But BEFORE YOU GO TO THAT, please read the details below of the earlier steps I took and the results AND also reply on how this result is possible given all the things I did.

Details: It appears that after each step described below, all the Spyware that was removed came back at the next reboot. But that is only one possible interpretation. Also my impression from the above Expert comments is that a Hijack This Log is to get rid of the last few Spyware/Adware objects after running the usual Spyware removal programs gets rid of most of the bad objects. In my case it appears that little or nothing was PERMANENTLY removed at all. Somehow they all came back at the next reboot. In this context, note two things.
(1) After running the Microsoft beta Spyware removal tool, it said just before closing that "Reboot now to prevent Spyware from Regenerating". This comment implies to me the possibility that Spyware can be removed and still come back as I think is the case here.
(2) It takes about 5 minutes after rebooting for the hour glass symbol to go away. And initially the screen looks fine, correct desktop background and icons (however errors pop-up immediately about two missing files (boln.dll and soft.exe) that are only used by Spyware so that is a bad sign from the start). Then over a period of a few minutes, the correct background turns to solid blue, solid white and then black and then black with a Spyware-generated message in the background. All this happens slowly because the PC only has 128 MB RAM (barely enough for its XP OS) and a 1.6 MHz P4 or at least that is my guess as to why this takes so long. Then a variety of Spyware pop-ups start appearing. And the Windows Task Manager shows a very long process list with all kinds of Spyware processes as determined by entering their names in a Google search. The point is that this is lots of time for all the Spyware to come back and that's what seems to be happening.

OK, here's what I did. I ran NAV 2005 Full Disk Scan in Safe Mode and removed the one virus it found successfully; it found no spyware.  (I had previously run it in Normal mode and it found over 500 bad objects and removed most but not all. It quarantined or repaired the viruses but did nothing in the previous run about the spyware it could not fix.). It is also IMPORTANT TO NOTE that this PC has NOT had any virus protection or any Microsoft OS updates for three years before I got there. I have now installed all 23 Microsoft critical (i.e. security) updates but not SP2 as the directions for SP2 said to remove all Spyware and Viruses before installing SP2.

Then I TURNED OFF SYSTEM RESTORE as directed above. Also all Spyware removal programs WERE UPDATED before running. Also when they said to reboot because there was one object they could not remove and it would go away at reboot, I did that. Furthermore all Spyware Removal was done in Safe mode except the Microsoft one because it would not run in Safe mode per an on-screen message. Also one (can't remember which) said it was recommended to turn on quarantine and I did that as recommended. Then I went through all the steps in order listed in the link http://www.greyknight17.com/spyware.htm provided by greyknight17 in the first post above to my question.

First I ran CWShredder. After two reboots and re-runs it finally found no CWS objects.

Next I ran Ad-aware SE Personal from the PCWorld Magazine site (and updated it). It found about 635 critical objects and I had it remove every one except a low threat level (TAC score = 3) relating to a browser pointing to a blacklisted site. I did not record the details of this one object except the notes suggested to me something that might be legitimate and not spyware related.

Then without rebooting to see if anything had improved in normal mode, I ran Spybot S&D 1.3 from the PCworld site (and updated it). It found 55 bad objects and removed all of them.  Before going on, I want to note that the Spyware names were pretty much the same ones that Ad-aware had reported. CoolWebSearch (which CWShredder was supposed to remove), Bargain Buddy, and many others whose names I unfortunately did not write down to list here. But it was pretty much the same list. Now about the 55 objects here vs. 635 in Ad-Aware. This looks like Ad-aware removed most objects. But Spybot might not expand each Spyware name into as many separate objects as Ad-aware does. So maybe the Spybot 55 corresponds to the 635 in Ad-aware with everything still there. I don't know but perhaps an Expert who responds to this will know.

Another possibility is that Spybot found the Ad-aware Quarantine file and all the bad objects it found were in that quarantine file. I don't know.

Next I selected Immunize in Spybot and also updated Immunize. And selected Tea Timer in advanced mode.

Next I ran Spyblaster 3.2 (per Expert rossfingal above) from the MajorGeeks site and updated it and set all protection enabled. These last two were to prevent further Spyware from entering the PC.

Finally after all the above done in Safe Mode (and the Downloads done in Safe Mode with Networking) I finally rebooted in Normal Mode. And got the results noted near the start of this long comment in the paragraph that starts "(2) It takes about 5 minutes after rebooting.....". And this was NO IMPROVEMENT over the symptoms before I did all this.

So next, following the advice from Expert davids99 above, I ran the Microsoft beta Spyware remover (after updating it), and it found pretty much the same list of Spyware as Ad-aware and Spybot. I removed everything, started its Spyware protection feature and rebooted as it directed. Same result. No improvement at all. Then I started the Ewido Security Spyware remover (per davids99 above) but it ran much slower than the others so I stopped the run quite early.

Now before I get to the all-important HiJack This Log, PLEASE NOTE THE FOLLOWING.

There is only one account that shows any Spyware Symptoms. Namely Jack Flynn. I also removed Administrator privileges from this account before rebooting in normal mode per Expert Advice above. Previously it had Admin rights. The other account, Ann Flynn, which has Admin rights shows no Spyware Symptoms but IT HAS HAD NO INTERNET access since before the problem began. Previous to that it had dial-up internet access but the dial-up no longer works. Jack Flynn has hi-speed internet access via Comcast.

(A) One idea I have is to delete the Jack Flynn account (he has no email he wants to save), create a new Jack Flynn account, and call Comcast and get both accounts connected to hi-speed internet. Then see if the Spyware symptoms occur in these two accounts. Do you think this IDEA HAS ANY CHANCE OF SUCCESS ?

(B) Another idea is to take the time to run the trial Ewido Security Spyware removal tool to completion as Expert davids99 says above it does "a good job of cleaning out things other removal tools can't remove ".

OK, BELOW IS THE HiJack This Log. But there are several PROBLEMS WITH IT. The advice above from the link http://www.greyknight17.com/spyware.htm  said to update it. I downloaded it from the PC World site (HiJack This Version 1.99) and started it and noted there was NO OPTION TO UPDATE IT. I was running out of time as the PC owner said I had to leave soon. So I ran it and did not try to find another version that might be updatable. Second the same link said to disable Tea Timer in Spybot Immunize which I failed to do. I did have Show Hidden files enabled. I did not check if Hide File Extensions for known file types was disabled (unchecked) which could be another problem.

I have copied the log below. If you think it is useful despite the problems noted above, please look at it and TELL ME WHAT TO DO TO REMOVE THE SPYWARE SYMPTOMS given all that I already did above seems to have failed. If you think it is essential that I correct the problems in the paragraph immediately above FIRST, please say so and also provide a link to HiJack This that provides SW with an option to update. And then I will repost the new log in this thread.

Also I would appreciate a reply on why running NAV 2005 twice and then CWShredder, Ad-aware, Spybot (then Spybot Immunize and Spyblaster) and finally Microsoft's beta Spy removal tool has had so little effect. HOW IS THIS POSSIBLE???

HI JACK THIS LOG:

Logfile of HijackThis v1.99.0
Scan saved at 6:45:42 PM, on 3/7/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.loadingwebsite.com/normal/yyy26.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3BBF5CF1-894A-B6F8-92B6-EFB8F4B6478F} - C:\WINDOWS\system32\mfcbi32.dll
O2 - BHO: (no name) - {62F2AC5D-997E-B421-B408-D040AF8B8D53} - (no file)
O2 - BHO: (no name) - {AF9A7C05-5F3D-3A17-7FB6-4DE13205B12B} - (no file)
O2 - BHO: (no name) - {DDC2FE6F-2C81-F639-3F77-24B0DD6C1334} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rndewrrb] C:\WINDOWS\System32\wccuv\rndewrrb.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ragrv] C:\WINDOWS\System32\mdmeyh\ragrv.exe
O4 - HKLM\..\Run: [qyuokl] C:\WINDOWS\System32\xeta\qyuokl.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [cmxi] C:\WINDOWS\System32\puylju\cmxi.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [sysri.exe] C:\WINDOWS\sysri.exe
O4 - HKLM\..\Run: [ccrvoj] C:\WINDOWS\System32\wmlgxfn\ccrvoj.exe
O4 - HKLM\..\Run: [qyvvsa] C:\WINDOWS\System32\etdgjdxv\qyvvsa.exe
O4 - HKLM\..\Run: [mokkh] C:\WINDOWS\System32\gpkh\mokkh.exe
O4 - HKLM\..\Run: [fsro] C:\WINDOWS\System32\vdtclhet\fsro.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitergf32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109887623702
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: otloykqqexmk - Unknown - C:\WINDOWS\System32\ikbyonvr6.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\sdkcq32.exe

Regards and Thanks if you got this far,
   Mike





0
 

Author Comment

by:mgross333
ID: 13493424
I forgot in my long comment above to list a third idea (other than ideas (A) and (B) above the Hi Jack This Log). That is to install Windows XP SP2 despite the Microsoft advice to not install it before removing all viruses and Spyware. I am particularly referring to SP2's SW firewall that might be useful here.

Regards,
  Mike
0
 

Author Comment

by:mgross333
ID: 13493514
Oops. I think I may have run HiJack This in Safe mode but am not 100% sure. If it was run in Safe Mode (as was the case for all the Spyware Removal tools except the Microsoft beta tool) I believe the log is partly or mostly useless. I now suspect this is the case because the process list at the start of the log is that for Safe mode. There are many many more processes shown in the Windows Task Manager after I reboot in Normal mode. Is there a way that an Expert can look at the log and tell with certainty if it was created in Normal mode or Safe mode? If so please reply to this comment and let me (and other responding Experts) know.

Sorry about having to post this last comment. All I can say is it was the end of a long day and the PC owner was breathing down my neck to leave and it now appears I created a mostly useless log. If Experts confirm this, I'll rerun HiJack This in Normal mode and repost the new log. This will probably not occur till early next week as I will be away on a trip till then.

Even if this is the case, I would appreciate responses on why all the Spyware Removal tools I ran did not remove any Spyware symptoms as detailed in my long post above. And whether any of my ideas (A), (B), and the 3rd one in my short post immediately above this one are worth trying.

Chagrined,
   Mike
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13495757
I've run into this situation as I'm sure many have... I think the best thing to do is to remove the HD and scan it in another PC as a secondary drive with AV and spy-ware programs updated. You may have to do a little travel back to your house or work to clean it, or bring a PC to the location and use the monitor, keyboard and mouse, but that's what I've done for friends and family. I update a PC and its software, shut it down and tote it to the place I need to work. This gets around the root-kit problem that seems to be happening more and more.
http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Also, leave system restore off until the next reboot- if you hadn't done so already.
-rich
0
 

Author Comment

by:mgross333
ID: 13497946
To Expert richrumbe
Are you sure that if I do this (mount the Spyware infected disk as a 2nd drive in my home/business PC and run Spyware removal tools on it) that there is NO chance at all that my primary disk C: could somehow become infected with the same Spyware? Because my home/business PC is a brand new $3,300 (without monitor) custom-built state-of-the-art PC and I would be upset if any Spyware entered it while trying to help someone else out. Assume that I will turn System Restore off before mounting the 2nd disk and leave it off until it is removed and a reboot is done.

I encourage OTHER experts who have used this procedure to ALSO comment on this question.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13498720
No chance. As long as you don't run any program from the secondary drive. If you do (run a program from the secondary drive), then who knows what are safe programs and what aren't... you can run AV and Spy-ware tools against the HD with no problem. And yes, disable sys restore before removing the HD and placing it in the new PC as a secondary drive. The AV and Anti-spy-ware tools access the secondary HD as they do the main hard drive; they are simply looking at the code in the files, not executing them. The boot sector if the secondary drive is ignored during boot up.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13498727
The boot sector OF the secondary drive is ignored during boot up. (sorry for the typo)
-rich
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 400 total points
ID: 13499357
Hi!

Yes, your log file is definitely from a "Safe" mode scan.
The 010 entries should not be fixed with HijackThis.
If you do fix them; you'll break your Winsock Layered Service Provider stack:
resulting in - no Internet connectivity!
Download LSPFix and have it on hand before you do anything:
http://www.cexx.org/lspfix.htm
Read the instructions carefully.

Also, a newer version of HijackThis is out - ver. 1.99.0.1
Download from:
http://www.subratam.org/?page=removal

You should not run HijackThis from a temp folder or from the desktop.
HJT makes backups and log files and it's important to have them in one centralized place.

These 2 entries are malware running as a "Service" -
O23 - Service: otloykqqexmk - Unknown - C:\WINDOWS\System32\ikbyonvr6.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\sdkcq32.exe
Unfortunately, they're not the only "suspicious" entries that show!

Have done as richrumble suggests numerous times - slave the drive into another computer.
Have never had the good computer become infected!  (Knock on wood!!)  :)

This is Experts-Exchange's policy on posting HijackThis logs:
http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html
If you want someone to look at your HJT log -
copy and paste the log into the Automatic Analysis site here:
http://www.hijackthis.de/index.php?langselect=english
Then, post a LINK to your log back here.

You should run HJT in "Normal" mode; and then, post a Link to that log here.

Good luck!

RF
0
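The review rules in rossfingal's post (the O10 Winsock LSP lines must not be "fixed" in HijackThis, the two O23 services with an Unknown vendor are the obvious malware, and the short process list shows a Safe Mode scan) can be applied mechanically. The script below is an added example, not code from the thread or from the HijackThis project: it parses a trimmed excerpt of the log posted above (a constructed subset, not the whole log), collects the O10 entries for LSPFix handling, flags O23 services with an unknown vendor or missing binary, flags O4 Run entries whose executable lives under System32 (a heuristic of mine, not a HijackThis rule), and reports a Safe Mode hint when none of the per-machine Run targets appear in the running-process list.

```python
import re

# Excerpt of the HijackThis v1.99.0 log posted earlier in this thread, trimmed to a
# handful of lines so the example runs offline. Constructed subset, not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 6:45:42 PM, on 3/7/2005
Platform: Windows XP  (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rndewrrb] C:\WINDOWS\System32\wccuv\rndewrrb.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: otloykqqexmk - Unknown - C:\WINDOWS\System32\ikbyonvr6.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\sdkcq32.exe
"""

# A HijackThis entry is "<tag> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r'^([RFO]\d+) - (.*)$')
# First drive-letter path ending in .exe inside an entry body (quotes and args ignored).
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def parse_log(text):
    """Return (running_processes, [(tag, body), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Apply the thread's review rules to a log and return findings per section."""
    processes, entries = parse_log(text)
    findings = {"O4": [], "O10": [], "O23": []}
    run_targets = []

    for tag, body in entries:
        if tag == "O4":
            m = EXE_RE.search(body)
            if not m:
                continue
            path = m.group(1)
            run_targets.append(path.split("\\")[-1].lower())
            # Heuristic (mine, not a HijackThis rule): legitimate Run entries almost
            # always live under Program Files; a startup executable placed directly in
            # System32 or in a sub-folder of it deserves a second look, not a verdict.
            if "\\system32\\" in path.lower():
                findings["O4"].append(path)
        elif tag == "O10":
            # Winsock LSP entries: never "fix" these in HijackThis (rossfingal's point);
            # removing them breaks the LSP chain and all connectivity. Hand them to LSPFix.
            findings["O10"].append(body.split(": ", 1)[1])
        elif tag == "O23":
            # Services: an unknown vendor or a missing binary goes to manual review.
            parts = body[len("Service: "):].split(" - ")
            vendor = parts[1].strip() if len(parts) > 1 else ""
            if vendor == "Unknown" or "(file missing)" in body:
                findings["O23"].append(parts[0].strip())

    # Safe Mode hint: in a Normal mode scan the per-machine Run entries (ccApp,
    # gcasServ and the rest) would be in the process list. If none of them are,
    # the scan almost certainly came from Safe Mode and the list is not representative.
    running = {p.split("\\")[-1].lower() for p in processes}
    findings["safe_mode_hint"] = bool(run_targets) and not (set(run_targets) & running)
    findings["process_count"] = len(processes)
    return findings


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(section, result)
```

Run it against a full log saved from a Normal mode scan: the O10 list is what you hand to LSPFix, the O23 and O4 lists are the entries to research before fixing anything, and a True safe_mode_hint means the log should be regenerated before anyone reads the process list.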
 

Author Comment

by:mgross333
ID: 13500437
It appears I cannot scan a 2nd disk with Spybot 1.3; it appears to have no option except to scan C:, even when I am in Advanced mode. Please correct me if I am wrong. NAV 2005 and Ad-aware have such options. I don't know if the Microsoft beta tool and Ewido Security have such an option. If you do know, please respond on those two. I would like to run a minimum of two Spyware Scans and right now I only have one for a 2nd HD, Ad-aware. NAV is not really effective in the Spyware area so I am not counting that.

Also, I believe it is possible that the PC owner has nothing of value on the PC or can back up the little he has. Would a much easier solution be to delete all partitions, create a new one and do a scratch install from his original install CD? The point of this question, is if Spyware tools can not see the RootKit problems then I am unsure that deleting all partitions will remove the RootKit problems either. Also if this will not work when the bad disk is the system disk, can I mount it as 2nd HD on my PC, wipe out the partitions (and delete all RootKit problems that way) and remount it on the original PC and do a scratch install from CD?

If this latter approach will work, also remind me of how to delete all partitions (the command to use) and how to create a fresh partition.

0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1600 total points
ID: 13500569
You can even copy the entire HD to back it up without any risk of infection. If they (or you) can rebuild the PC from scratch, that's another option. The rootkits are too big to fit in the MBR of a HD so a total format and reinstall would be sufficient. The setup disc will prompt you - to install on the current partition, to delete the partition etc... - but if you back the drive up to your own, then right-click the drive in My Computer - there is a format option also.
I do this also, but I have a standard ghost image of the PCs we use, so it works on every model we have, and all we have to do is put the favorites back, and the My Docs and such. You're faced with a bit more of a battle, reinstalling all the software they were used to having, M$ Office, Adobe this and that etc.... Sometimes the OEM discs supplied by the manufacturer don't contain all the files needed. This is a last resort. There are things to consider like the background image, and the way they had the folder views etc... sometimes if these aren't the defaults they tend to complain that it's "not like it was before wahhh"

-rich
0
 

Author Comment

by:mgross333
ID: 13534182
Regarding solving spyware infection thru scratch install. Assume the owner has NOTHING of value on the PC except perhaps the MS Office app.
(1) Does the Windows XP Install CD supplied by Dell with their PCs have a scratch install option? Because if it does not, then the owner would have to spend $200 to get one from Microsoft (price on newegg.com). i.e. the upgrade CD ($100 on newegg.com) will not have a scratch install option and will not help here at all. And I do not think the owner will spend $200 so the ability to quickly and easily solve this problem depends on what kind of CD Dell supplies.

(2) About MS Office, same question.
One reason I am asking Question (2) is Expert richrumble's reply above which says apparently in the context of reinstalling App SW
> Sometimes the OEM disc's supplied by the manufacturer don't contain all the files needed

If the Dell XP and Office CDs won't do scratch installs, then I need question (3) below answered which was already asked in my last post above on 3/9/05 at 1:05 PM
(3) What Spyware removal SW other than Ad-aware allows one to specify a 2nd HD as the target? As noted, it appears Spybot 1.3 does not allow this (and in 5 days, Spybot Customer Service has not replied to my question on this). Please answer, if you know, for Microsoft's beta Spyware SW, Ewido Security Suite, and the Yahoo Toolbar Spyware removal SW. Because if I am going to go this route, I prefer to run two Spyware removal packages rather than just one. NAV 2005 does not count as I do not believe it has adequate Spyware removal capabilities.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13534368
Ad-aware and most others that I've used do allow you to scan other HDs. The only thing you lose when you do this is the ability for Ad-aware to scan the registry of the second HD. If the programs are gone though (after you've used Ad-aware to remove them) you may get an error saying "couldn't find so and so..." which is no big deal; a second scan with the program once the PC is back up should take care of that. You may also use the Regfix.exe from M$ to fix these types of errors.
It would be best to test the CD that came with the PC.
The Dell we use contains everything that was originally on the CD, but I was not sure if the owner installed anything extra on their own. If you have some small HD laying around, put it in a PC and try a mock rebuild and have a look around once it's built. You can also place the CD in the ROM and browse it (hold the shift key once it starts to spin to cancel any Autorun that may be on the CD). The CD provided by Dell should be looked over and tested, but should contain the necessary files.
-rich
0
 

Author Comment

by:mgross333
ID: 13543635
I successfully removed all Spyware/Adware (in Root-kit) by doing a scratch install (reformat of C:) from the Dell Windows XP Re-install CD. After creating the Windows Accounts, I installed 20 Microsoft Critical XP Updates (as the CD was created 3 years ago) and also Windows XP SP2. The latter took over an hour; it appears the Microsoft servers for SP2 updating are not sufficient for the job. Then I started Spybot Immunize, Spyblaster and NAV 2002 (the latter from Dell re-install CD). Then I recreated the two Outlook Express email accounts and reinstalled Microsoft Word and Money from the Dell Re-install CDs. Finally the Lexmark X73 USB printer still did not work (driver for this old printer not in XP) so I installed the driver from the Lexmark site. The PC Owner has no personal files of any value which is what made this approach to removing Spyware in Root-kit feasible.

It is worth noting that despite this being a scratch install, Spybot found 5 Spywares and removed them. Four were tracking cookies (not serious threats I assume) and the fifth was Alexa (advertising something). I do not understand how you can do a scratch install and then have Spyware but it is probably because I did not run Spybot till after I went to a number of web sites thru the IE browser. And Spyblaster was not started immediately after reinstall.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13551778
Alexa shows up with M$ products, including (but not limited to) clean installs
Oh well!?!
Alexa is the least of your problems!  :).
RF
0
