Joho the Blog
April 12, 2004
Ah, what a perfect morning. Crispy matzoh for breakfast, a cup of delicious coffee, and then a couple of hours trying to clean my PC of adware and spyware, some of it fiendishly clever and as tough to pry out as a hermit crab that's grown into its shell. Adaware works pretty well - extremely well since it's free - but there are some objects that it can't delete because they are in use. And neither can I, even doing a safe mode start-up. Die 3avxfmcodec.cpy.dll, die! Some of the little wankers get loaded via my Hosts file, and then reload themselves after I manually delete them. WinPatrol - also free - has been doing a good job of monitoring the various soft startup bellies of XP, notifying me when a program is trying to add itself to auto-start, hijacking my home page or is just hanging around the schoolyard asking kids leading questions. Their persistence is almost admirable. Get a Mac? And miss the thrill of editing the Registry? Not on your life!
Thanks to Jason Lefkowitz's comment, I got a copy of SpyBot. It's good, but not good enough to get rid of two of the vermin on my system: Something continued to overwrite my HOSTS file, putting in redirects, and something was causing IE to spin up an unwanted page. Even running it while in Safe mode didn't work. I'm crossing my fingers that I've got it licked. I saved a fixed version of the HOSTS file and locked it against alteration, and I hand edited the Registry, especially some of the funky entries in HKey_USERS/S-1-5-21...etc/Software/Microsoft/Internet Explorer. (The middle set of numerals is too long to write out.) Check entries like SearchUrl and Toolbar. And good luck to you.
PS: Remember to set a savepoint and to save your Registry before mucking about with it.
Posted by D. Weinberger at April 12, 2004 09:38 AM
TrackBack
Listed below are links to weblogs that reference Damn you, Spyware!:
» Spywear from AKMA’s Random Thoughts Tracked on April 12, 2004 10:19 AM
» people put up with this? from Teal Sunglasses Tracked on April 13, 2004 01:38 AM
» Spy Sweeper Review from Adware Report Tracked on September 7, 2004 10:46 PM
» Damn You, Spyware! from aka W. 'Ian' Blanton Tracked on October 1, 2005 10:22 AM
Comments
I've found Spybot Search and Destroy to be the cream of the crop of spyware removal tools:
http://www.safer-networking.org/
It's free, and offers way too many tools for spyware killing than I can recount here. Spybot passed the free version of AdAware in power a while back and hasn't given up the crown since... you should check it out if you're running into issues AdAware can't resolve.
Posted by: Jason Lefkowitz | April 12, 2004 09:47 AM
I've found just not using IE and Outlook to be a great help in avoiding viri and spyware. My windows boxes are very clean, and I don't do anything special other than not use IE and Outlook. I run AdAware every once in a while as a sanity check - but it never finds anything to be concerned about.
Posted by: Chris O'Donnell | April 12, 2004 10:22 AM
A tool I've found useful is dellater http://www.diamondcs.com.au/index.php?page=dellater that pretty much deletes anything you tell it to. It doesn't get deleted until a reboot is done, but it's pretty much guaranteed to get rid of it.
My worst experience was some malware that kept three copies of itself running. Kill one, and one of the other two would copy itself and start another instance. Luckily, safe mode allowed me to get rid of all 3, and then I found this little pearl, which I would have used on all running ones at once, then rebooted, then cleaned up the startup.
Posted by: Bryan Price | April 12, 2004 12:57 PM
Before you get a Mac, read what hell Zeldman went through while you were having fun with XP.
It begins like this:
In hindsight, Good Friday may not have been the most propitious day to upgrade my operating system.
My journey into Panther killed my Titanium Powerbook in stages. First came software failure: Apple applications such as Safari quit on launch; the machine could not find the network. Then came kernel panics.
http://www.zeldman.com/daily/0404d.shtml
Posted by: Hanan Cohen | April 12, 2004 04:55 PM
DL and run Hijack This
If Hijack This closes without you actively closing it, read his note under the first entry about how to fix that.
Once Hijack This finishes the scan, save the full log. Paste the entire, unedited log contents to one of the forums listed on his Help Forums page (left nav box). I've linked a few below.
When you're posting, look for the right forum (for Hijack This logs, or something similar), then start a new thread in it so logs (and help instructions) won't be confused.
Spyware Info
Computer Cops
I think SpywareInfo (his host) and ComputerCops are both very helpful with Hijack This logs. I'd guess it will be less than a day before a helper comes along (depending on the time of day you post it).
Here's a 'tutorial' that explains what all the codes mean (so after you're more comfortable with Hijack This, you'll know which things are supposed to be running, and put them into the ignore list [after checking with the code meanings]).
I agree with Chris O'Donnell too. Also consider checking out Spyware Blaster, and Spyware Guard. They're both highly recommended, and are freeware/donationware.
I think Blaster might charge for automated updates, not manual. It's installed on hubby's pc since he insists on surfing with IE/AOL. I can't check his pc now since he's playing with his music 8^)
Good luck
Posted by: Sherri | April 12, 2004 05:23 PM
I'd run across HijackThis when googling around. I just ran it and it found some reg entries I'd missed (or that - scarily - recreated themselves after I thought I'd purged my system, so to speak).
I'm wondering if Infacta Group Mail is in fact an infecter. It's a very slick tool for mailing out a newsletter. Too good for free? I haven't encountered anything except praise for it, though.
Posted by: David Weinberger | April 12, 2004 06:45 PM
I did a few searches on Google (combining Infacta with spyware, etc.), then on Spyware Info's Spywatch Forum. I'm thinking I would have seen something if it contained spyware, usually if a program that's been around a while has spyware, it's easy to find in searches. Most of what I saw were very good recommendations.
When I became hijacked with xxxtoolbar, I saw it happening and turned off my internet connection. I booted to DOS and emptied my temp and TIF and it still got me even though the first thing I did when windows booted was to run AVG (clean), SSD (clean), AdAw (clean). That's how I found Hijack This, it's the only thing that removed it completely (after I spent an hour in the registry).
I switched to Firebird that same day (I'd already been using Eudora). I like WinPatrol too (doggie's so cute).
Posted by: Sherri | April 12, 2004 09:11 PM
Spyware continues to hound me..I have Ad-aware 6.0, Webroots Spysweeper & Spybot Search and destroy and i keep on getting more and more..
Posted by: Liam | April 25, 2004 03:57 PM
so if hijackthis keeps closing itself after 20 odd seconds, what do i need to do to fix it? btw the same happens for regedit.
Posted by: jambo | May 30, 2004 08:04 AM
I've been flamed before for saying this, but Spybot S&D and AdAware don't work all that well. While they are definitely reputable companies, there are much better products out there. I recommend Aluria's Spyware Eliminator and Webroot's Spy Sweeper (that is, for the people who have better things to do than tinker with registry settings and obscure utilities). Sadly, most of the tools on the market are scams and marketing ploys designed more to separate fools from their money than to remove spyware.
You can read about my tests of both tools along with eight others at http://www.adwarereport.com/mt/archives/000004.html.
Posted by: Rich | July 12, 2004 04:05 PM
Help! Seems like Hijackthis is losing its usefulness as i'm unable to keep it open. Every time i open the program, it closes within 3 seconds. Can anyone help with this problem?
Posted by: Nekosan | July 13, 2004 11:25 AM
Disgusting Spyware Methods! Disgusting Anti-spyware methods!
DiamondCS is a reputable software firm that developed one of the best Anti-trojan applications I have seen, TDS-3. Unfortunately, DCS employs a hardcode technique that redirects the user to its site with numeric IP 64.91.255.87 upon pressing the F5 function key. Of course there is nothing wrong with this process. This fact could have remained unnoticed had it not been for a spate of really nasty IGN/CWS infections that showed the DCS redirects along with the nasties in hijacked Host files and shown below:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
A quick google search of "O1 - Hosts: 64.91.255.87 www.dcsresearch.com" will provide at least 1,500 links (Yup! that many!). It should be noted that an HJT O1 entry will only appear if a Hostfile hijack is involved. Redirecting to the local host will not appear in the HJT log. When asked about this, representatives of DCS at Wilders Security Forum replied that this is perfectly normal since it simply redirects from an alleged "bad site" to the legitimate DCS IP.
If such were the intention, a simple redirect to the local host would have sufficed as this blocking technique is acceptable. However, redirecting to a preferred website is in any language, a hijack. This type of redirect is the method used by hijackers with the same objectives: redirecting to the chosen website. DCS cannot claim that since they are reputable, a redirect to their site is acceptable. No one has nor can give them that status. A hijack is a hijack is a hijack.... The method is absolutely wrong!
Now comes an interesting scenario.
Quote:
"It’s becoming such a sizeable problem in the US that the Government voted unanimously in Spring 2004 to approve the first-ever anti-spyware bill. The Securely Protect Yourself Against Cyber Trespass (Spy Act), approved by the US House of Representatives, would levy fines up to $3 million for those who illegally collect personal information, change a browser's default home page or bookmarks, log keystrokes, or steal identities "
Quoted from http://www.net-security.org/article.php?id=746
Do you realize that if I invested in TDS3, bookmarked www.dcsresearch.com or set my homepage to www.dcsresearch.com, the chances are I will be redirected to DiamondCS? This can be documented and I can then sue DCS for illegally redirecting my browser, right? And all because DiamondCS has chosen to adopt a Trojan method instead of a Hostfile block or Help update? Think about it.
Too, what are the chances of a crazy picking up this post and doing exactly the above? This is a possibility they brought upon themselves for insisting that what they were doing was simply protecting their interests. They chose the expedient/easier route now they are susceptible to para-legal issues.... Sooner or later, this will happen....
Your thoughts?
Posted by: True Orient | December 8, 2004 12:51 AM
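The distinction the comment above draws between a hosts-file block (pointing a name at the local host) and a hosts-file redirect (pointing it at some other address), as an added example that is not part of the original thread. It assumes, following the comment's description, that only non-local mappings are reported in the "O1 - Hosts:" style; `audit_hosts`, `is_local` and `o1_lines` are hypothetical names, and the sample file is constructed.

```python
import ipaddress

# Constructed sample hosts file. The two non-loopback addresses are the ones
# quoted in the log lines above; every other line is made up for the example.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
127.0.0.1      ads.example.test        # blocked by pointing at loopback
0.0.0.0        tracker.example.test
69.20.16.183   auto.search.msn.com search.netscape.com
69.20.16.183   ieautosearch
64.91.255.87   www.dcsresearch.com
not-an-ip      broken.example.test
"""

def is_local(addr):
    """Loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::): a block."""
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text):
    """Sort every hosts-file mapping into local, redirect or malformed."""
    report = {"local": [], "redirects": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, line))
            continue
        if len(fields) < 2:                      # address with no hostname
            report["malformed"].append((lineno, line))
            continue
        bucket = "local" if is_local(addr) else "redirects"
        for name in fields[1:]:                  # one line may carry aliases
            report[bucket].append((lineno, str(addr), name.lower()))
    return report

def o1_lines(report):
    """Render redirects in the 'O1 - Hosts:' style quoted in the comment."""
    return [f"O1 - Hosts: {ip} {name}" for _, ip, name in report["redirects"]]

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("\n".join(o1_lines(result)))
    print("malformed:", result["malformed"])
```

Running the same function over a known-good copy of the file and over the live one makes an overwritten HOSTS file show up as a change in the `redirects` list.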
I'm tired of spyware. I hope that major companies like yahoo with its antispy soft and Microsoft which recently bought antispyware application will win this spyware war.
If you are infected with spyware use Free programs like adaware and spybot to protect and clean the system. If they don't help and still see weird process or file in the system, you can check on it in http://www.2-spyware.com and remove manually.
Posted by: spyware removal | January 5, 2005 09:58 AM
computer security protections can be increased by installing one of the free anti-spyware programs. i'm using spybot - still have no problems :) try
Posted by: remove spyware | September 5, 2005 07:32 AM
Win Hound was downloaded to me also BUT. I also found a program on my computer Wild Tangent and had to remove that. That is the program that has the spyware in it. Once I also deleted that i have no further problems. YEAH....
Posted by: Brenda | January 2, 2006 04:05 PM
you suggest the free antispyware, really thanks!
i have suffered spyware, i just download ZoneProtect AntiSpyware at
http://www.shareware123.com/utility/antivirus/zoneprotect_antispyware_42653.htm
to solve the problem, seems ok!
Posted by: karl | August 31, 2006 03:46 AM
these motherfucker need to be infected strong
cause these wont give me a job
Posted by: ñijhfjshdjkh | March 19, 2007 03:17 PM
There's loads of spyware removal software available on the shareware sites. There's also some pretty good freeware tools as well Spybot S&D etc.. Try this site:
The web is full of available spyware removal software some of which comes packed with adware removal as well. Just try the major freeware sites to download and try them e.g.
http://www.accelerated-ideas.com/SoftwareDirectory/aiFreeSoftwareSearch.aspx?stxt=spyware
Posted by: Stuart | March 27, 2007 07:20 PM