Man, I REALLY hate this.. have all these damn spyware things I never agreed to be installed and can't seem to get rid of on my computer. p**ses me off how there's so many f**kwads out there that seem to have nothing better to do than design s**t to screw other people's computers.
Seems like nothing out there yet will completely eliminate all of them, and despite all the reg editing and digging and deleting and restarting and rescanning some of them still persist.
Are some companies so f**king pathetic for people to visit their website they feel they need to make s**t like this? Man, I hope there's a special circle in hell for people who design crap like this...
(sighs and goes back to try to clear out his computer...)
-grim
I'm with you on the special place in hell for these pricks. I work network support at an educational institution and we have to keep watch on this crap constantly. McAfee, the virus software that we use, usually releases an update once a week for their virus definitions; this week they have released five updates.
You need to run Adaware or Spybot (both have free versions), and make sure you update it at their website so you know it will detect the particular evil that is infesting your computer. I have found some specific scripts for some of these just by doing a Google search.
What exactly is the spyware doing? From your comments, I'm guessing it's a browser hijack of some sort. I had one last year that kept changing my homepage and putting shortcuts to online casinos on my desktop. McAfee couldn't fix it and neither could AdAware, nor any amount of digging for it on my own. Did a Google search for the name of the site that kept popping up, and eventually found a freeware program specifically designed to clean up that type of hijack. Can't remember what it was called or where I found it, but it worked like a charm.
Once it was fixed, I immediately downloaded all of the patches from Microsoft I'd been ignoring, and eventually switched to PC-cillin and Spybot. Haven't had a problem with viruses or spyware since.
Post Edited (03-26-04 09:06)
I'm with you Grimsnipe!
Spyware is becoming an insanely bad problem. I work tech support for an ISP and you have no idea how many calls we receive about browser hijacking and things of that nature.
As for people burning in hell, I would personally like to take out the person who created GATOR and the bastard who invented NEW.NET.
As Trek_Geezer said, run both Adaware (http://www.lavasoftusa.com) and Spybot which you should be able to find at http://www.download.com. I'm pretty partial to SpyBot myself as it is extremely in depth. But Adaware will find things that Spybot misses.
While visiting my in-laws back in Feb, I found over 200 spyware objects in 20-some odd running processes. Some had been installed unknown to the owners for nearly a year. We only discovered it due to browser hijacking.
Adaware did a very good job of cleaning it up - except for Gator. Gator was a pain to get rid of, and finally I had to 'outhack' the crackers who wrote it.
Adaware would delete it, and on next reboot, it would reinstall. Gator is a pain, and they are proud of it, as their web site seems to indicate.
In any case, don't give up. A little patience (ok, a LOT of patience) will go a long way, and clean things as systematically as you can. Once you get 'clean,' it will be easier to keep it clean.
Spammers, virus/worm writers, spyware. All of 'em should be shot, imo. The damage they cause is enormous. We probably don't even know ALL the consequences yet.
ulthar wrote:
> Adaware would delete it, and on next reboot, it would
> reinstall.
Exactly what was happening to me last year. Frustrating as hell.
I can't even imagine what kind of sick people write viruses, or just what kind of sleazy crook uses browser hijacking to boost traffic on his site. It's just unbelievable to me that people can be so...... I don't even have a word for it.
I'd like to see them all roasted over a cheery fire.
Post Edited (03-26-04 09:54)
I had some stinkin' program download itself on my computer that every time I did a Google search, this other program would open a new window, run a search on some other search engine site, and give that to me. Then another stinkin' thing with "funny icons" that actually installed a toolbar right on my browser. Usually if you do a search on the name of the program, you can find a way to delete it.
I use Spybot, but you have to be a little careful. The first time I used it, I just let it delete everything it wanted to, which caused some problems. I'd get these little dialog boxes with error messages, then another and another cascading diagonally across my screen. Luckily Spybot has a restore feature. Seems to work good now. I pick off 50 or so programs every time I run it.
Do NOT run spybot on a machine that has a real copy of Kazaa on it. It will remove the ad programs that come with Kazaa and you will lose the program.
Which might not be such a bad thing anyway.
Hey listen up all, there's a free program I found called SPYWAREBLASTER and it has been a total blessing!
Here's how it works:
"SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
By setting a "kill bit" for spyware ActiveX controls, SpywareBlaster can prevent the installation of any spyware ActiveX controls from a webpage. It does this while not interfering with "friendly" ActiveX controls - so your browser can work correctly and you can have peace of mind!
You won't get any more annoying "Yes/No" boxes popped up, asking you to install a spyware ActiveX control (which can increasingly be found in pop-up ads!). In fact, Internet Explorer will never even download or run the spyware ActiveX control!
In addition, SpywareBlaster can prevent many of these spyware ActiveX controls from running, even if they are already installed on your system.*
The newest SpywareBlaster version can even block spyware/tracking cookies!
And SpywareBlaster does not need to be running in the background to provide this protection!
The SpywareBlaster database contains information on these known spyware Active-X controls. Make sure you run the Check For Updates feature frequently to get the latest database! (And make sure you check the new items to protect your system against them!)"
I'm telling you, I have had almost no spyware, adware, malware or browser hijackers since I installed this many months ago.
If you do install it, you'll want to make sure that you update it right away as there are several updates available.
Go here to get it:
http://www.javacoolsoftware.com/spywareblaster.html
By using Spywareblaster and running Spybot S & D once a week, you'll pretty much wipe out spyware for good on your p.c.
Post Edited (03-26-04 16:17)
Ash, you sound like a salesman. LOL
Does sound like a pretty awesome prog. I'll have to check it out.
I haven't had any kind of spyware install itself on my system since I told Explorer to prompt before running ANY ActiveX stuff. Of course it's a little bit of a pain because EVERY SINGLE COMMERCIAL WEB SITE ON THE PLANET uses ActiveX, even when there is no valid reason to and not allowing it to run doesn't change most of the web sites at all. Unfortunately Explorer is so stupid that after I tell it not to let the ActiveX control run, it tells me that the web page may not display properly, EACH AND EVERY TIME!
I also installed a little program called Cookie Wall, which will accept, delete or ask you what to do for every new cookie that pops up on your system. If you tell it to always delete a cookie, it will delete it whenever a copy ends up on your system. So far I have 559 cookies in my delete list and 6,719 automatic kills. It seems that virtually every site tries to send you at least one cookie and some will send you 3-5! Cookie Wall comes from AnalogX (http://www.analogx.com).
I also use a tiny little popup blocker called PopDown. Unlike popup blockers that keep lists of what windows to allow, PopDown blocks *ALL* popup windows unless you either disable it, or you hold down the Ctrl key when clicking a link that would normally open a popup window (like a help window). The only downside is that it occasionally seems to get disabled for no apparent reason and then it won't work again until you reboot.
I also occasionally run a program called HijackThis.
It's primarily for more advanced p.c. users and here's why...
Here's the publisher's description:
"A general homepage hijackers detector and remover. HijackThis examines certain key areas of the Registry and Hard Drive and lists their contents. These are areas which are used by both legitimate programmers and hijackers. It is continually updated to detect and remove new hijacks.
Note: HijackThis does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything."
The trick is that you have to know what you're looking for in that list that may be spyware or a browser hijacker.
HijackThis DOES NOT tell you what's what...you must look on that list and determine on your own what needs to be removed and what doesn't.
If you don't know what you're looking for and accidentally delete the wrong file...Whoops! It's gone for good and you could end up messing up your p.c. pretty badly so be careful using it!
As far as I can tell it does not have a restore feature like Spybot S&D does so if you erase the wrong file...you ain't getting it back.
Other than that, it's a pretty decent program and has helped me to get rid of 2 very troublesome browser hijackers that kept re-installing themselves on my p.c. after I thought I had disposed of them.
It's worth a try for advanced p.c. users only.
Here is the link to the main page:
http://www.spywareinfo.com/~merijn/index.html
And here is the link to directly download the zip file for it:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Like I stated before, BE CAREFUL using this!
If you know what you're doing then you should have no problems.
Post Edited (03-26-04 19:07)
Download your free copy of Mozilla Firebird and Mozilla Thunderbird and dump Internet Explorer and Outlook/OE completely. You'll be glad you did.
www.mozilla.org
The spyware writers have gotten into the social engineering game, tailoring their products to look like something you want to have. Specifically:
There was a recent (last month??) article I read about a pretty big list of anti-spyware programs that actually install spyware or other trojans on your computer. I am not saying the one you mentioned is on this list, but it *IS* something to keep in mind.
So far as I know, the *ONLY* two spyware scanner/remover (and this does not include the software Ash mentions, since it is a preventer) programs that are known legitimate are Adaware and Spybot. Most admins 'in the know' recommend using both, as each will miss some that others catch. Any others are best viewed with some skepticism.
JohnL wrote:
>Of course it's a little bit of a pain because EVERY
> SINGLE COMMERCIAL WEB SITE ON THE PLANET uses ActiveX, even
> when there is no valid reason to and not allowing it to run
> doesn't change most of the web sites at all.
IMO, this is a serious problem with the mindset of too many web developers. They *KNOW* that two big vectors for malware communication are active scripting and ActiveX on web sites...yet they still use them. It is nonsense. Before I switched to Mozilla FB, I ran IE with all active scripting, ActiveX, java and cookies turned off, except for certain "Trusted Sites." This is easy to do in IE, but it should not even be necessary. All this ActiveX stuff, again imo, just makes a web site annoying when it works properly and gets a site 'closed immediately' when it doesn't.
The web is a giant client/server network, which means 'the work' should be done on the servers. ActiveX, VBScript and JavaScript all put processing responsibility on the client. While useful for *some* things, and necessary for a few things that are in fact handy, this 'privilege' of running code on the client (user's) computer is very, very abused. Not using these technologies should be the norm, which unfortunately is not the current state of the web.
> Unfortunately
> Explorer is so stupid that after I tell it not to let the
> ActiveX control run, it tells me that the web page may not
> display properly, EACH AND EVERY TIME!
IE is not W3C compliant, meaning you can have a site that meets the internationally recognized standards for web content, and IE may not know what to do with it. All this garbage about 'This site designed for IE' means nothing; it would be better if developers designed for the standard, not some stupid browser that changes A LOT even for minor revisions.
Again, Mozilla is W3C compliant; if a site does not render properly with Moz, it is an improperly designed site (if you take W3C to be the 'standard' all sites should follow).
>
> I also installed a little program called Cookie Wall, which
> will accept, delete or ask you what to do for every new cookie
> that pops up on your system. If you tell it to always delete a
> cookie, it will delete it whenever a copy ends up on your
> system. So far I have 559 cookies in my delete list and 6,719
> automatic kills. It seems that virtually every site tries to
> send you at least one cookie and some will send you 3-5! Cookie
> Wall comes from AnalogX (http://www.analogx.com).
>
I think IE can do this...I had my IE set up to accept cookies from 'trusted sites' and reject from all others. You can even customize it further to allow only session cookies or permanent cookies.
Moz can do it as well.
Maybe the program you have is just easier to use (I admit I am not familiar with it) than using the built in IE feature.
> I also use a tiny little popup blocker called PopDown. Unlike
> popup blockers that keep lists of what windows to allow,
> PopDown blocks *ALL* popup windows unless you either disable
> it, or you hold down the Ctrl key when clicking a link that
> would normally open a popup window (like a help window). The
> only downside is that it occasionally seems to get disabled for
> no apparent reason and then it won't work again until you
> reboot.
I haven't seen a popup in so long, I forget they still annoy many people. Again, disabling active scripting or java altogether for 'untrusted sites' fixed that little problem for me. Since switching to Mozilla, I still don't see popups.
Sorry for the soapbox and diatribe...just more $0.02 for the kitty.
>The web is a giant client/server network, which means 'the work' should be done
>on the servers. ActiveX, VBScript and JavaScript all put processing
>responsibility on the client. While useful for *some* things, and necessary for a
>few things that are in fact handy, this 'privilege' of running code on the client
>(user's) computer is very, very abused. Not using these technologies should be
>the norm, which unfortunately is not the current state of the web.
I agree. So far, out of all the sites that use ActiveX, I've only found a few that need it to function properly. Mostly it seems that it's required (whether it truly is or not) for streaming video, or at least calling the Real Player plugin to play the video.
>I think IE can do this...I had my IE set up to accept cookies from 'trusted sites'
>and reject from all others. You can even customize it further to allow only session
>cookies or permanent cookies.
>
>Moz can do it as well.
>
>Maybe the program you have is just easier to use (I admit I am not familiar with it)
>than using the built in IE feature.
I believe it is. IE will prompt you to accept a cookie, but it doesn't remember if you tell it to not accept the cookie, so it will ask you every time you visit that site and it sends you a new copy of the cookie. You can use the trusted/untrusted options to allow/disallow cookies from different sites, but that's a pain in the neck.
Each time a new cookie is detected, Cookie Wall pops up and asks if it should always delete the cookie, always allow it or allow it for that session only. Once set, you won't ever get asked about that cookie again. That's if you have it set to prompt, you can also have it automatically allow or delete all new cookies. It also maintains editable lists of allowed/disallowed cookies and you can easily delete cookies from either, in case you decide you want that cookie and want CW to re-prompt you for what action to take.
>I haven't seen a popup in so long, I forget they still annoy many people. Again,
>disabling active scripting or java altogether for 'untrusted sites' fixed that little
>problem for me.
I once tried turning ActiveX off completely because one site was using it on every single page. Explorer still popped up a warning that the page might not display properly every time the site tried to use ActiveX.
>Sorry for the soapbox and diatribe...just more $0.02 for the kitty.
No problem. I've got a ton of things about Explorer and Microsoft in general that really bug me. Why do I use it? Compatibility. Yeah, I know... :-/
Quit using IE, it is the spawn of the devil Bill. Go to mozilla.org and download Mozilla or Firefox. They both have pop up blocker built in (with an exception list where you can save site names that require pop ups to work correctly). You also get a less confusing options setup.
The neatest thing is the tabbed browsing, you can have several sites open in one window, each site gets its own tab. Check it out, it's open source, meaning it's free.
JohnL wrote:
>
> Each time a new cookie is detected, Cookie Wall pops up and
> asks if it should always delete the cookie, always allow it or
> allow it for that session only.
I think this is how Mozilla Firebird works, as well. Cookie Wall does sound like a good program, tho.
> No problem. I've got a ton of things about Explorer and
> Microsoft in general that really bug me. Why do I use it?
> Compatibility. Yeah, I know... :-/
I'm sorry...compatibility with what? I've been using Mozilla Firebird for a while now and I have only seen ONE web site that had some java script buttons that did not render properly. Moz is faster and TONS more secure. If there is some specific thing you need IE for, that's cool, but I must say, my break with IE was A Happy Day.
trek_geezer wrote:
Sorry trek_geezer, I posted my reply before reading yours! For the record, again, I LOVE Firebird since switching.
>
> The neatest thing is the tabbed browsing, you can have several
> sites open in one window, each site gets its own tab. Check
> it out, it's open source, meaning it's free.
>
I have found tabbed browsing not only neat and easy, but also EXTREMELY useful. There have been several times that this has saved my butt in regard to losing data. In IE (or Moz), I did not like having multiple sites open in separate windows as that really fills the task bar up...if you get 20 sites open at once, the desktop gets to be a mess. With tabs, it's all in one window, and MUCH MUCH faster to find what you need and switch between open sites.
Ulthar,
Fantastic to actually see someone else using Firebird!
ulthar wrote:
> There was a recent (last month??) article I read about a pretty
> big list of anti-spyware programs that actually install spyware
> or other trojans on your computer.
Reminds me of an anti-spam program I tested out, called Qurb. It's apparently recommended by a number of magazines, etc., but I found it to be a completely worthless program. It doesn't do anything except keep a list of familiar addresses, and put messages from unfamiliar senders into a folder. Problem is that you still have to sort through it for any legitimate messages from first-time senders, and mark them to be added to the list. It's no more convenient than going through the inbox, and actually sticks a folder full of spam in front of you every time it runs. Pain in the ass.
Worse still, I noticed the volume of spam increased markedly after it was installed. I can't prove it, but I think this thing probably didn't just compile a list of email addresses for my benefit. I wouldn't be surprised if every address I had on file is getting more spam.
I uninstalled Qurb after about a week, and was glad to see a comment window pop up asking why. I told them what a useless piece of crap it was, and accused them of selling spyware.
I've since upgraded to the new PC-cillin, which has a built-in spam filter. Works beautifully. It adds the word 'spam' to the subject line, and Outlook Express throws out anything with 'spam' in the subject line. Perfect.
Well, believe it or not, I have both Adaware and Spybot going on my computer (plus I even bought McAfee virus protection) and go through the Hijack This program on occasion. There are two scripts in particular (Look2Me and Newton Knows) that Spybot keeps detecting and (supposedly) eliminating, but they just come right back. Plus there's that ever popular WinHost32.exe (Winhost, actually sounds like a f**king legitimate file, doesn't it?) that just won't go away no matter how many times I hit the delete key.
To top it off, I think I might have accidentally deleted something important (that or one of the programs might have damaged it) as I occasionally get error messages from explorer.exe or my computer just freezes (well, the mouse still moves, but I can't do anything else) and I have to shut the damn thing off (which I'm told is not good for the hard drive.)
I'm about to the point where I'm thinking of buying a CD burner, burning my personal stuff and just del *.* the whole f**king hard drive and starting from scratch. (If I had the money I'd just get a completely new system, but, I'm not very wealthy at the moment.)
I guess it doesn't help I have Windows ME, the bastard stepchild of the Windows family...
Anyway, thanks for letting me rant, guys... :)
-grim
AndyC wrote:
> What exactly is the spyware doing?
Usually it's random popup ads.. sometimes it even replaces my homepage with this damn zestyfind. Once, I'd click on certain links and I'd get f**king zestyfind telling me the page was down! And I then reentered the page and, voila, it worked just fine! Then I get Winhost32 which occasionally brings up a window on my screen like some sort of ActiveX program or something. It stays there (even if I hit the showdesktop button) until I hit control alt delete and hit "end program" on the list.
Anyway, I do have Adaware and Spybot but some of them still persist, been looking into some more info and doing some regediting. I dunno.. some of these files just don't seem to want to leave.
> PC-cillin and Spybot. Haven't had a problem with viruses or
> spyware since.
Like I said, I have Spybot, but not PC-cillin. May have to check that one out..
Thanks for the tip!
Mike
trek_geezer wrote:
This will sound silly, but the only prob with Mozilla is I can't seem to get the yahoo games to work on it. Yeah, yeah, I know.. it's dumb, but I really like playing those games. (Course, for all I know those damn things have spyware on them too...)
(sighs)
> Quit using IE, it is the spawn of the devil Bill. Go to
> mozilla.org and download Mozilla or Firefox. They both have
> pop up blocker built in (with an exception list where you can
> save site names that require pop ups to work correctly) You
> also get a less confusing options setup.
Grimsnipe wrote:
> There are two
> scripts in particular (Look2Me and Newton Knows) that Spybot
> keeps detecting and (supposedly) eliminating, but they just
> come right back. Plus there's that ever popular WinHost32.exe
> (Winhost, actually sounds like a f**king legitimate file,
> doesn't it?) that just won't go away no matter how many times
> I hit the delete key.
(1) You might want to check your Startup folder for either the bad files or an installer of one or both of these files. You can delete the file, but when you reboot, the installer runs automatically and reinstalls it. Make sure your Windows Explorer is config'd to let you see hidden files.
(2) Check the Run and RunOnce keys in your registry. Entries in these keys will cause a program (such as an installer or the bad file itself) to run automatically upon system startup. If you don't know how to check this, send me an email.
(3) If they are just restarting after you delete them (ie, no reboot in between), you do have a problem. There's something hidden somewhere that is doing it. Maybe an OS install is the only 'easy' recovery.
>
> To top it off, I think I might have accidentally deleted
> something important (that or one of the programs might have
> damaged it) as I occasionally get error messages from
> explorer.exe or my computer just freezes
You MIGHT be able to repair WinME with repair media. Personally, I've never had much success with this with ANY version of Windows, certainly NOT WinME! Anyway, it's worth a thought.
As you say, the windows file(s) themselves may not be corrupt if you can reboot and things are okay until the trojan code runs again. If you can find the malware that is causing it and get rid of it, windows may be okay. It's worth hoping.
>
> I'm about to the point where I'm thinking of buying a CD
> burner, burning my personal stuff and just del *.* the whole
> f**king hard drive and starting from scratch. (If I had the
> money I'd just get a completely new system, but, I'm not very
> wealthy at the moment.)
If you are considering a complete OS reinstall, might I suggest Linux? I happen to have here burned and ready to be mailed Mepis Linux, an EXCELLENT Debian based distro. Mepis is rather easy to use, comes with a BUNCH of software, and you can have it for free (I'll pay for postage). Rid yourself of the Windows nightmare, forever!!
If you want to learn more about Mepis: www.mepis.org
I just put Mepis on my old ThinkPad, which is currently sharing with Win98...but '98 is coming off next chance I get to monkey with it.
You can run Mepis "Live" from the CD (if your computer can boot from CD) without installing anything, so you can try it out for a while before installing. Installation of MEPIS is far easier than ANY Windows Install I have done (I have done numerous Windows 95, 98, ME, 2000 and XP installs while doing some tech service work for a friend that owns a computer company).
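An added example (not from the thread or from any tool it mentions) of the Run/RunOnce check in step (2) of the reply above, which also reads the ActiveX "kill bit" that the SpywareBlaster description earlier in the thread refers to. It parses a registry export taken with regedit, lists every autostart command, and reports which ActiveX CLSIDs have the kill bit (`Compatibility Flags` 0x400) set; the sample export, value names, paths and CLSIDs are constructed for illustration.

```python
import re

# Constructed sample in the REGEDIT4 text format that regedit's export
# writes on Windows 9x/ME. All value names, paths and CLSIDs are made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleUpdater"="C:\\WINDOWS\\TEMP\\example_updater.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ExampleReinstall"="\"C:\\Program Files\\Example\\setup.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
AUTOSTART_SUFFIXES = (
    r'\microsoft\windows\currentversion\run',
    r'\microsoft\windows\currentversion\runonce',
)
KILLBIT_PARENT = r'\microsoft\internet explorer\activex compatibility' + '\\'
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control


def _unescape(s):
    # .reg files write a backslash as \\ and a double quote as \"
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} from exported .reg text.

    String values are unescaped, dword values become ints, anything else
    (hex data, whose continuation lines are skipped) is kept as raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = _unescape(m.group(1)), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                current[name] = _unescape(raw[1:-1])
            elif raw.lower().startswith('dword:'):
                current[name] = int(raw[6:], 16)
            else:
                current[name] = raw
    return keys


def autostart_entries(keys):
    """List (key_path, value_name, command) for every Run / RunOnce value."""
    return [(path, name, cmd)
            for path, values in keys.items()
            if path.lower().endswith(AUTOSTART_SUFFIXES)
            for name, cmd in values.items()]


def command_target(cmd):
    """Program part of an autostart command: the quoted path, else first token.

    An unquoted path containing spaces is ambiguous and is cut at the first
    space, so read the full command as well.
    """
    cmd = str(cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(' ', 1)[0]


def killbit_status(keys):
    """Map each CLSID under ActiveX Compatibility to True if its kill bit is set."""
    status = {}
    for path, values in keys.items():
        idx = path.lower().find(KILLBIT_PARENT)
        if idx == -1:
            continue
        clsid = path[idx + len(KILLBIT_PARENT):]
        flags = values.get('Compatibility Flags', 0)
        status[clsid] = isinstance(flags, int) and bool(flags & KILL_BIT)
    return status


def report(text):
    """Human-readable summary lines for one exported .reg file."""
    keys = parse_reg(text)
    lines = [f'AUTOSTART {path} [{name}] -> {command_target(cmd)}'
             for path, name, cmd in autostart_entries(keys)]
    lines += [f'ACTIVEX {clsid} kill bit {"SET" if on else "not set"}'
              for clsid, on in sorted(killbit_status(keys).items())]
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_REG)))
```

Each program name it prints is something to look up and to find on disk before deleting the registry value; an entry that reappears in a later export after removal points at an installer still running from somewhere else.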
Depending on your ISP, too, you might be able to get them to set up Spamassassin or similar tool on the SERVER, so you would never even see the spam.
For example, my ISP has spamassassin (sa) set up so individual users can activate it and configure it. sa scores email by a bunch of spam tests, and you can set the score you want to use as your threshold. You can also specify if you want them delivered to you with "SPAM" in the subject line or just deleted.
http://www.spamassassin.org
We also have sa on our mail server. Our email clients cannot set sa up themselves, but we will do it for them if they ask. We can do a variety of things with the mail (put it into a 'spam' folder for them, simply mark it, or delete it completely), but most just want it junked.
Since activating sa on my email account, I have gone from 100-200 spam messages a day to 5 or fewer. I have no way of knowing if any real messages are getting dropped due to my config, but I doubt it; I have a very conservative score setting, and it is still catching 95% of the junk.
The only difference with this is that it is all being done on the server...the mail never touches YOUR computer to be handled by third party software or OE, which is a big plus if it has spyware or worm or whatever attached. I cannot imagine any reputable ISP NOT willing to set this kind of thing up for you if you ask.
Couple the server side spam tool with what you are currently doing, and your spam problem will be history.
I use SpamPal. It works pretty well. Once in a while you get an error when you check for new messages, but since the last SpamPal upgrade I haven't had very many problems. If I just let Outlook Express get the mail on its own, it works perfectly.
Just yesterday (3-27-04) I started to get this random download box that pops up on my screen.
It says it's an HTM.HTM document from www.achtungachtung.net (or .com I forget)
It looks like a legitimate Windows download box.
It just randomly appears every now and then no matter what site I happen to be on...and yes, it has popped up here to me on this message board once or twice.
Fearing that it's some kind of virus or spyware I always click the small x at the top right corner.
It's popped up on my screen at least 10 times in the last day or so.
Have any of you had this happen and do you know anything about it?
Post Edited (03-28-04 02:02)
Skaboi wrote:
> As Trek_Geezer said, run both Adaware
> (http://www.lavasoftusa.com) and Spybot which you should be
> able to find at http://www.download.com. I'm pretty partial to
> SpyBot myself as it is extremely in depth. But Adaware will
> find things that Spybot misses.
I am partial to Spybot S&D myself....I have Ad-Aware on my p.c. but it is tame in comparison to Spybot.
Spybot S&D has an "advanced mode" that I use regularly.
Ad-aware, in my personal opinion, stinks.
It takes almost 15-20 minutes to run a deep scan!
Spybot can do the same and find more stuff in less than half the time.
Plus Spybot S&D offers WAY more features.....
Go with Spybot S&D.
Well I did a bit of searching and reading on this achtungachtung download box.
Very little information is available on it but from what I can tell, it appears to be a Trojan virus in disguise as a legitimate download so BEWARE!
If any of you come up with anything more on this please post it here.
It makes me worry if I actually DO have that trojan on my p.c. because that box still keeps popping up.
I ran both Spybot S&D and Ad-Aware and both came up with nothing.
I also ran HijackThis and found nothing unusual on the list it produced.
I shot off an e-mail to the admins at Spybot S&D to inform them of this but I believe that I'm not the only person to have done this.
Hopefully they're producing a countermeasure to this freakin' annoying pop-up box!
HELP!
ASHTHECAT wrote:
> Spybot can do the same and find more stuff in less than half
> the time.
> Plus Spybot S&D offers WAY more features.....
> Go with Spybot S&D.
Ash, it is well documented by people that do Win based sysadmin for a living that Spybot WILL miss things that Adaware catches. The two together are, in fact, the most powerful tool. I don't know anyone that recommends Adaware OVER spybot, but the two together.
It's funny, too, because I cleaned a computer recently of HUNDREDS of spyware programs that Spybot took WAY, WAY longer to scan than Adaware did. But, I did use both.
Ash, a few quick points.
(1) You said it looks like a normal Windows download box. That's because the program is using the Windows code to generate it. That's easy to do, and is quite common (even for legit programs). Just because it looks 'normal' in that sense, does not mean the program CALLING the download box is legit.
(2) If it is a true trojan, Adaware, et al, probably won't catch it. Here's where your antivirus software comes in, and you will need your definitions up to date. If you are running NAV or McAfee, you should be able to find it.
(3) If your antivirus software doesn't catch it with updated definitions, send THEM an email. If this is really new, or undocumented, you will probably do a LOT of people a BIG favor by reporting it.
(4) Which version of Windows are you running? If you are running 2000 or XP, you should be able to pull up all running processes on your computer in Task Manager. Go through the list one by one and verify that each is a legit process (if you are not familiar with the 'normal' windows processes, you can do a google search for the name of the process, like systray.exe for example, and you will be able to find info about legit ones). I *HAVE* heard of a virus running that managed to hide itself from the process list, but this is relatively rare. Once you know the actual name of the process (like xyz.exe), you may be able to find more information on it, or at least kill it. Also, once you have the name of the running file, you will have the information you need to find it (on disk and in registry) and clean your system.
Hope this helps, some. Good Luck.
I just thought of two more things to mention:
(1) Do you have a port scanner on your computer? If not, get one and scan your box for open ports. micronet utilities has a free one that works pretty good. If your box is backdoored, this may help you find it. Port scans can take a very, very long time, so set it up to run when you won't be using your computer for several hours.
(2) If the code doing what you describe is a true virus, it will not show up in the task manager as its own process. A virus attaches itself to another process and runs from there. If that's the case, a file-file compare between your files and known good ones will be the only way to catch it if your av software does not catch it. Most versions of Windows have a way to do this for important system files, but again, it will take a while.
Good Luck.
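Added example, not part of the original posts: the file-by-file compare against known-good copies suggested above, sketched in Python by hashing both trees and reporting differences. The directory names, function names and file contents are constructed for illustration; systray.exe and xyz.exe reuse the placeholder names from the thread.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's root-relative path (lower-cased, as Windows ignores case) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_known_good(known_good_root, suspect_root):
    """Return files that were modified, are missing, or are unexpected in the suspect tree."""
    good = build_manifest(known_good_root)
    seen = build_manifest(suspect_root)
    return {
        "modified": sorted(n for n in good if n in seen and good[n] != seen[n]),
        "missing": sorted(n for n in good if n not in seen),
        "unexpected": sorted(n for n in seen if n not in good),
    }


def demo():
    """Constructed sample: two small trees standing in for a clean copy and the live system."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "known_good"), Path(tmp, "live")
        for tree in (good, live):
            (tree / "system32").mkdir(parents=True)
            (tree / "system32" / "systray.exe").write_bytes(b"original systray bytes")
            (tree / "system32" / "notepad.exe").write_bytes(b"original notepad bytes")
        # Constructed differences: one file with bytes appended, one file absent from the clean copy.
        with open(live / "system32" / "notepad.exe", "ab") as handle:
            handle.write(b" + appended code")
        (live / "system32" / "xyz.exe").write_bytes(b"file not in the clean copy")
        return compare_to_known_good(good, live)


if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the known-good tree, so that copy should come from original install media or a machine known to be clean.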
I ran an online virus scan (because I have no virus prevention software on my p.c.) and here's what it came up with which seems to be the culprit.
I don't think it is a trojan at all but a newer type of spyware that neither Spybot S&D nor Ad-Aware can detect yet.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_RULEDOR.C
I found this ClrSrch crap in several different places on my p.c. and deleted it all.
The problem seems to be solved now.
Post Edited (03-28-04 19:09)
ASHTHECAT wrote:
> I found this ClrSrch crap in several different places on my
> p.c. and deleted it all.
> The problem seems to be solved now.
>
Good Deal. Glad to hear you got it fixed.
>I'm sorry...compatibility with what? I've been using Mozilla Firebird for a while
>now and I have only seen ONE web site that had some java script buttons that
>did not render properly. Moz is faster and TONS more secure. If there is some
Well, I looked at Mozilla/Firebird just the other day and they say that they don't handle ActiveX at all. Most of the time I don't let IE run ActiveX anyway, but on sites with any kind of streaming files in RM format, it seems to be required. At least if I deny it in Explorer, the player window just comes up with the graphic place-holder and the video never plays. Note that I don't actually view streaming files, I simply start them so that URL Snooper can grab the URL, then I download them with Net Transport.
To those of you having a problem with adware/spyware, or who just want some tips on making your system more secure, you might want to check out the discussion forums at Freedom List (http://www.freedomlist.com). It's primarily a site devoted to helping people find a cheap ISP, but the discussion boards (link in the top right of the front page) cover a variety of topics, and adware/spyware removal is a favorite of the regulars. In fact, some of the people behind AdAware read the forums and will help people diagnose and remove adware/spyware. Actually, sometimes I think they emphasize programs like AdAware a little too much as they're often recommended as the first step in diagnosing pretty much every problem. Also, in either the help or computer protection forums, there is a post at the top for freeware programs like antivirus and such.
JohnL wrote:
>
> Well, I looked at Mozilla/Firebird just the other day and they
> say that they don't handle ActiveX at all. Most of the time I
> don't let IE run ActiveX anyway, but on sites with any kind of
> streaming files in RM format, it seems to be required.
That's right, Moz is not ActiveX capable (for good reason). Real Media 8 did NOT recognize Mozilla, but RealOne does. Here's a Mozilla Plug-In faq with more details:
http://plugindoc.mozdev.org/faqs/firefox-windows.html
You could always do most of your general browsing with Mozilla, and if a site really did need IE, use IE for THAT site. That would be a far more secure approach than using IE for everything.
>Real Media 8 did NOT recognize Mozilla, but RealOne does.
I refuse to install RealOne.
>You could always do most of your general browsing with Mozilla, and if a site
>really did need IE, use IE for THAT site. That would be a far more secure
>approach than using IE for everything.
True.
JohnL wrote:
>
> I refuse to install RealOne.
>
Fair enough. As I read a bit more in that faq page (after I posted, sorry), I did see that RealPlayer 10 beta is supposed to be compatible with Firebird. If you want to use beta software (some folks have a problem with that..being into Open Source, I personally don't mind using beta software).
Good luck, in any case.
Sorry if I'm saying something that has already been said, but I got halfway through the posts before feeling the need to post my own ideas here!
Whatever you do, DO NOT attempt to download any spyware killer programs from Kazaa like a friend of mine did. He told me that every time he did so (he tried 3 times), his virus killer intercepted and stopped each download, reporting that the program had 2 or three viruses (1 worm and one trojan horse) in each, at least. Also, the spykiller programs were originally acceptable programs that had been doctored then put out for download by possible virus spreaders.
Keep on your toes...
>I did see that RealPlayer 10 beta is supposed to be compatible with Firebird. If
If I'm not mistaken, Real Player 10 is basically the same as RealOne, just renamed.
I know that Real Player 8 isn't exactly perfect, but I've seen several people say that RealOne is a huge piece of spyware that tries to connect to the Real servers at every opportunity, even when you just load the program.
>you want to use beta software (some folks have a problem with that..being into
>Open Source, I personally don't mind using beta software).
I don't mind beta software as long as it's stable and does what it's supposed to. For example, I've tried about 10 different versions of ffdshow, which is supposed to play DivX and a bunch of other formats, and I never found a version that worked properly. Some just crashed, some crashed my system, some didn't play the formats they were supposed to, etc.
I have a one word answer.
Proxomitron