FSCKING adware! I can take NO MORE!


eigen

Diamond Member
Nov 19, 2003
4,000
1
0
All you windoze users should incorporate the p2pguardian (though it may be called something else) into your personal firewall. What it is, basically, is a blacklist of known spammer/spyware/govt... sites, and when your firewall sees them it blocks the packet. I have a little script that works similarly for iptables.

Or switch to Linux.
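
The iptables script eigen mentions is not in the thread. The block below is an added example, not eigen's script, showing the idea from a defender's side: read a PeerGuardian-style blocklist (the "p2p" text format, `label:first-last`, assumed here), validate each range, and turn it into iptables DROP rules for both inbound and outbound traffic. The entries are constructed from documentation address space (RFC 5737/RFC 1918), not a real blocklist. It prints the rules rather than running them, so it can be reviewed before being applied.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the PeerGuardian "p2p" format (label:first-last).
# Ranges are documentation/test space, not real blocklist entries.
SAMPLE_BLOCKLIST = """\
# comment line, ignored
Example Adware Host:192.0.2.10-192.0.2.20
Example Tracker:198.51.100.0-198.51.100.255

Bad Range (start after end):203.0.113.50-203.0.113.40
Malformed line without range
"""

Entry = Tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_blocklist(text: str) -> List[Entry]:
    """Parse label:first-last lines, dropping comments and malformed ranges."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The label may itself contain ':', so split on the last one.
        label, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            continue  # not in label:first-last form
        first_s, _, last_s = rng.partition("-")
        try:
            first = ipaddress.IPv4Address(first_s.strip())
            last = ipaddress.IPv4Address(last_s.strip())
        except ipaddress.AddressValueError:
            continue  # unparsable address
        if first > last:
            continue  # inverted range: skip rather than block the wrong hosts
        entries.append((label.strip(), first, last))
    return entries


def iptables_rules(entries: List[Entry], in_chain: str = "INPUT",
                   out_chain: str = "OUTPUT") -> List[str]:
    """Emit one inbound (source) and one outbound (destination) DROP rule per range."""
    rules: List[str] = []
    for label, first, last in entries:
        comment = label.replace('"', "")[:256]  # iptables comment match limit
        rules.append(
            f'iptables -A {in_chain} -m iprange --src-range {first}-{last} '
            f'-m comment --comment "{comment}" -j DROP'
        )
        rules.append(
            f'iptables -A {out_chain} -m iprange --dst-range {first}-{last} '
            f'-m comment --comment "{comment}" -j DROP'
        )
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(parse_blocklist(SAMPLE_BLOCKLIST)):
        print(rule)
```

Malformed or inverted lines are dropped instead of guessed at, since a bad range in a DROP rule can cut off legitimate traffic; the `-m comment` match keeps the blocklist label visible in `iptables -L` so a rule can be traced back to its source later.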
 

eLiu

Diamond Member
Jun 4, 2001
6,407
1
0
Originally posted by: LS20
How do people get plagued with such things? I run Adaware and Spybot once in a while... and keep a regular check on my registry... it really keeps spyware from setting afoot...

Every time I check my other computers, though... Jesus H Christ!!!

Yeah...me too, and then I only get 1 or 2 bad things every few months. Where does all of you guys' spyware come from..? porn/warez? lol
 

flot

Diamond Member
Feb 24, 2000
3,197
0
0
Originally posted by: Amused
I use XP Pro SP1 with all critical updates and IE on medium security behind a router. The only spyware I have ever had is when I stupidly clicked "yes" to Comet Cursor once a LONG time ago. Other than that, I have NEVER had spyware installed on my machine against my will.

Getting spyware is a case of carelessness.

I have made this challenge in other threads for over a year and will make it here. Send me to a website that installs spyware on my machine against my will.

I'd be sure to do that, but it isn't necessarily that easy to track down. It's usually "oh hell not again" and I realize that one of the 30 sites I visited in the last 5 minutes sent me that crap.

And it is /not/ a case of carelessness, the authors have clearly found some holes to exploit, and I'd love to know where they are.
 

abaez

Diamond Member
Jan 28, 2000
7,155
1
81
Did anyone read the link that jonmullen posted about CWShredder's evolution?

The most recent one caught my eye:

CWS.Realyellowpage
Variant 39: CWS.Realyellowpage - Inducing homicidal tendencies
Approx date first sighted: March 16, 2004
Log reference: (not visible in HijackThis log)
Symptoms: IE pages changed to real-yellow-page.com, drxcount.biz, list2004.com or linklist.cc, hijack inexplicably returning on reboot with no file seemingly responsible
Cleverness: Where's my infinity character button?
Manual removal difficulty: Battle axe or chainsaw recommended
Identifying lines in HijackThis log:

(not visible in HijackThis)


This variant is a nightmare. If you come across an infected machine that keeps changing back to the aforementioned sites over and over again for no visible reason, you've probably seen this one. It's like whoever is responsible for this hired some blackhat coder and told him to make the most complex, invisible and devious hijacker he could think of. And he did.
The file is randomly named, and normally hooks into the IE process, loading itself as a module into it. And then it hides the host process from the process list. Yes, you read that right, the process hosting the dll disappears from the task list and most process viewers/managers we tried.
At first it was only visible with FAR Explorer, later we found PrcView also shows it, and has some nice command-line options which makes for nice scripting to aid in manual removal. For Windows 95/98/ME, booting the system into Safe Mode will prevent the file from loading, allowing for even easier manual removal:

* MANUAL REMOVAL INSTRUCTIONS *

Download PrcView here: http://www.spywareinfo.com/~merijn/files/pv.zip, unzip it to the desktop.

Be sure to have at least 1 Internet Explorer window open, then double click on the runme.bat.

Select option '2' from the menu.

Notepad will open with a log in it. Look for a line with this file, size and beginning to it.
The filename will always be different:
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll

This part indicates the bad file:
61c00000 61440
It will always start with that header.

Write down the filename behind it.

Now download KillBox:
http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip and run it.

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot".

On the next screen, click on the File menu and choose "Add File". The file you copied earlier should now show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

After rebooting, make sure the file is gone.

Tech info: Win9x/ME: Known to use the HKLM RunServicesOnce key to load, which is deleted by Windows after loading the file and recreated by the dll when Windows shuts down. Visible in Safe Mode, dll file is not loaded then and can be deleted.
WinNT/2000/XP: Known to use the HKLM AppInit_DLLs value to load, possibly more Registry keys. The 'delete file on reboot' function can be used (KillBox does this), provided the filename is known.
File is heavily encrypted using an unknown packer, has a modified PE header and crashes most (if not all) memory dumpers when an attempt is made to dump the file from memory. Hides the dll as well as the host process (IEXPLORE.EXE, RUNDLL32.EXE, CONTROL.EXE, REGSVR32.EXE, whichever one is used) by an unknown method.

Right now [17/04/04], CWShredder does not remove this variant. As soon as I figure out how to do it, I will update CWShredder for it.


That is absolutely amazing. I mean that people would spend hours coding something like this just boggles the mind.
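
The removal write-up quoted above identifies the randomly named DLL by the only things that stay constant: its load address and size in the PrcView listing (`61c00000 61440`), and, on NT/2000/XP, its presence in the `AppInit_DLLs` value. The block below is an added example, not part of the post or of CWShredder/PrcView, that automates that identification step and nothing more. It assumes PrcView's module lines have the shape shown in the post (`name base size path`) and that the registry side is available as a `.reg` export of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows`; both inputs below are constructed samples. It reports matches rather than deleting anything, so the deletion still happens through the "Delete on Reboot" step the post describes.

```python
import re
from typing import Dict, List

# Base address and size the write-up gives for the hijacker's DLL;
# the filename itself is random, so these are the only stable markers.
SUSPECT_BASE = "61c00000"
SUSPECT_SIZE = 61440

# Constructed sample of a PrcView-style module log (layout assumed from the
# single "name base size path" line in the post, not real tool output).
SAMPLE_PRCVIEW = r"""
ntdll.dll 7c900000 712704 c:\windows\system32\ntdll.dll
kernel32.dll 7c800000 1007616 c:\windows\system32\kernel32.dll
winajbm.dll 61c00000 61440 c:\windows\system32\winajbm.dll
browseui.dll 75f80000 1028096 c:\windows\system32\browseui.dll
"""

# Constructed sample of a .reg export of the key holding AppInit_DLLs
# on NT-family Windows.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\winajbm.dll"
"DeviceNotSelectedTimeout"="15"
"""


def find_suspect_modules(log_text: str, base: str = SUSPECT_BASE,
                         size: int = SUSPECT_SIZE) -> List[str]:
    """Return full paths of loaded modules whose base address and size match."""
    hits: List[str] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # header, blank, or otherwise not a module line
        _name, mod_base, mod_size, *path_parts = parts
        if not mod_size.isdigit():
            continue
        # Paths may contain spaces (c:\program files\...), so re-join the tail.
        path = " ".join(path_parts)
        if mod_base.lower() == base.lower() and int(mod_size) == size:
            hits.append(path.lower())
    return hits


def appinit_dlls_from_reg(reg_text: str) -> List[str]:
    """Extract the DLL paths listed in an exported AppInit_DLLs value."""
    for line in reg_text.splitlines():
        m = re.match(r'^"AppInit_DLLs"="(.*)"$', line.strip())
        if m:
            raw = m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
            # The value is a space- or comma-separated list of DLLs.
            return [p.lower() for p in re.split(r"[ ,]+", raw) if p]
    return []


def correlate(log_text: str, reg_text: str) -> Dict[str, List[str]]:
    """Cross-check the in-memory signature against the persistence entry."""
    modules = find_suspect_modules(log_text)
    appinit = appinit_dlls_from_reg(reg_text)
    confirmed = sorted(set(modules) & set(appinit))
    return {"by_signature": modules, "in_appinit": appinit, "confirmed": confirmed}


if __name__ == "__main__":
    for key, paths in correlate(SAMPLE_PRCVIEW, SAMPLE_REG).items():
        print(f"{key}: {paths or '-'}")
```

A path that appears in both lists is the one to write down for the "Delete on Reboot" step; a path that shows up under only one heading is worth a second look before anything is removed, since the write-up notes the variant may use more registry keys than AppInit_DLLs.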
 

thebenjamins

Banned
Jun 17, 2004
170
1
0
Originally posted by: flot
You guys who have never had it happen to you don't seem to understand what's going on.

I've gotten hit 3 times now. You end up at a questionable website, it starts popping up a gazillion windows - and I don't know WHAT it is exploiting in IE, but I sure as hell don't click 'yes' on anything (nor am I easily fooled into it) and the next thing I know, this crap is writing dlls and executables into my \windows\system32 directory, into \program files\ and more.

It's completely absurd. One "cleanup" site I went to mentioned something about a JVM security hole, but then according to that it should have been patched in some windows service pack. I run XP with all the latest updates, and these things have been a complete PITA.

PS: If you're really curious, just start visiting more questionable sites. I don't know the name of the last one I got, but the previous one was called "coolwebsearch" and whatever variant it was, none of the automated cleaning tools I found could do anything about it - I had to just start combing through directories and unregistering DLLs then deleting them.

Just take an email account at www.digiverse.net.
After it I killed all associated processes and searched for all new files that day and deleted what I didn't want, and it still came back.
 

Triumph

Lifer
Oct 9, 1999
15,031
14
81
abaez, that had to be what I had. The hijacked homepage wasn't the same, but all of the symptoms were: randomly changing filenames for DLLs, hidden processes, CWShredder wouldn't remove it, etc. I wish I had seen your post before I reformatted.
 

Zombie

Platinum Member
Dec 8, 1999
2,359
1
71
Originally posted by: dmurray14
Just wasted the last hour of my life removing the fscking spyware from hell. Not only does this sh!t completely take over your system, it makes it completely impossible to remove. I don't know what the hell this thing was, but it monitored what I was doing and would cancel any spyware-removal related downloads and would close spybot, adaware, or anything like that as soon as I opened it. I couldn't find the process at all. Why the hell do these spyware writers think that they have the power to completely fscking take over other people's PROPERTY with their horseshit motherfscking programs from hell!? We need anti-spyware laws or something! Ugh!!!

Anyway...anyone who gets this same sh!t on their system, what you have to do is run a system restore, then once the restore is complete and the "successful" dialog box is on the screen and keeping the shell and everything else from loading, run Spybot S&D and Adaware from the task manager to weed that crap out. If anyone finds out who wrote this sh!t, post their company name and IP and we'll all have fun with them.

Phew, glad I got that out! Rant over...



or you can use FIREFOX :)
 

yukichigai

Diamond Member
Apr 23, 2003
6,404
0
76
Originally posted by: DopeFiend
Originally posted by: Legendary
Reboot to safe mode with networking, proceed to download and remove spyware.
That method has never NOT worked for me.

This is very true. If you can't remove it from here, you don't know what you're doing. Period. :)
Not true. The latest CoolWebSearch variant was written by someone who spent entirely too much time on it. It even had foils for detecting the process or disabling it in safe mode. Merijn ranked it as "where's my infinity character button" out of ten in terms of cleverness. And he's right too. The thing is nuts.

Bleah, the folks at CoolWebSearch need to die.

EDIT: Someone else posted info about it a few posts up. (Realyellowsearch)
 

PanzerIV

Diamond Member
Dec 19, 2002
6,875
1
0
I had a coworker who brought in his personal laptop for me to look at since as usual he screwed it up. Turns out he had some viruses and spyware. Ok, pretty standard stuff and I confidently got rid of all that crap, or so I thought. He has this one S.O.B. program that hijacks his browser and nothing in my power could stop it. I tried all of my old standby programs like HijackThis and although it identifies it and seemingly removes it, upon the next reboot the friggin' program is back again. It didn't matter that I cleaned it out of the registry or removed a DLL from the system32 folder and checked for suspicious programs running in the background. Nothing worked and I haven't been that frustrated or beaten in a long time.
In my opinion the creators of this stuff are no different than virus writers or hackers. They should be prosecuted. Our systems are not their personal playgrounds to f^ck with and sell their sh!t. I deeply resent those bastards.
 

Chunkee

Lifer
Jul 28, 2002
10,391
1
81
I had this about a month ago, did a Google search and found the best way to get rid of it was to go into the registry, deny system access, reboot, delete the files, and then clean a few times. That took care of it.

PEST PATROL, SPYBLASTER, ADAWARE, SPYBOT and ZA Pro with NORTON all run on my PC; I use Firefox also.

Had not had one since.

Also, stay away from crap sites and QUIT CLICKING YES on pop-up dialogs.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,601
167
111
www.slatebrookfarm.com
While it can be argued that it's the user's fault that they get these programs in the first place, it's like adding a key to the keyboard between the g and the h, with the promise that if you accidentally hit that key, your computer is going to need to be reformatted to fix the error, unless you're nearly an expert at using it - accidentally hitting that key means that some company is going to cost you many hours of your time to fix the problems it causes.

I think the problem is just as great or greater than problems of spam mail and unwanted phone solicitations. I can easily delete the spam mail. I can easily hang up the phone. But, these companies have made it next to impossible to fight their intrusion into our lives, and our property!

So, I rattled off an email to Senator Clinton. I hope many of you would start doing the same. I think that the lack of public outcry is a large reason why nothing is being done about this problem. (wouldn't a simple law stating that all software needs to have a clearly identified program associated with it that will completely remove that software?)

Unfortunately, there is no public outcry. (While Anandtech is a major forum, #11, it's still just a drop in the bucket. We can complain to each other all we want, but our voices aren't being heard.)
 

chiwawa626

Lifer
Aug 15, 2000
12,013
0
0
Originally posted by: Legendary
Reboot to safe mode with networking, proceed to download and remove spyware.
That method has never NOT worked for me.

:p my first thought when I read the title lol..
 

thebenjamins

Banned
Jun 17, 2004
170
1
0
Originally posted by: DrPizza
While it can be argued that it's the user's fault that they get these programs in the first place, it's like adding a key to the keyboard between the g and the h, with the promise that if you accidentally hit that key, your computer is going to need to be reformatted to fix the error, unless you're nearly an expert at using it - accidentally hitting that key means that some company is going to cost you many hours of your time to fix the problems it causes.

I think the problem is just as great or greater than problems of spam mail and unwanted phone solicitations. I can easily delete the spam mail. I can easily hang up the phone. But, these companies have made it next to impossible to fight their intrusion into our lives, and our property!

So, I rattled off an email to Senator Clinton. I hope many of you would start doing the same. I think that the lack of public outcry is a large reason why nothing is being done about this problem. (wouldn't a simple law stating that all software needs to have a clearly identified program associated with it that will completely remove that software?)

Unfortunately, there is no public outcry. (While Anandtech is a major forum, #11, it's still just a drop in the bucket. We can complain to each other all we want, but our voices aren't being heard.)

Haven't you read the posts? I didn't click on any acceptance at all, and the damn thing got on my system twice! And no, the usual software didn't remove it at all.
 

flot

Diamond Member
Feb 24, 2000
3,197
0
0
Haven't you read the posts? I didn't click on any acceptance at all, and the damn thing got on my system twice! And no, the usual software didn't remove it at all.

Ditto that. I've been fixing people's computer problems for almost 20 years now (yes I know how to make a 5.25" floppy double sided) and I certainly don't go around authorizing random crap programs to install... this is definitely some sort of IE hole, and it is NOT amusing.

It took me H-O-U-R-S to remove the last time, and the only reason I was successful is that I knew the approx time of infection, so I could search for files with those approximate timestamps and try to delete them. (Although a few of them resisted deletion with amazing success: could never find the process that was locking them, dlls that refused to unregister, etc.)
 

ShawnD1

Lifer
May 24, 2003
15,987
2
81
Originally posted by: flot
I certainly don't go around authorizing random crap programs to install... this is definitely some sort of IE hole, and it is NOT amusing.

It sort of is amusing because it shows who still uses IE after knowing how insecure it is. If people choose to stick with IE even after knowing how insecure it is, maybe they deserve the harsh lesson. The worse the spyware gets, the faster people will learn to stop using IE.
 

FunkierThanU

Senior member
Jan 19, 2004
294
0
0
The first step in removing that crap is to drop your internet connection. If you're still online it will just keep loading right behind you! Downloading Ad-Aware and running it while offline will catch some of it.

Knowing which processes are part of it is half the battle. It doesn't hurt to find the paths of where they live on your PC and delete them after booting up in DOS so they aren't all reloading each other.

After that, cleaning up the Registry can help.



Of course the easiest fix I've found is good ol' Windows XP restore points! Back up your data and then jump back to a restore point from before that crap got on your machine in the first place.

BTW, most folks get this from clicking links in SPAM. If you don't know better than to use Internet Explorer AND you don't know better than to click a URL in SPAM then.... well.... maybe rebuilding a PC might not be a bad thing for you. :D
 

JustAnAverageGuy

Diamond Member
Aug 1, 2003
9,057
0
76
I've not gotten any spyware since I switched to Opera.

The best way to stop spyware is to prevent it.

Recommended:

Opera / Firefox
Spybot S&D + immunizations
Adaware
HijackThis
CWShredder
AVG
hardware firewall
Windows XP SP2
All win updates
Win firewall (SP2) on (better than nothing)
(Optional) ZoneAlarm
A well configured HOSTS file

And finally, the most important one of all:

you != dumbass

Everything on there is free to use, except the hardware firewall. Opera is only $15 for students, otherwise ad supported. IMO, Opera > Firefox, but, firefox is better than IE anyday.
 

MisterMe

Senior member
Apr 16, 2002
438
0
0
Just installed that Firefox thing. Sorry, but talk about POOP! I'll give it a re-visit when it's like v4.0...

In the meantime, my trusty Google toolbar and Ad-Aware are doing just fine...
 

eigen

Diamond Member
Nov 19, 2003
4,000
1
0
Originally posted by: MisterMe
Just installed that Firefox thing. Sorry, but talk about POOP! I'll give it a re-visit when it's like v4.0...

In the meantime, my trusty Google toolbar and Ad-Aware are doing just fine...

What did you not like about Firefox? Just wondering.
 

silverpig

Lifer
Jul 29, 2001
27,703
12
81
Originally posted by: eigen
Originally posted by: MisterMe
Just installed that Firefox thing. Sorry, but talk about POOP! I'll give it a re-visit when it's like v4.0...

In the meantime, my trusty Google toolbar and Ad-Aware are doing just fine...

What did you not like about Firefox? Just wondering.

Prolly didn't want to download/install any plugins or something. I dunno.


Hardware linux based router
linux + firefox

or

linux router
xp + firefox + NAV + spybot + adaware + me != teh cumbass = no crapware