Topic: Stupid Spyware  (Read 5245 times)


Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Stupid Spyware
« on: July 02, 2004, 11:45:55 pm »
I was having major problems today, so I decided to run a spyware protection program, and came up with several files.  I keep blocking them, but they keep coming back each time I restart, and I don't know how to get rid of the stupid things.  Anyone have some advice?
CK

But tell me, can you heal what father's done?
Or fix this hole in a mother's son?
Can you heal the broken worlds within?
Can you strip away so we may start again?
Tell me, can you heal what father's done?
Or cut this rope and let us run?
Just when all seems fine, and I'm pain free, you jab another pin,
Jab another pin in me
-Metallica

Offline kmelew

  • "From the Place of the Hops-Growers"
  • Lt. Commander
  • *
  • Posts: 1343
  • Gender: Male
Re: Stupid Spyware
« Reply #1 on: July 02, 2004, 11:47:59 pm »
If you know what the executables are you can always try to kill them in the registry.  Be very careful!
"I'm Kmelew, and I approve this post."

Offline likkerpig

  • Commander
  • *
  • Posts: 2614
  • Gender: Male
Re: Stupid Spyware
« Reply #2 on: July 02, 2004, 11:51:13 pm »
I've found my Norton picks up some spyware that Adware and Spybot S&D missed. Even Norton couldn't get rid of it automatically, I had to manually delete files following the directions from the Norton site.
Also do you have the latest upgrades for your spyware detection program?
A couple of ideas anyway.
"Atheism is a religion like not collecting stamps is a hobby."



Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #3 on: July 02, 2004, 11:51:56 pm »
If you know what the executables are you can always try to kill them in the registry.  Be very careful!

sadly, i don't know how to use the registry.
CK


Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #4 on: July 02, 2004, 11:55:52 pm »
Don't have Norton for the PC, I'm using a program I DLed from AOL- their program, FYI.  I think it's up to date, but considering some of the spyware it's picked up is for stealing my data and sending it around I don't want to put that puter online right now.
CK


Offline kmelew

  • "From the Place of the Hops-Growers"
  • Lt. Commander
  • *
  • Posts: 1343
  • Gender: Male
Re: Stupid Spyware
« Reply #5 on: July 03, 2004, 12:02:59 am »
If you know what the executables are you can always try to kill them in the registry.  Be very careful!

sadly, i don't know how to use the registry.

If you can get the names of the spyware executables run Start-->Run-->Regedit and do a search for the executable.  When you find it, simply delete it.  Keep on searching until the whole registry is complete, as the executable name may appear in more than one key.  A word of caution--if you accidentally delete an incorrect key, you can really mess up your system, so to be safe make a backup or at least a system recovery disk.  I'm pretty sure that Norton has the ability to make multiple backups of the registry (Windows automatically backs up the registry when you exit, but if the registry has an error the error may be backed up as well).

I recently had to do this with an annoying app which kept setting my default homepage to some spyware search engine.

Ah for the days of WIN.INI and SYSTEM.INI with their RUN= and LOAD= commands!  ;D  ;D

Offline Gambler

  • Lt. Commander
  • *
  • Posts: 2120
  • Gender: Male
  • Don't bet on it
Re: Stupid Spyware
« Reply #6 on: July 03, 2004, 09:07:08 am »
About a month ago I downloaded SpywareGuard.  It's from http://www.wildersecurity.com.  It was highly recommended by Tech TV.  It stops spyware and homepage hijackers as well.

I'm a Man
But I can change
If I have to
I guess


WWJKD - What Would Jim Kirk Do

I thank God I grew up in an age when a kid could still play with things that could put his eye out.


Offline jualdeaux

  • The Quiet One
  • Global Moderator
  • Commander
  • *
  • Posts: 2758
Re: Stupid Spyware
« Reply #7 on: July 03, 2004, 10:38:24 am »
I have a cousin that is going to be VP of Investigative Services for Sony Pictures and he recommended SpyCop for these things.
http://spycop.com/products.htm

Actually, he recommended using it in conjunction with Adaware and Spybot.
« Last Edit: July 03, 2004, 10:42:10 am by jualdeaux »
Only in America .....do we use the word 'politics' to describe the process so well: 'Poli' in Latin meaning 'many' and 'tics' meaning 'bloodsucking creatures'.

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Stupid Spyware
« Reply #8 on: July 03, 2004, 03:58:06 pm »
http://www.cacl.ca  (re: your sig)

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3004
  • Gender: Male
Re: Stupid Spyware
« Reply #9 on: July 03, 2004, 04:45:28 pm »
If you know what the executables are you can always try to kill them in the registry.  Be very careful!


sadly, i don't know how to use the registry.


First I would suggest downloading and running HijackThis.  Then I suggest going to The Tech Support Forum.  The people there can walk you through the removal process.  Hope this helps.

Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #10 on: July 03, 2004, 05:39:43 pm »
Thanks all, I've managed to get them all but one, and can't quite track that one down.   >:(
I'll try DLing hijack this, see where it gets me.
CK


Offline RogueJedi_XC

  • XenoCorp® Member
  • Lt. Junior Grade
  • *
  • Posts: 249
  • Gender: Male
  • Code ID-10-T
    • The Brain Fart
Re: Stupid Spyware
« Reply #11 on: July 03, 2004, 08:32:51 pm »
This sounds a lot like a hijacker we've been dealing with at work for the last month or so.
Does your homepage come up as "res://hultk.dll/index.html#96676"? The .dll file can have any random 5 character name.

If you have this, you are, in a nutshell, screwed. It is so deep into your system the only way to get rid of it is to format and re-install. Then never, ever again visit the website you got it from (i.e. stay off the porn, son!  ;D ). Trust me on this, no matter how often you delete the files it will come back. Internet Explorer itself is the culprit this time out, and AFAIK, no one has yet discovered a foolproof way to get rid of it.

Oh, yeah. Use Firefox, Mozilla, or Opera. Drop IE like a ton of bricks. It's one big security hole that you neither want nor need.
RogueJedi_XC
Xenocorp.net

Offline likkerpig

  • Commander
  • *
  • Posts: 2614
  • Gender: Male
Re: Stupid Spyware
« Reply #12 on: July 03, 2004, 08:45:20 pm »

 Then never, ever again visit the website you got it from (i.e stay off the porn, son!  ;D ).

 :o  :o  :o  :o
Heretic!
Without porn, what's the point of computers? The internet? Life?
Yeesh, buy a Mac before you get this drastic!



Offline Darth Sidious

  • Lt.
  • *
  • Posts: 598
  • One Winged Angel
Re: Stupid Spyware
« Reply #13 on: July 03, 2004, 09:28:23 pm »
Then never, ever again visit the website you got it from (i.e. stay off the porn, son!  ;D ).
Oh, yeah. Use Firefox, Mozilla, or Opera. Drop IE like a ton of bricks. It's one big security hole that you neither want nor need.

Or use a limited account using Moz/Opera/FIREBIRD for all your pr0n needs.

Offline Grim

  • Lt. Commander
  • *
  • Posts: 1004
  • Gender: Male
Re: Stupid Spyware
« Reply #14 on: July 03, 2004, 09:41:25 pm »
Internet Explorer has a major major flaw in it, I should know, I was hit by a trojan last week, kept redirecting my page to about:blank and loads of popups, tried all sorts, hijack this, adaware, spybot etc and I couldn't remove it.

I sorted it out basically by restoring my pc to its previous factory state, essentially removing everything off it since i bought the machine. I then dumped IE and am using Firefox now.

Microsoft are in a rush to get the major flaw fixed, however most security companies, government related agencies etc have advised surfers to not use IE at all until the issues are sorted out.



"US Government warns against Internet Explorer: Internet Exploder will harm your machine
Inquirer.net ^ | Wednesday 30 June 2004 | Tamlin Magee

Posted on 06/30/2004 9:38:30 AM PDT by demlosers

THE US GOVERNMENT has sent out a warning out to internet users through its Computer Emergency Readiness Team (US-CERT), pleading users to stop using Microsoft's Internet Explorer.

Following a malware attack last week which targeted a known flaw in IE, like so many other attacks, the US-CERT recommended using alternative browsers thanks to their increased security. Microsoft is hurriedly trying to increase IE's security with the Windows XP Service Pack 2, but it's not fast enough for many.

In a vulnerability note released by US-CERT, it says "there are a number of significant vulnerabilities in technologies relating to the IE domain" and that "it is possible to reduce exposure to these vulnerabilities by using a different web browser." Well, they're right.

The latest "extremely critical" IE bug has still not been patched by Microsoft."



« Last Edit: July 03, 2004, 09:43:20 pm by Grim »

Offline Pestalence_XC

  • "The Terminator"
  • Commander
  • *
  • Posts: 2636
  • Gender: Male
  • "The Terminator" Pestalence_XC, Xenocorp
Re: Stupid Spyware
« Reply #15 on: July 04, 2004, 03:33:23 am »
Ok.. I wrote up a guide for people to follow on how to correctly configure Windows and Internet Explorer to help prevent Spyware and also provided the best utilities to use in removing spyware.. which happen to be Spybot Search and Destroy and Ad-Aware 6.. most other programs that remove spyware usually install spyware with the program only so that they can remove them after install during the first run so that you will purchase it.. plus they sometimes block other spyware engines from finding spyware that it installs on your system...

One such example is SpyHunter.. it is loaded with over 12 different spyware programs and it blocks out definitions in Ad-Aware 6 as well as sometimes completely killing Spybot S&D.

anyhow.. here is the page I created on proper setup of Internet Explorer for SP 1.. I will update the page as soon as SP 2 is released publicly from Microsoft.

http://www.nightsoft.net/effhq/IE.html

Please follow all the instructions.. it will take a couple of hours to go through all the steps.. and if you have questions when it comes to the Hijack This.. Please just send me an email of the Hijack This log file and I will break down for you on what to keep and what to remove to ensure system integrity. the only thing I will not provide for support on Hijack This is for your system start up programs.. removing those components will prevent programs from launching with your system (icons next to system clock and sometimes spyware exe files).. I will do my best to point out the spyware files.. however I will not recommend removing any legitimate programs from system start up.. you will have to choose to do that on your own.. but removing as many programs from system start up as possible is most recommended.... I say this as it will free up system resources which can be applied to your actual applications... but that is your choice..

anyhow.. let me know and I will help.

Pestalence
"You still don't get it, do you?......That's what he does. That's all he does! You can't stop him! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead!"

Member :
Xenocorp / Dynaverse.net Moderator & Beta Test Team
SFC 4 Project QA Coordinator
Taldren Beta Test Team
14 Degrees East Beta Test Team
Activision Visioneers SFC 3 Beta Test Team

Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #16 on: July 04, 2004, 11:33:12 am »
This problem is getting worse.  More Spyware is showing up on my HD, and destroying my ability to use this machine on the internet.  I was considering- after a long time- finally upgrading to Windows XP from ME which I have now.  I've put it off for this long because I've heard people complain that when their computer crashed MS would not allow them to reinstall their OS on their PC due to MS's wonderful policy regarding piracy.  The version of XP I got my hands on is a home version, and I've read these are the problem systems, whereas XP pro is better if you have a crash and have to reinstall.
This does answer one question I had though:  should I just upgrade, or reformat and upgrade.  I guess the latter.
You're right that this came from a pron site- I was using a link to a page (not pron) and ended up getting redirected to a porn site which I could seem to get out of.
I guess I have one question:  when it comes to backing up, are there any types of files I can't trust to put on CD and reload after reinstall?  I haven't backed up my favorites, and wanted to do that, along with the regular run of the mill files and game settings for various games so I could pick up where I left off after reformat.
CK


Offline RogueJedi_XC

  • XenoCorp® Member
  • Lt. Junior Grade
  • *
  • Posts: 249
  • Gender: Male
  • Code ID-10-T
    • The Brain Fart
Re: Stupid Spyware
« Reply #17 on: July 04, 2004, 11:43:39 am »
I go to your web page and get the following: ??
RogueJedi_XC
Xenocorp.net

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Stupid Spyware
« Reply #18 on: July 04, 2004, 11:46:11 am »
I'm not sure where exactly nightsoft is, but the server is notoriously unreliable, I've observed approximately 50%(or less) uptime over the last two years.

Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #19 on: July 04, 2004, 11:57:24 am »
Ok.. I wrote up a guide for people to follow on how to correctly configure Windows and Internet Explorer to help prevent Spyware and also provided the best utilities to use in removing spyware.....anyhow.. let me know and I will help.

Pestalence


Thanks a lot, Pestalence.  It being the fourth, I'm not too enthusiastic to do this today, so I'll see about it tomorrow.  Hopefully I'm literate enough in Windows to handle this on my own.
Thanks again Pestalence, and everyone else who's provided help.
CK


Offline Pestalence_XC

  • "The Terminator"
  • Commander
  • *
  • Posts: 2636
  • Gender: Male
  • "The Terminator" Pestalence_XC, Xenocorp
Re: Stupid Spyware
« Reply #20 on: July 04, 2004, 12:06:13 pm »
OK.. my site is down at the moment.. so I moved the html file to SFCx for the time being...

Please remember that the links to the software will not work (they will work to the sites listed, but not the actual software listed) as the software I have hosted on nightsoft. The instructions are listed on the page below.

http://www.sfcx.org/downloads/mirrors/Pestalence/IE.html

Hope that this helps.

Offline AdmWaterTiger-11thFleet-

  • Unity Admin
  • Lt. Junior Grade
  • *
  • Posts: 492
  • Gender: Male
  • Veni vidi vici
    • Spartan Vanguard
Re: Stupid Spyware
« Reply #21 on: July 04, 2004, 01:43:06 pm »
Good site for SpyWare fixes.

http://www.tomcoyote.com
http://www.spartanvanguard.com/
http://www.stcd.sgnonline.com/users/trimodyards/



KoraH: "Remember my advice to you Wade, that you should drop SFC ...  you will find that all you have to put up with to do so is going to sour the sweetness of your hard work."

Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #22 on: July 04, 2004, 02:09:11 pm »
And it continues to get worse.  I can't manage to get anything I want DLed because whatever this crap is it's using up just about everything in my connection to DL new spyware, meaning more ads that screw everything up even more.  The computer itself is running at a snail's pace right now, so I think I'll use what's left of my processing power for a backup then wipe the entire damn thing.  This seriously irritates me, since I haven't been going out and DLing questionable materials, just email, AOL and this board- and school work.  Right now I'm on my iMac, which thus far has proven impervious to things like this.  I'm running a virus scan right now, but the pace it's going it will take a few hours.  Once it's finished, if I don't come up with a virus I'll be commencing the wipe.
Stupid Windows.
Oh yes- I'm starting to get multiple messages to insert a windows install CD to provide system files that have apparently been deleted.  I think this thing is FUBAR.

EDIT:  System resources are now below 40% with no programs opened.
« Last Edit: July 04, 2004, 02:17:33 pm by Clark Kent »
CK


Offline Mackie

  • Puu jok' unhoittaa juurensa, kaatuu.
  • Lt. Commander
  • *
  • Posts: 1383
  • Gender: Male
  • The tree that forgets its roots, will fall.
    • stupidfusion
Re: Stupid Spyware
« Reply #23 on: July 04, 2004, 02:49:27 pm »
actually there's only one program you need to get rid of spyware
AdAware
http://www.stupidfusion.com
________________
"Integrity is doing what is right even when the outcome is already known."

Offline Green

  • I'm not a
  • Commander
  • *
  • Posts: 3004
Re: Stupid Spyware
« Reply #24 on: July 04, 2004, 05:48:31 pm »
Thanks Pesty.  That looks like a pretty extensive prevention effort.  I've saved your guidance and will set aside a Saturday afternoon to get it done ... will be worth it.  Definitely looks good.  ::thumbsup::

Offline AdmWaterTiger-11thFleet-

  • Unity Admin
  • Lt. Junior Grade
  • *
  • Posts: 492
  • Gender: Male
  • Veni vidi vici
    • Spartan Vanguard
Re: Stupid Spyware
« Reply #25 on: July 04, 2004, 08:05:44 pm »
actually there's only one program you need to get rid of spyware
AdAware


Ad-Aware doesn't catch half of it. TomCoyote.com has 7,000+ forum members for a reason. He supports Ad-Aware, but there is more than that it takes to clean up the junk.

Tell Tom hello and watch the staff go to work on the issues.

<S>

http://www.spartanvanguard.com/
http://www.stcd.sgnonline.com/users/trimodyards/




Offline Grim

  • Lt. Commander
  • *
  • Posts: 1004
  • Gender: Male
Re: Stupid Spyware
« Reply #26 on: July 04, 2004, 08:11:02 pm »
Currently most of the programs out there can't remove a specific malware threat atm, when I was attacked by the coolwebsearch hijacker, I tried various programs such as:

-Adaware
-Hijack this.
-Spybot
-Spyhunter
-CWShredder
-and various registry editing programs

I could remove it but then 2 days later I got reinfected, I ended up restoring my pc to factory settings and luckily it's fixed.

Great work by Pestalence and his tips, advice and knowledge concerning IE, but personally I would not use IE, Microsoft and various agencies advise that you don't 'til it's fixed.

Offline RogueJedi_XC

  • XenoCorp® Member
  • Lt. Junior Grade
  • *
  • Posts: 249
  • Gender: Male
  • Code ID-10-T
    • The Brain Fart
Re: Stupid Spyware
« Reply #27 on: July 04, 2004, 08:20:21 pm »
Great article, Pestalence. Two, maybe three, things I would change, though.

First, when you are discussing the security settings in IE, you leave the Microsoft VM Java Permissions level set to low. This is a monumentally bad idea. All of the hijackers put out this year get on your system using a hack into the MS Java VM. Always set the Java VM Permissions to Highest Safety.

Second, in the Advanced setting in Internet Options "Enable 3rd Party Browser Extensions" should be disabled at all times. Almost all hijackers install a BHO (Browser Helper Object), disabling this option kills half the hijacker.  Only turn this on if you use a known good toolbar, like Google's or MSN's (yeah, MSN's toolbar is actually pretty good). If you keep this enabled, keep track of what BHO's are running on your system.

Third, if you are using Sun's Java VM (and why aren't you?), then the MS Java VM settings on the Advanced tab (and perhaps the security tab, too) should be set to disabled. I don't think there's any conflict, but leaving the MS JVM running is like leaving your car unlocked but using the club to lock the steering wheel...

Also, CWShredder is your best friend. Use it before turning to Hijack This. CWShredder is aimed specifically at removing almost 2 dozen variants of hijackers. It's a damned good tool. I wish the guy who created it would open-source it so it could continue to be updated now that he's given up the race with the scum who write these things.

Ok, let's make it five things.  ;)
You mention disabling the messenger and alerter services to help block popups. First, this only applies to Windows 2000 and XP, second, if you got all the updates as mentioned earlier in the article, this is not necessary. Microsoft released a patch for the Messenger overflow almost a year ago. Most users can disable these two services, though, to free up a couple of megabytes of memory. They were originally intended for network admins and the like to send urgent messages (such as "We're shutting down the servers for patching in 5 minutes, close your pr0n sites now..." :D), but even they rarely ever use them. Starting with XP Service Pack 2 these services will be disabled by default.

Please take this constructive criticism as it's intended -- as constructive criticism. It is a very good article and is spot-on in all but the above 5 things. I do all of what you list, already... in addition to using Firefox instead of IE. But, that may be a political thing more than anything. :)
RogueJedi_XC
Xenocorp.net
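
The registry search described in Reply #5 and the BHO tracking suggested in Reply #27 can both be done read-only against a Regedit export (which also serves as the backup Reply #5 calls for). The following is an added example, not part of the original thread: it assumes a REGEDIT4 text export already read into a string, and the file names, CLSID and sample export are constructed placeholders.

```python
import re

# Autostart keys on Windows 9x/ME/XP; a hit here explains a program that returns on reboot.
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runservices",
)
BHO_KEY = r"\microsoft\windows\currentversion\explorer\browser helper objects"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export; adhelper.exe/.dll and the CLSID are made-up placeholders.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"updmgr"="C:\\WINDOWS\\SYSTEM\\adhelper.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.invalid/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\adhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\AdHelper]
"InstallPath"="C:\\WINDOWS\\SYSTEM\\adhelper.exe"
"Flags"=hex:01,00,\
  00,00
'''


def unescape(s):
    """Undo .reg string escaping (doubled backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.

    String data is unescaped; dword:/hex: data is kept as raw text.
    The key's default value is stored under the name "@".
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex: data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            current[name] = data
    return keys


def find_references(keys, needle):
    """Return (key, value_name, data, is_autostart) for every value naming `needle`."""
    needle = needle.lower()
    hits = []
    for key, values in keys.items():
        autostart = key.lower().endswith(AUTOSTART_SUFFIXES)
        for name, data in values.items():
            if needle in name.lower() or needle in data.lower():
                hits.append((key, name, data, autostart))
    return hits


def list_bhos(keys):
    """Map each registered BHO CLSID to the DLL in its InprocServer32 default value."""
    bhos = {}
    for key in keys:
        parent, _, leaf = key.rpartition("\\")
        if parent.lower().endswith(BHO_KEY) and leaf.startswith("{"):
            server = ("HKEY_CLASSES_ROOT\\CLSID\\%s\\InprocServer32" % leaf).lower()
            bhos[leaf] = next(
                (v.get("@") for k, v in keys.items() if k.lower() == server), None)
    return bhos


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    for key, name, data, autostart in find_references(reg, "adhelper.exe"):
        print("AUTOSTART" if autostart else "reference", key, name, data, sep=" | ")
    for clsid, dll in list_bhos(reg).items():
        print("BHO", clsid, dll or "(no InprocServer32 in export)", sep=" | ")
```

Reviewing the full hit list before touching Regedit shows every key that names the executable, and which of them actually relaunch it at startup.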

Offline Grim

  • Lt. Commander
  • *
  • Posts: 1004
  • Gender: Male
Re: Stupid Spyware
« Reply #28 on: July 04, 2004, 08:25:27 pm »

Concerning CWshredder it is best to run the pc in safe mode then use CWshredder, then use hijack this then adaware, that should remove most of the easy to get rid of spyware.

Offline RogueJedi_XC

  • XenoCorp® Member
  • Lt. Junior Grade
  • *
  • Posts: 249
  • Gender: Male
  • Code ID-10-T
    • The Brain Fart
Re: Stupid Spyware
« Reply #29 on: July 04, 2004, 08:33:37 pm »

Absolutely correct. Also, you should run a full system scan with your antivirus program in safe mode at least once a month (once a week or more in normal mode, depending how paranoid you are).
RogueJedi_XC
Xenocorp.net

Offline Mackie

  • Puu jok' unhoittaa juurensa, kaatuu.
  • Lt. Commander
  • *
  • Posts: 1383
  • Gender: Male
  • The tree that forgets its roots, will fall.
    • stupidfusion
Re: Stupid Spyware
« Reply #30 on: July 04, 2004, 11:32:54 pm »
actually there's only one program you need to get rid of spyware
AdAware


Ad-Aware doesn't catch half of it. TomCoyote.com has 7,000+ forum members for a reason. He supports Ad-Aware, but there is more than that it takes to clean up the junk.

Tell Tom hello and watch the staff go to work on the issues.

<S>




hrm guess I'm wrong then ; for me adaware has always done the job needed ;p

Offline Grim

  • Lt. Commander
  • *
  • Posts: 1004
  • Gender: Male
Re: Stupid Spyware
« Reply #31 on: July 05, 2004, 07:55:17 am »

Just found this on Zdnet articles section:

Explorer hole finally filled
Robert Lemos
CNET News.com
July 05, 2004, 08:35 BST
   
A flaw that has left Windows users open to attack for the past nine months has been patched by Microsoft

Microsoft released on Friday a work-around for an Internet Explorer vulnerability that has left Windows users open to attacks for almost nine months.

The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch.

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security programme manager for Microsoft's security response centre.

"It is a permanent change, but it is an interim step -- we are still in the middle of our investigation," he said. "We have taken a look at the functionality in the product and seen that that functionality is really being used by attackers."

The change fixes a problem that allowed several compromised Web sites to infect visitors' PCs with a Trojan horse program, known as Download.Ject or JS.Scob.Trojan. The program would record the keystrokes and send them to an overseas email address. That Internet Explorer security issue and several others lead some security experts to suggest that users should consider alternative browsers.

Microsoft's configuration change blocks the ability of the ADODB.screen ActiveX component to write to the PC's hard drive. ActiveX, which adds interactivity to Web sites viewed with Internet Explorer, has long been thought to have security issues.

This particular vulnerability has been known about for more than nine months, said David Endler, director of incident response for security company Tipping Point.

"Though written configuration hardening instructions have been available online for a while, it's nice to finally see this particular security tweak in Internet Explorer distributed to the masses, even if it's long overdue," he said.

Microsoft continues to study this issue and expects to release a more comprehensive patch. Moreover, the company is readying a major security update for Windows XP, known as Service Pack 2, that should be out later this summer.

If you use IE for browsing and you use XP I recommend you check updates.

Offline Gambler

  • Lt. Commander
  • *
  • Posts: 2120
  • Gender: Male
  • Don't bet on it
Re: Stupid Spyware
« Reply #32 on: July 05, 2004, 09:42:38 am »



The flaw, in an ActiveX scripting component, gained notoriety last month when it became the mechanism used by a network of compromised Web sites to install a malicious program on victims' computers. Microsoft has decided to plug the hole by turning off the ability for the ActiveX component to write to the operating system. The software giant published the work-around on its Web site and directed customers to use its Windows update service to download the patch.

Though Microsoft intends the change to become a standard configuration for Windows, the software giant is working on a more comprehensive solution, said Stephen Toulouse, security programme manager for Microsoft's security response centre.



I wonder exactly wtf MS is doing allowing ActiveX to write directly to the OS in the first place?  Actually I bet it was part of Bill's goal of having the ability for people to run everything remotely.  Rent MS Office and then just use it from the Internet whenever you actually need it.  Need an additional component to your OS?  Just pay us for it and we'll activate it on your PC.


Offline Green

  • I'm not a
  • Commander
  • *
  • Posts: 3004
Re: Stupid Spyware
« Reply #33 on: July 05, 2004, 03:59:30 pm »

Absolutely correct. Also, you should run a full system scan with your antivirus program in safe mode at least once a month (once a week or more in normal mode, depending how paranoid you are).

RJ, what is the difference between running a scan in safe vs normal?  Am interested.

Thanks in advance.

Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #34 on: July 05, 2004, 04:09:17 pm »
Well, my restore is underway.  When I finally finished my backup I wasn't able to squeeze more than a percent or two out of the system, and most programs wouldn't even open- not to mention the fact that I wasn't able to gather enough power over my dialup to download anything, and the computer couldn't access any sites I wanted it to- it just ended up going to some spamware site.  The spamware protectors were not doing anything of consequence, for every program I disabled 3 more took its place, plus the one that I simply could not get rid of at all.  I'll be going back to base Windows ME, then I'll look into finally upgrading to Windows XP later today.
I hate doing this.
CK


Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #35 on: July 05, 2004, 05:56:06 pm »
Well, looks like no XP for me.  The copy I have was bought by my dad off of eBay as a 451 mb download.  Everything seemed legit, and still does, to the best of my knowledge, but his laptop does not come with any specific burning software, such as Adaptec Easy CD Creator like my computer has.   Also, his XP system will not accept my CD of CD Creator, and every time I've tried to copy this stupid file it has left me with an error message and an unusable CD, so there is no way for me to transfer this file to my computer and use it.  No XP for me.
I HATE windows.
CK


Offline RogueJedi_XC

  • XenoCorp® Member
  • Lt. Junior Grade
  • *
  • Posts: 249
  • Gender: Male
  • Code ID-10-T
    • The Brain Fart
Re: Stupid Spyware
« Reply #36 on: July 05, 2004, 07:18:43 pm »

Absolutely correct. Also, you should run a full system scan with your antivirus program in safe mode at least once a month (once a week or more in normal mode, depending how paranoid you are).

RJ, what is the difference between running a scan in safe vs normal?  Am interested.

Thanks in advance.

Safe Mode only loads a subset of the services, drivers, and programs that normal mode does. Most spyware, trojans, worms, and viruses do not run in Safe Mode, so they are not able to stop the antivirus scanner from running (which has been all the fad with the script kiddies for at least the last year). In general, you will find more stuff in safe mode than you would in normal mode, and you'll be able to delete more of that stuff (because the virus processes are not running in Safe Mode).
RogueJedi_XC
Xenocorp.net
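
The Safe Mode behaviour described in the reply above, as an added example that is not part of the original thread: it lists the auto-start services and Run-key programs that a minimal Safe Mode boot would leave unloaded. It assumes an NT-based Windows with PowerShell 5.1 or later (not the Windows ME machine in the thread), and matching services to SafeBoot subkeys by name is an approximation.

```powershell
# Added example: what normal mode starts that minimal Safe Mode does not.
# Assumption: NT-based Windows with PowerShell 5.1+; read-only, changes nothing.

$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'

# Subkey names under SafeBoot\Minimal are the services, drivers and driver
# groups that Safe Mode (without networking) is allowed to start.
$allowed = Get-ChildItem -Path $safeBoot |
    ForEach-Object { $_.PSChildName.ToLowerInvariant() }

# Auto-start services whose name is not on that list stay stopped in Safe Mode.
# (Name matching is approximate: some entries are driver files or group names.)
$skippedServices = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Where-Object { $allowed -notcontains $_.Name.ToLowerInvariant() } |
    Select-Object Name, DisplayName, PathName

# Programs launched from the Run keys are also ignored in Safe Mode by default,
# so whatever is registered here is not running while the scanner works.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$skippedRunEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $item.GetValue($name)
        }
    }
}

'Auto-start services not loaded in minimal Safe Mode:'
$skippedServices | Sort-Object Name | Format-Table -AutoSize -Wrap

'Run-key programs not launched in Safe Mode:'
$skippedRunEntries | Format-Table -AutoSize -Wrap
```

Anything in either list that you do not recognise is a candidate to look up before the Safe Mode scan, since its files are not locked by a running process at that point.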

Offline AdmWaterTiger-11thFleet-

  • Unity Admin
  • Lt. Junior Grade
  • *
  • Posts: 492
  • Gender: Male
  • Veni vidi vici
    • Spartan Vanguard
Re: Stupid Spyware
« Reply #37 on: July 06, 2004, 10:05:57 am »

Concerning CWshredder it is best to run the pc in safe mode then use CWshredder, then use hijack this then adaware, that should remove most of the easy to get rid of spyware.

Got it; easy, small safe.

Good stuff for browser hijackers.

<S>

WaterTiger
http://www.spartanvanguard.com/
http://www.stcd.sgnonline.com/users/trimodyards/



KoraH: "Remember my advice to you Wade, that you should drop SFC ...  you will find that all you have to put up with to do so is going to sour the sweetness of your hard work."

Offline Iceman

  • 1st Lieutenant
  • Lt.
  • *
  • Posts: 997
  • Gender: Male
Re: Stupid Spyware
« Reply #38 on: July 07, 2004, 12:15:53 am »
Clark,

If you're good with your hands and technology, you could hook up the HDD with win xp on it to the computer with the problems. 

Just a thought, don't think you had thought of.

Otherwise, I'd say god help you.  In all seriousness, I've never seen a spyware case this bad.  I got one a while back that would take over my IM program, (aim, trillian, etc) put up an away message with a link to itself and send me to its homepage. It was like friends.scr or something. A friend of mine figured out how to get rid of it, but I'm on XP Pro, so I can't help ya.
I believe this belongs to you. -Commander Sheehan to Imperial Captain Smithy
"Wedge, it's amazing how deceptive you can be without actually lying." -Tycho Celchu

Offline Clark Kent

  • Captain
  • *
  • Posts: 6071
  • Gender: Male
Re: Stupid Spyware
« Reply #39 on: July 07, 2004, 01:21:50 am »
actually, that's a good idea, but I don't think I have the parts necessary to connect a laptop HD up to a desktop computer, but who knows, maybe I could find a way.  Dang, now I want to see if I can pull that off.
The computer is up and running again, reformatted and reinstalled, so all is well, for the moment anyways.
CK


Offline Iceman

  • 1st Lieutenant
  • Lt.
  • *
  • Posts: 997
  • Gender: Male
Re: Stupid Spyware
« Reply #40 on: July 07, 2004, 11:47:37 pm »
actually, that's a good idea, but I don't think I have the parts necessary to connect a laptop HD up to a desktop computer, but who knows, maybe I could find a way.  Dang, now I want to see if I can pull that off.
The computer is up and running again, reformatted and reinstalled, so all is well, for the moment anyways.


I don't know anything about laptop drives, but I think they use the same methods that a regular one does. Someone with more laptop experience is needed, hence my (actual reason for post coming) bump.

Offline Sethan

  • Justiciar
  • Captain
  • *
  • Posts: 6670
  • Gender: Male
Re: Stupid Spyware
« Reply #41 on: July 08, 2004, 10:35:39 am »
In order to connect a laptop drive up to a desktop, you need a 44-pin (laptop) to 40-pin (desktop) adapter.

They cost about $7 at an electronics store.

That said, read the following carefully before attaching the laptop drive to the desktop:

First, the IDE cable and the connector must mate - some IDE cables have a pin block in place.  If the adapter does not have a missing pin, you will need to remove the pin block, or get a different cable.

Next, turn off and unplug the computer.

Next, connect the adapter to the IDE cable.  It is a little counterintuitive - the power connector on the adapter goes on the opposite side of the cable from the colored stripe on the cable.  Don't mess this up, or you will fry the laptop drive.

Now connect the laptop drive to the adapter.  The connector on the adapter is offset, and the bottom of the laptop drive goes toward the edge the connector on the adapter is closest to.

Connect the IDE cable to the desktop in place of the CD-ROM drive cable.  If you are using the CD-ROM drive cable, disconnect the CD-ROM drive from the cable.

Connect power to the adapter (it uses a standard power plug, and you can use the one from the CD-ROM drive).

Plug in and turn on the machine.  Depending on your setup, you may need to go into CMOS to tell the computer to look for the drive - otherwise, it will be recognized automatically.
It is the mark of an educated mind to be able to entertain a thought without accepting it. --Aristotle

Offline Iceman

  • 1st Lieutenant
  • Lt.
  • *
  • Posts: 997
  • Gender: Male
Re: Stupid Spyware
« Reply #42 on: July 08, 2004, 03:15:50 pm »
I knew somebody would know how!