Stupid spyware!

Post by nexus_7 »

I had just formatted my mom's rig and reinstalled Windows and Office. Came back a few hours later after she had used her system for a little bit. Loaded down with spyware.

Ad-Aware, SpywareBlaster, and Spybot Search & Destroy have ALL been used with limited success for now. Now moving on to Spy Sweeper.

Any other suggestions? :(

Greg

Post by Absolut Talent »

What are the effects?

Do Ad-Aware and Spybot actually find the stuff and then not delete it? Then try to remove it in safe mode.

Sure it's not a virus?

Tell her to stop looking at pr0n.

Post by wvjohn »

That stuff is outta control. People at work who are very careful are getting hosed by it. Some say SpywareBlaster is OK.

Post by nexus_7 »

Spy Sweeper actually cleaned it all out, so that was good.

Yeah, it wasn't a virus. Norton was the other program I installed before she used it.

Symptoms were: reboots, software in Add/Remove Programs that could not be removed, pop-ups of course. The Google bar was taken over, and a few other things.

All gone now, though.

No, Ad-Aware and Spybot didn't find these.

Greg

Post by eGoCeNTRoNiX »

Sounds like you're having as much fun as me. I have a client's comp and it had 229 traces. S&D did the deed; it still ran like ass. I tried something else, no go. I'm trying this program now, I hope it does good. I've got the traces of some virus on this computer too, I believe, because when I try to install AVG I get "Cannot find Shell.dll", and the little googling I've done links this to a virus. No luck with it yet either.

eGo

Post by FlyingPenguin »

There are a couple of new ones that Spybot/Ad-Aware/CWShredder combined won't remove. Fortunately they're easy to remove manually. Boot into safe mode, disable anything that looks like it doesn't belong in the startup (any DOS app in the startup is DEFINITELY spyware) and reboot.

Delete or rename the executables when you're sure you've identified them. The ones I've run into are pretty obvious to spot. If you're familiar with startups, you should spot them easily.
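
FlyingPenguin's manual method comes down to reading the autostart list and pulling anything that doesn't belong. As an added example (not code from the thread, and not from Ad-Aware, Spybot or Spy Sweeper), the Python script below applies those rules of thumb to a `reg query` style dump of a Run key: a DOS/16-bit program (.com, .bat, .pif) in the startup is flagged outright, as is anything that runs from a Temp or profile folder, a one- or two-letter file name like the `a.exe` in blade's Ad-Aware log, and any file in system32 that is not on a known-good list. The dump, the value names and the `KNOWN_GOOD` set are constructed; on a real machine that set would come from the Run keys of a clean install of the same Windows and driver build.

```python
"""Triage Windows autostart (Run key) entries for likely spyware.

Added example: applies the thread's rules of thumb to a `reg query` style dump.
Everything below is constructed; nothing here is from Ad-Aware, Spybot or
Spy Sweeper.
"""
import ntpath
import re

DOS_EXTENSIONS = {".com", ".bat", ".pif"}   # DOS / 16-bit program types

# Assumed known-good autostart files for this sample machine. In practice,
# build this from the Run keys of a clean install of the same Windows/driver set.
KNOWN_GOOD = {"ctfmon.exe", "nvcpl.dll"}

# Constructed sample in the shape of `reg query HKCU\...\Run` output.
# a.exe and bridge.dll are the file names from blade's Ad-Aware log.
SAMPLE_RUN_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    NvCplDaemon   REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    a             REG_SZ    C:\WINDOWS\system32\a.exe
    Bridge        REG_SZ    RUNDLL32.EXE C:\WINDOWS\system32\bridge.dll,Load
    winsvc        REG_SZ    C:\DOCUME~1\MOM\LOCALS~1\Temp\winsvc.pif
    msupdate      REG_SZ    C:\WINDOWS\system32\msupdate.com
"""

# One indented "name  REG_TYPE  data" line of reg query output.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# A path ending in an executable/library extension; quotes, whitespace and the
# rundll32 ",EntryPoint" suffix are excluded from the match.
PATH_RE = re.compile(r'((?:[A-Za-z]:\\)?[^"\s,]+\.(?:exe|com|bat|pif|dll|scr))', re.I)


def parse_run_dump(text):
    """Return [(value_name, data), ...] from a `reg query` dump."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def target_of(data):
    """Return the program a Run value actually launches, seeing through rundll32."""
    for path in PATH_RE.findall(data):
        if ntpath.basename(path).lower() != "rundll32.exe":
            return path
    return None


def triage(text):
    """Map each suspicious value name to the list of reasons it was flagged."""
    findings = {}
    for name, data in parse_run_dump(text):
        target = target_of(data)
        reasons = []
        if target is None:
            reasons.append("no executable path found in value data")
        else:
            base = ntpath.basename(target).lower()
            stem, ext = ntpath.splitext(base)
            low = target.lower()
            if ext in DOS_EXTENSIONS:
                reasons.append(f"DOS/16-bit program ({ext}) in startup")
            if re.search(r"\\(temp|local settings|locals~1)\\", low):
                reasons.append("runs from a temp or profile directory")
            if len(stem) <= 2:
                reasons.append("one- or two-character file name")
            if "\\system32\\" in low and base not in KNOWN_GOOD:
                reasons.append("file in system32 not on the known-good list")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_DUMP).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real box the dump would come from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM, RunOnce and Startup-folder equivalents); the script only narrows the list, and the "known-good" check is as good as the inventory behind it, so a flagged system32 file still needs a look before it is renamed or deleted.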

Post by blade »

Damn glad you brought this up.

I usually keep SpywareBlaster up to date. Just ran Ad-Aware 6 and it found 16, including 2 folders (a first).

Vendor:WinFavorites
Category:Malware
Object Type:File
Size:40960 Bytes
Location:c:\windows\system32\a.exe
Last Activity:7-30-2004 4:00:00 AM
Risk Level:Low
Comment:
Description:No Detail Information Available.

Vendor:WinFavorites
Category:Malware
Object Type:File
Size:69632 Bytes
Location:c:\windows\system32\bridge.dll
Last Activity:7-30-2004 4:00:00 AM
Risk Level:Low
Comment:
Description:No Detail Information Available.

Gave me this message:

Image

Before rebooting, I ran Spy Sweeper for the first time: says 48 spyware found, 220 traces found!!! WTF!!


About to reboot. If I ain't back soon...

Post by eGoCeNTRoNiX »

Originally posted by blade
Damn glad you brought this up.

I usually keep SpywareBlaster up to date. Just ran Ad-Aware 6 and it found 16, including 2 folders (a first).

Vendor:WinFavorites
Category:Malware
Object Type:File
Size:40960 Bytes
Location:c:\windows\system32\a.exe
Last Activity:7-30-2004 4:00:00 AM
Risk Level:Low
Comment:
Description:No Detail Information Available.

Vendor:WinFavorites
Category:Malware
Object Type:File
Size:69632 Bytes
Location:c:\windows\system32\bridge.dll
Last Activity:7-30-2004 4:00:00 AM
Risk Level:Low
Comment:
Description:No Detail Information Available.

Gave me this message:

Image

Before rebooting, I ran Spy Sweeper for the first time: says 48 spyware found, 220 traces found!!! WTF!!


About to reboot. If I ain't back soon...


Same thing here blade, blew my mind. Actually my main rig was not that bad, about 28 methinks, but this client's was and still is horrible. Uninstalling NortonGiveYouVirus now because it's a POS in my opinion, and installing AVG, which has already picked up 3 virii that up-to-date Norton did not. Go figure.

eGo

Post by FlyingPenguin »

Blade, keep in mind that different spyware scanners look for different things.

For example, Spybot may remove the executables, folders and registry startup for a malware program, but not remove some other incidental registry entries. Those entries may not cause any problems at all if they stay in there, however Ad-aware might remove the registry entries.

Whenever you get that message that some spyware couldn't be removed, it just means that the executable is loaded in memory and that Ad-aware couldn't delete the executable because it's in use.

Just let it run again when it reboots and it'll remove it (when it reboots it won't be loaded in memory because Ad-aware removed the startup reference for it).

You could also just write down the names of the files and manually delete them yourself after rebooting if you want to save time.

Additionally, just browsing the web for an hour will probably cause you to pick up a couple of dozen "evil" cookies, which Spybot and Ad-Aware will detect as spyware, but they really aren't.

Post by blade »

What a freakin' nightmare.

After rebooting I ran a full Norton AV scan. Nothing showed up. Funny though, I could not get on the net either by cable modem or 56k dial-up. Tried everything (yes, everything); it wouldn't even let me call in to get more possible trial ISPs. Called tech support, they were clueless.

So I tried a repair install. No worky, something about the system I'm trying to install being newer. Well duh, it's because it's been updated. Would not allow me.

So I booted from CD-ROM and tried a repair install again. Again, no worky. So I tried again, just installing a new copy over the other one, which says it will delete the other install. I should have formatted and started over that way, but I went ahead. I still may have to do that later.

OK, back to work. Once things were back up I got my net working by installing the nVidia drivers, then downloaded that free Grisoft AV. The one I always loved far more than that slow Norton POS. Well gollee gee, it found 5 viri. 3 were healed, 2 it couldn't do anything with.

So I tried that free online virus scanner from Trend Micro, only I had to end up downloading it because it wouldn't load in the browser, even after installing that hated Java crap.

Trend found 3 viri/trojans and removed them all.


It has been sooo much fun doing all the Mickysoft updates, again. And all those lovely reboots.

Running Grisoft again to be sure.

Funny too, after booting up it wanted to do a disk check on each hard drive, and that killed several files that had no virus. Some like football games even; now it just shows a 32 KB file in its place. Said something about not being valid, so it's truncated.

aaaaahaahhhhhh!!!

I run Ad-Aware 1-2 times a week and never had this many. I ran Norton twice weekly; it never found anything.

If this is still screwed, then it'll be format time. Wish I'd done that first.

*Grisoft is still running, just found another .exe virus.

Post by wvjohn »

I have one rig at work that runs Norton Pro 2003/Grisoft with daily scans... this computer never goes anywhere funky... ran Spy Sweeper on it and it had a peer-to-peer client installed and some other junk... it really is getting ridiculous.

Here's a question for you OS gurus: if I create a limited-rights (no install, nothing) account and use that for daily business, would that make a difference?

or

Will this stuff still install covertly even though no one with administrator privileges is logged on?

Post by FlyingPenguin »

WVJOHN: I assume you're using IE?

Be aware that a lot of the sites you download game demos and patches from now like to install goofy download and P2P clients. I NEVER use that crap. Use a download site that allows you to do a regular HTTP or FTP download without a client.

Make sure you have all the latest critical updates. 95% of all updates are to fix holes in IE.

In IE settings make sure that "Install on Demand (Internet Explorer)" is disabled. This is the most common way this crap gets installed. If you want to be more paranoid (I am), then also turn off "Install on Demand (other)".

I gave up on IE a year ago. Been using Mozilla and, since last month, Firefox. IE is just too full of security holes. The only thing my spyware scanners ever find on my systems is bad cookies.

Post by blade »

Another virus was found, and when doing a Windows Update, it stopped. You would not believe all the BS I tried. To make a long story short, I formatted my C drive to NTFS; the D drive on the same hard drive is still FAT32. That OK?

Before this, when rebooting a gazillion times, it kept wanting to check the D drive for errors. The first time, as I mentioned above, it for some reason "truncated" some files, saying they are not valid. I stopped it a few reboots (fearing I'd lose more files), but one time it started scanning regardless.

I don't get it. For example, here's what it did (when it truncates a file) to a football game file that was once 698 MB:

Image

Funny too, it must still be there somewhere, because the space left on the drive is the same as before. What thu..

It did that to 7 movie/game files and at least one whole folder, which had mostly TV programs I recorded. Why, any ideas? Could it be it saw it as illegal? These were all recorded from my TV tuner. Fortunately I had most games backed up on DVD or CD, but not various TV programs, like the one about D-Day, etc.

After formatting and installing XP, I ran AVG; it found the virus and removed it. Everything 'seems' OK now. Did the Windows updates and all went well. But I see they took off SP2.

I'm sticking with AVG; Norton can go suck a rotten egg. Not that Norton caused this problem. Just too darn bloated and slow. And AVG has yet to fail me.

It appears this all started when I ran all those spyware apps. Something went wrong, I think. I let them all remove whatever they wanted to, which was a lot.

*catches breath*

Originally posted by FlyingPenguin
In IE settings make sure that "Install on Demand (Internet Explorer)" is disabled. This is the most common way this crap gets installed. If you want to be more paranoid (I am), then also turn off "Install on Demand (other)".

No doubt! And another "critical" update showed up just an hour or so ago.

Post by wvjohn »

Yes, I have been running IE. I have started using Firefox on one rig and will probably switch over all the machines.

Post by The_Frapster »

Blade, I had almost the same problem, but not as bad as yours. The ad/virii programs play nice as long as they have free rein of your system, but once you try to get rid of them, they start doing the stuff you're talking about. Some virii delete or move the executable part of the file and put themselves in its place. So when you execute that file, you install the virus, and then after it's installed, it loads the executable part of the file you wanted in the first place. So you never know it's even there.

Anyways, best of luck with it all.

Oh, one more thing. Check out a program called Protowall and Blocklist Manager. Protowall installs as a service on your network card. Then it filters IPs based on a list you make with Blocklist Manager. Not sure if this will help you or not, but there are sites I used to be able to go to without this program installed that I am no longer able to surf to. However, my spyware installs have gone down significantly. So if I really want to check something out, I can stop Protowall, but most often I don't, mainly because I know it helps.
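
The Protowall/Blocklist Manager setup The_Frapster describes is an IP range blocklist sitting in front of the network stack. As an added example (not code from the thread, and not from either tool), here is a small Python implementation of the same idea: it parses the plain-text `.p2p` list format those tools work with (one `label:first-last` range per line, `#` for comments; the format is assumed here), merges overlapping ranges, and decides for each destination address whether it is blocked and by which list entry. The list and the connection attempts are constructed and use documentation address ranges.

```python
"""Filter destination IPs against a PeerGuardian/Protowall-style .p2p blocklist.

Added example, not from the thread or from either tool. Assumes the plain-text
.p2p format: one `label:first-last` range per line, `#` comments allowed.
"""
import bisect
import ipaddress

# Constructed sample list using documentation address ranges.
SAMPLE_P2P = """\
# Constructed sample in .p2p format
Ad server (constructed):192.0.2.0-192.0.2.127
Spyware host (constructed):198.51.100.10-198.51.100.20
Spyware host B (constructed):198.51.100.15-198.51.100.40
"""


def parse_p2p(text):
    """Yield (label, first, last) with addresses as ints; skip blanks and comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may themselves contain ':', so split on the last one.
        label, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            raise ValueError(f"line {lineno}: expected label:first-last, got {raw!r}")
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in rng.split("-", 1))
        if lo > hi:
            lo, hi = hi, lo
        yield label, lo, hi


class BlockList:
    """Sorted, merged, non-overlapping ranges with O(log n) lookup."""

    def __init__(self, text):
        self.ranges = []  # [(label, first, last)], sorted and disjoint
        for label, lo, hi in sorted(parse_p2p(text), key=lambda r: r[1]):
            if self.ranges and lo <= self.ranges[-1][2] + 1:
                # Overlapping or adjacent: merge, keeping every distinct label.
                plabel, plo, phi = self.ranges[-1]
                if label not in plabel.split(" | "):
                    plabel = f"{plabel} | {label}"
                self.ranges[-1] = (plabel, plo, max(phi, hi))
            else:
                self.ranges.append((label, lo, hi))
        self._starts = [r[1] for r in self.ranges]

    def lookup(self, ip):
        """Return the blocklist label covering ip, or None if it is not listed."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and n <= self.ranges[i][2]:
            return self.ranges[i][0]
        return None

    def allowed(self, ip):
        return self.lookup(ip) is None


def filter_connections(blocklist, destinations):
    """Split destination IPs into (allowed, [(blocked_ip, label), ...])."""
    allowed, blocked = [], []
    for ip in destinations:
        label = blocklist.lookup(ip)
        if label is None:
            allowed.append(ip)
        else:
            blocked.append((ip, label))
    return allowed, blocked


if __name__ == "__main__":
    bl = BlockList(SAMPLE_P2P)
    # Constructed outbound connection attempts: an ad server, a normal site, a listed host.
    ok, dropped = filter_connections(bl, ["192.0.2.5", "203.0.113.1", "198.51.100.30"])
    print("allowed:", ok)
    for ip, label in dropped:
        print(f"blocked {ip}: {label}")
```

Merging the ranges up front is what keeps a single binary search correct when list entries overlap, which they routinely do in community-maintained lists. The trade-off The_Frapster mentions is inherent: a range list blocks by address, not by behaviour, so a legitimate site sharing a block with a listed host is cut off too, and the only remedy is to stop the filter or carve out the address.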