Getting pwned by spyware

duragezic

Lifer
Oct 11, 1999
So yesterday I had to go to my boss's house to fix her personal computer since her internet stopped working. After describing the problem, I knew it was messed up Winsock settings since they had removed some spyware and whatnot. So it was fixed fine until today when she told me she was getting bombarded with popups, ads, etc. So I went over there and there was tons of spyware, adware, and malware so I did the standard steps of removing what I can in Add/Remove programs, clearing temp files, running Ad-aware, Spybot, deleting startup items, clearing entries from the registry, msconfig, etc. I also installed Firefox on their machines and told her to use that from now on for prevention of spyware.

But I have a couple of problems. For one, I have the same problem as this guy. But in that thread, it doesn't appear that he ever got a solution so that the exception on the startup would stop. Perhaps this is related to the fact that ISTbar and CWS keep coming back. I did disable the system restore. But after every restart, I get that exception, and running Ad-aware or Spybot keeps coming back with (mostly) ISTbar and CWS entries, yet either they get fixed and just come back or it just can't fix them at all. I downloaded HijackThis and removed said entries from that thread, but those come back. There is a Program Files\ISTbar directory that if I boot into safe mode I am able to delete the ISTbar.exe, but regardless, it comes back after a restart, and loads on startup. Several spyware startup entries in MSconfig keep coming back also. But otherwise, I think I removed the rest of the loads of spyware from her machine.

Does anyone have any ideas?

Oh yeah, I downloaded CWShredder thinking if I could get CWS completely off I might have less troubles. But that program keeps crashing as soon as it starts scanning to Fix. I tried that CWS killer mini util but it said I did not have that specific program on there so I don't think that was causing CWShredder to quit.
 

imported_Phil

Diamond Member
Feb 10, 2001
Originally posted by: duragezic
There is a Program Files\ISTbar directory that if I boot into safe mode I am able to delete the ISTbar.exe, but regardless, it comes back after a restart, and loads on startup. Several spyware startup entries in MSconfig keep coming back also. But otherwise, I think I removed the rest of the loads of spyware from her machine.

You're on the right track; have you run the various adware-removal tools in Safe Mode?
I wouldn't mind betting that'll yield better results than battling with it when it's memory-resident :)

 

rh71

No Lifer
Aug 28, 2001
I didn't read all that but noticed ISTbar... I had the same crap... took a few times of running Yahoo AntiSpy, Adaware, then Norton Antivirus to get rid of it all.
 

KeyserSoze

Diamond Member
Oct 11, 2000
Yeah, I would recommend Safe Mode with Networking. Run the spyware tools like you have been doing (hopefully updated, right?) and then maybe even try to run a free online virus scan. Maybe some of those are considered "Trojans", and might get dealt with that way.

I don't know what else to recommend, except that you seem to be doing the right things.

KeyserSoze
 

Bearcat14

Member
Oct 2, 2004
Good luck to you on this. Unfortunately, I had much the same problems as you a while ago. I was able to get rid of IST bar, but Cool Web would not go away no matter what I did (CWS shredder DOES NOT work b/c I think the guy that was updating it (yes, only 1 guy) quit doing it).

As far as I know, there is no easy solution to getting rid of Cool Web Search. I had to reinstall windows to get rid of it, essentially doing a hard drive erase. I simply got tired of fighting the stupid thing. There are web sites out there that will explain to you how to get rid of it, but when I printed out the complete directions, it was about 50 pages long!!!! I hope you have better luck than me, and if you do, post your solution here so no one else has to endure this.

 

warcrow

Lifer
Jan 12, 2004
- Download and update the following apps: Spybot Search and Destroy, Adware SE (you already have, but be sure to update it), and Spywareblaster
- Reboot into safe mode.
- Run all 3 applications.
- Boot back into windows and see if you have the same issue.
- Report back here with what happens.
 

imported_Phil

Diamond Member
Feb 10, 2001
Originally posted by: warcrow
- Download and update the following apps: Spybot Search and Destroy, Adware SE (you already have, but be sure to update it), and Spywareblaster
- Reboot into safe mode.
- Run all 3 applications.
- Boot back into windows and see if you have the same issue.
- Report back here with what happens.

In addition to that, download & run Hijack This 1.99 and post the log file for us to have a look at. Make sure you run all those apps in Safe Mode!
 

duragezic

Lifer
Oct 11, 1999
Ok. Well I didn't run them in Safe Mode previously, but I will try that. They also have the newest Symantec AV so I will run that. I did download HijackThis to her computer, but the next time I go there (either tomorrow or not till next week) to work on it, I would have to get the log and post it, but likely by the time I got a reply I wouldn't be there working on it anymore.

Anyway, thanks for the suggestions all. Hopefully I can clear it out completely next time, cause I don't really want to have to format. I don't really like formatting other people's rigs because I don't know everything they need backed up and the like.
 

Rip the Jacker

Diamond Member
Dec 29, 2004
Yes. Here's an idea.

Copy important information to CDs.

Reformat.

Install AntiVirus/Firewall/Spybot/AdAware/etc

Install Firefox

Done!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
They also have the newest Symantec AV so I will run that.
Disable System Restore so the stuff can't pop back out from System Restore. Also, run an antivirus scan in Safe Mode, after updating Norton to the very latest daily antivirus defs. On the Norton Antivirus options, go through each and every panel and max out all detection options, including for spyware/adware/Trojans/dialers/etc. I also recommend a "silently delete" approach whenever possible, to take the human element out of the picture.

I bet if you run Microsoft Baseline Security Analyzer you'll also find it coming up as Severe Risk. Secure the Admin-class accounts with strong passwords if MBSA gripes about them being weak/blank. Don't want to be giving the malware a victory-by-forfeit here ;)


edit: also, educate the users about spyware/adware. Firefox doesn't keep them from seeing an advertising banner for FREE LIVING DOLPHINS 3D SCREENSAVER!!!, and downloading & installing it (and whatever package of adware is hidden in it), does it now ;) Bait... hook... yeah. Education.
 

Lanyap

Elite Member
Dec 23, 2000
Try the 30 day full version trial of SpySweeper. Also run each level of Ad-Aware SE. It has a smart scan feature which is default and a full scan. I had to clean up a friend's Dell 4300S that was full of malware. Ran each spyware prog and AV multiple times till it was clean. Even then her PC was still sluggish so I did a clean load from her Dell recovery CD. Runs great now.

 

BW86

Lifer
Jul 20, 2004
Use spywareblaster

This is what I use:
Ad-Aware
Spybot
Spywareblaster
Firefox is a plus ;)
 

SuPrEIVIE

Platinum Member
Aug 21, 2003
Originally posted by: mechBgon
They also have the newest Symantec AV so I will run that.
Disable System Restore so the stuff can't pop back out from System Restore. Also, run an antivirus scan in Safe Mode, after updating Norton to the very latest daily antivirus defs. On the Norton Antivirus options, go through each and every panel and max out all detection options, including for spyware/adware/Trojans/dialers/etc. I also recommend a "silently delete" approach whenever possible, to take the human element out of the picture.

I bet if you run Microsoft Baseline Security Analyzer you'll also find it coming up as Severe Risk. Secure the Admin-class accounts with strong passwords if MBSA gripes about them being weak/blank. Don't want to be giving the malware a victory-by-forfeit here ;)


edit: also, educate the users about spyware/adware. Firefox doesn't keep them from seeing an advertising banner for FREE LIVING DOLPHINS 3D SCREENSAVER!!!, and downloading & installing it (and whatever package of adware is hidden in it), does it now ;) Bait... hook... yeah. Education.


I have several partitions. Is it recommended to turn off System Restore on all drives?
 

Jeff7

Lifer
Jan 4, 2001
I don't know if I can remember all of what I did when a CWS variant kept crashing CWShredder... I know it kept using random-named DLLs in the Windows folder. I was able to work in DOS, as the people were using FAT32 with WinXP, and I did a directory of the system32 folder, sorted by date, and I had to go through and wipe out any suspicious DLL files - rather risky if you don't know what you're looking for. I also set the hosts file's attributes to +system and +read-only. That was able to cripple the POS enough so that it wouldn't load; I don't remember how I found it then, if it was found manually, or if CWShredder was able to kill it. They also had the IBIS Toolbar, which also is able to regenerate its entire Program Files folder from a hidden file.

Some of the new variants of CWS are able to either trick, or entirely evade HijackThis.


And yes, Firefox is a good bet too, at least until the a$$es who write CWS, and other spyware, decide that Firefox users are a viable market, and start exploiting Firefox's vulnerabilities.
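As an added illustration of the two manual checks Jeff7 describes (a system32 listing sorted by date with random-looking DLL names picked out, and the hosts file carrying the read-only and system attributes), here is a small Python triage helper. It is not code from any poster; the directory listing and file names are constructed samples, and a real run would feed it `os.scandir()` results and `st_file_attributes` from `os.stat()` on Windows.

```python
from datetime import datetime, timedelta

# Attribute bits as returned in os.stat(path).st_file_attributes on Windows
# (same values as stat.FILE_ATTRIBUTE_READONLY / stat.FILE_ATTRIBUTE_SYSTEM).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample listing of (name, last-modified). On a real box this would
# come from os.scandir(r"C:\Windows\system32") and entry.stat().st_mtime.
NOW = datetime(2005, 3, 1, 12, 0)
SAMPLE_LISTING = [
    ("kernel32.dll", NOW - timedelta(days=400)),
    ("advapi32.dll", NOW - timedelta(days=400)),
    ("xkqzvtrw.dll", NOW - timedelta(hours=5)),   # constructed random-named DLL
    ("mshtml.dll", NOW - timedelta(days=30)),
    ("mfc42.dll", NOW - timedelta(days=3)),       # recent but normally named
    ("hzpqlmnv.dll", NOW - timedelta(days=1)),    # constructed random-named DLL
    ("hosts", NOW - timedelta(hours=2)),
]

def looks_random(name):
    """Heuristic: an all-letter stem of 6+ chars with at most one vowel is
    unlike vendor naming and worth a closer look (triage aid, not proof)."""
    stem = name.lower().rsplit(".", 1)[0]
    vowels = sum(ch in "aeiouy" for ch in stem)
    return len(stem) >= 6 and stem.isalpha() and vowels <= 1

def recent_dlls(listing, now=NOW, window_days=7):
    """The 'dir sorted by date' view: DLLs touched within the window, newest first."""
    hits = [(n, t) for n, t in listing
            if n.lower().endswith(".dll") and now - t <= timedelta(days=window_days)]
    return [n for n, _ in sorted(hits, key=lambda x: x[1], reverse=True)]

def suspicious_dlls(listing, now=NOW, window_days=7, known_good=frozenset()):
    """Recent DLLs with random-looking names, minus an explicit baseline of
    names you have already verified (compare against a clean machine)."""
    return [n for n in recent_dlls(listing, now, window_days)
            if looks_random(n) and n.lower() not in known_good]

def hosts_locked(attrs):
    """True when the hosts file carries both attributes Jeff7 set (+R +S)."""
    want = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM
    return attrs & want == want

if __name__ == "__main__":
    for name in suspicious_dlls(SAMPLE_LISTING):
        print("review:", name)
    print("hosts locked:", hosts_locked(FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM))
```

The name heuristic will also flag a few legitimate short names, which is why the baseline parameter exists: build it from a known-clean install rather than trusting the listing on the infected box.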
 

intogamer

Lifer
Dec 5, 2004
When you have that kind of problem I would format>sp2>firewall>norton 2005>ms spyware, spybot(etc.)

edit>firefox
 

KoolDrew

Lifer
Jun 30, 2004
Originally posted by: SuPrEIVIE
Originally posted by: KoolDrew
Microsoft's Anti-Spyware is great. Especially with its real time protection.

but isn't it in beta still?

Yes, but I have not had any problems with it nor have I heard about anyone having problems with it. It was actually Giant's anti-spyware, but Microsoft bought it and I have seen many tests that showed it to come out on top and with its real time protection it makes it an all around great product.

Don't be worried about trying it just because it is in beta. It is a great product.
 

madthumbs

Banned
Oct 1, 2000
Spybot, Adaware -teh suck
Webroot's SpySweeper, M$ Antispy =teh win

Whoever mentioned Norton prolly has trojans up the ying-yang. ;)
 

Slickone

Diamond Member
Dec 31, 1999
Originally posted by: madthumbs
Spybot, Adaware -teh suck
Webroot's SpySweeper, M$ Antispy =teh win

Whoever mentioned Norton prolly has trojans up the ying-yang. ;)

Was listening to Kim Komando's show today (uh, as background noise), and she said Ad Aware wasn't very good anymore. Said Webroot's Spysweeper was the best, along with (I think she said) Spybot and M$'s. Don't think she mentioned Spywareblaster but I wasn't really actively listening. :)
 

SuPrEIVIE

Platinum Member
Aug 21, 2003
I just used MS antispy and I like it, but hesitated to install b/c I already got Spybot, Adaware and Spywareblaster on, including Spy Sweeper (trial) which I removed.

I decided to keep MS antispy. It already has real time protection, so should I keep Spywareblaster, which also does this?