
Quick! Other than adaware, what's a good prog to clean out spyware?

StageLeft

No Lifer
Screw me if some dickweed piece of sh*t site didn't get a bunch of crap onto my computer, so now it's a royal mess. I hear that adaware doesn't clean everything - what's another top dog program? TIA~!
 
Are you saying you tried Ad-Aware and there's still stuff? Is it coming back after being removed?
 
Originally posted by: mechBgon
Are you saying you tried Ad-Aware and there's still stuff? Is it coming back after being removed?
I'm saying I don't know that AA has definitions for everything, and I need to be sure it's all gone...

 
Spybot Search & Destroy is another one you can try.

Bigger picture: your defenses are weak somewhere. Questions:
  1. What people use this computer and do they have Administrator-class accounts or restricted accounts?
  2. What operating system does it have, and what service pack level
  3. What antivirus do you have
  4. What firewall(s) do you have, hardware and/or software
 
Originally posted by: mechBgon
Spybot Search & Destroy is another one you can try.

Bigger picture: your defenses are weak somewhere. Questions:
  1. What people use this computer and do they have Administrator-class accounts or restricted accounts?
  2. What operating system does it have, and what service pack level
  3. What antivirus do you have
  4. What firewall(s) do you have, hardware and/or software
I use it. I installed it because some fvcking site popped up something and I was expecting a file, so I hit install, but this popup was before the one I was expecting, so a bunch of exes and processes and all that good stuff started up.

Anyway, I used adaware, and now the damn sh*t keeps popping up after reboot (most of it's gone, but a few critical objects are still here), so adaware has to clean it again. Thanks - I'll give spybot a go 😀

Actually a few are cookies. They don't bother me themselves, but no idea how they keep getting there. The fourth problem that keeps popping up is "istbar". It's a registry setting it keeps writing, and I'd love to know what application is writing it, but all either of the progs can find is the registry entry.
 
Since your malware is returning, you should do this:
  1. Rant & throw stuff
  2. Download Hijack This, save it into C:\HJT, and extract the .exe out of the .zip file to that folder
  3. Run it and hit Save Log to save the log file
  4. Post the logfile's contents here
  5. Get Schadenfroh to check it out and recommend what to do 😎
Also, post screenies of your Windows Services list that you would find in Control Panel > Administrative Tools > Services, like this.

Can I suggest switching to a Limited-class account (called a Restricted-User account if you've got Win2000Pro)? Save the Administrator powers for another account that you use when you need it. If you need to run something with Admin powers from within your limited/restricted account, just right-click it while holding Shift, and choose Run As.... I use this precaution myself at home, and as a Restricted User I would not have seen that installer popup that started this mess. Even if I had, it could not have installed since that power is locked away. Try it for a while.
 
I'll give that a go. The malware is gone, but now I've got, upon booting, three cookies - doubleclick.net, ehg-idg.hitbox.com, hitbox.com. I wish the people who do this stuff would die! This is infuriating. Spybot and ad-aware are both finding totally different problems upon each bloody reboot. This was from ONE click.

Spybot keeps finding the dsoexploit. I have XP and SP2 btw, and zonealarm. HJT log is here:

Logfile of HijackThis v1.97.7
Scan saved at 10:13:15 PM, on 11/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\GrabIt\GrabIt.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///D:/home.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/of...pdate/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1098032109780
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.c...cabs/flash/swflash.cab

Services are now linked here. Is there any point in keeping Remote Registry running?

Ah, I see it was a silly error with spybot as to why dso exploit keeps getting reported.
 
I see your System Restore is running. That could be a reason that certain things come back. OTOH, if you used System Restore, you might be able to go back to before this thing got in the door, too. I have a thing against SR since it seems like every virus under the sun has to have SR disabled in order to remove it. So why even give them this hiding place to start with, that's what I say :evil:

Anyway, if you PM Schadenfroh I'm sure he could give you some advice on what to have HJT fix. 🙂
 
Hello Skoorb,

Before you do anything
1. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, for HijackThis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

Fix the following in HijackThis (kill the process in process viewer, if it's there):
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/home.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///D:/home.html
  • R3 - Default URLSearchHook is missing
  • O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
  • O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

Additional Steps

1. Clear your Temporary Files
2. Remove the following via the instructions provided:
3. Delete the following folders
  • c:\program files\180solutions
  • C:\PROGRA~1\COMMON~1\tsa
4. Restart into normal Windows
5. Update to the latest version of HJT and post a new log, as some malware can hide from the older versions of HJT; download the latest HJT.

Notes
Don't worry about the DSO exploit; it is a bug and harmless.
 
Thanks, I'm doing that now, as well as going at it with adaware, spybot, CWS, and spywareblaster (runs all the time to prevent spyware I guess - is this a silly app? I'd hate one to really drag down system resources).

I also am using pandasoftware.com's online antivirus and it's found one on my PC, which it has removed. Sadly, it didn't say what the virus was, but it had infected 116/97,000 files.
 
(runs all the time to prevent spyware I guess - is this a silly app? I'd hate one to really drag down system resources).

No, you enable all protection and close it. It does not take up any resources. See This Link. It is one of the best tools ever to prevent spyware.
 
Originally posted by: Schadenfroh
(runs all the time to prevent spyware I guess - is this a silly app? I'd hate one to really drag down system resources).

No, you enable all protection and close it. It does not take up any resources. See This Link. It is one of the best tools ever to prevent spyware.
OK great! How does it protect though, if it's not running...? I see that spybot has immunity, which I guess is the same thing.

I'm still working on this 🙂 BtW those "home.html" is actually my homepage, with a bunch of quick links on it, to save clicking through IE menus 😛
 
Originally posted by: Skoorb
Originally posted by: Schadenfroh
(runs all the time to prevent spyware I guess - is this a silly app? I'd hate one to really drag down system resources).

No, you enable all protection and close it. It does not take up any resources. See This Link. It is one of the best tools ever to prevent spyware.
OK great! How does it protect though, if it's not running...? I see that spybot has immunity, which I guess is the same thing.

I'm still working on this 🙂 BtW those "home.html" is actually my homepage, with a bunch of quick links on it, to save clicking through IE menus 😛

IIRC it puts "hooks" in your system that keep the specific spyware from installing. It also blocks bad cookies and adds sites to IE restricted zones. It does all of this when you hit enable all protection, and once it's done, you're immune to those specific infections (but new variants come out every day, so keep it updated). Spybot only does ActiveX; SpywareBlaster does much more and has a much larger database for prevention. Sorry for trying to get you to nuke your home page 😛 many hijackers do stuff that looks like that and I did not know.
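The two "hooks" Schadenfroh describes are plain registry settings, which is why the tool does not need to stay running: Internet Explorer reads an ActiveX "kill bit" (Compatibility Flags 0x400 under the ActiveX Compatibility key for a control's CLSID) before it will instantiate a control, and it consults the ZoneMap\Domains keys to decide which security zone a site falls in. The following is an added example written for this thread, not SpywareBlaster's code. It emits a .reg file that sets a kill bit for each CLSID given and puts each domain into the Restricted sites zone (zone 4). The CLSID used is a null placeholder, not a real control; the two domains are the tracking-cookie hosts Skoorb listed earlier in the thread.

```python
"""Build a .reg file applying ActiveX kill bits and IE Restricted-zone entries.

Added example for this thread; not SpywareBlaster's code. PLACEHOLDER_CLSID is a
stand-in for a real control's CLSID. Import the output with regedit (kill bits
live under HKLM, so that part needs an Administrator account).
"""
import re

KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
KILL_BIT = 0x400        # Compatibility Flags: IE refuses to instantiate the control
RESTRICTED_ZONE = 4     # URLZONE_UNTRUSTED, the "Restricted sites" zone

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Placeholder CLSID (the null GUID), standing in for a control you want blocked.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"
# Tracking-cookie hosts named earlier in the thread; a bare domain also covers its subdomains.
SAMPLE_DOMAINS = ["doubleclick.net", "hitbox.com"]


def killbit_entries(clsids):
    """One registry key per CLSID, each with the kill bit set."""
    out = []
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        out.append(f"[{KILLBIT_KEY}\\{clsid.upper()}]")
        out.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        out.append("")
    return out


def restricted_zone_entries(domains):
    """One ZoneMap key per domain; the "*" value applies to every scheme (http, https, ...)."""
    out = []
    for domain in domains:
        d = domain.strip().lower()
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a bare domain name: {domain!r}")
        out.append(f"[{ZONEMAP_KEY}\\{d}]")
        out.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')
        out.append("")
    return out


def build_reg(clsids, domains):
    """Complete .reg text. Regedit expects the version header and CRLF line endings."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += killbit_entries(clsids)
    lines += restricted_zone_entries(domains)
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg([PLACEHOLDER_CLSID], SAMPLE_DOMAINS))
```

Because these are static settings, they cost nothing at run time, which is why SpywareBlaster can be closed after "enable all protection"; the flip side, as the post says, is that a control or site not yet in the list is not covered until the list is updated and re-applied.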
 
Here's where I stand then. I killed the virus, killed spyware with ad aware, spybot, cws, hjt, and now have run spywareblaster and FINALLY I am not having an annoying cookie with ad-aware. I wonder how long until I have one *shrug*.

Anyway, thanks for all the help. It's muchly appreciated and I'm no longer having violent tendencies. I was reading a couple of days ago about a guy on slashdot who went to one site he knew about to see how badly it could kill his machine. I didn't expect I'd experience it myself so soon!
 
I have about 80 systems to look after, and the #1 countermeasure against spyware in my opinion is to not have people running wild with Admin powers when they don't need them (with beefy, well-configured spyware-aware antivirus protection as backup). If they have Admin powers, they can install spyware despite having Firefox, it won't stop them downloading a Gator/Weatherbug/PrecisionTime/FREE SMILIES FOR YOUR EMAIL!! installer if they want to. 😉 But we all have our opinions, I realize.

I found the Vitalsecurity link in this INQ article seems to describe what happened to Skoorb. Check it out.

 
Originally posted by: mechBgon
I have about 80 systems to look after, and the #1 countermeasure against spyware in my opinion is to not have people running wild with Admin powers when they don't need them

AMEN!
 
Regarding the "free smiles", mrsskoorb installed that recently. The product itself is actually quite cool, though ad-aware considered it spyware, so I deferred to spyware. Plus I'm sure it was one of the ways that a bunch of crap got on the system!
 
On the DSO exploit - as aforementioned, if your windows install is up to date on patches it's no problem - but if you want to get rid of it anyway, go here
 