Re: Getting rid of residual adware/spyware elements

From: Jeff Conrad (jeffc_at_ernstbrothers.com)
Date: 02/11/04

• Next message: David H. Lipman: "Re: Question on MSC0NFIG.BAT"
• Previous message: Jupiter Jones [MVP]: "Re: patch email"
• In reply to: Mike Burgess: "Re: Getting rid of residual adware/spyware elements"
• Next in thread: Mike Burgess: "Re: Getting rid of residual adware/spyware elements"
• Reply: Mike Burgess: "Re: Getting rid of residual adware/spyware elements"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 10 Feb 2004 19:18:34 -0800

Hi Mike!

YES, these things can be stubborn!!
Your reg file worked perfectly!!
No more things show up in Spybot scan at all now! Yee-Haa!
Please see my latest post in the forum for all the latest information and
log files.
Do you happen to see anything wrong now?

THANK YOU for your help!
Jeff

"Mike Burgess" <winhelp2002@spamthis.com> wrote in message
news:#YDbERC8DHA.3648@TK2MSFTNGP11.phx.gbl...
> Jeff,
> These things can be stubborn ... huh?
> http://forums.spywareinfo.com/index.php?showtopic=31596&hl
>
> Looks like you're in good hands at SWI .......
> --
> Yes I would delete the existing files re: "Troj_Iefeats.A"
> I'm surprised that SpyBot didn't clean things up a bit better?
> Is SpyBot's definitions up to date?
> --
> If you're still having trouble with: (see attached)
> {DDFFA75A-E81D-4454-89FC-B9FD0631E726}
>
> Add the following Registry entry to prevent that CLSID from registering
> again:
>
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
> "Compatibility Flags"=dword:00000400
>
> ____________________________________________________________
> Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
> Please post replies to this Newsgroup, email address is invalid
> --
>
> "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> news:e%23MlEYA8DHA.488@TK2MSFTNGP12.phx.gbl...
> > Hi Mike,
> >
> > Making progress now I think.
> > Thanks for the links and looking at the log file.
> > I have some time to work on their machine today.
> >
> > I did as you and the other person in the spyware forum requested.
> > The NewtonKnows thing now seems to have gone away.
> > The ONLY thing Spybot detects is the Class ID for Look2Me:
> >
> > HKEY_Classes_Root\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
> >
> > This key also remains, but is not detected by Spybot:
> >
> >
>
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellExtensions
> > {same number}
> >
> > If I delete them they still come back.
> >
> > I printed out the link on Troj_Iefeats.A you provided.
> > I verified that the following elements are still present:
> >
> > Dict.Dat
> > Keywords.Dat
> > Msiesh.dll (2 of these)
> > Submit2.exe
> >
> > Uninstall.exe
> > Uninstall.ini
> >
> > These files are located in the directories specified in the article.
> > There is no Submithook.dll
> >
> > I did not check all the registry entries.
> > What should I do at this point?
> > Do I manually go delete all the registry entries listed in the article?
> > Do I run the uninstall.exe in that folder?
> > Will they return after a reboot?
> >
> > I also replaced their Hosts file with mine so that's taken care of.
> >
> > There is one other thing I'm wondering about.
> > There is a file called:
> > Update_Hosts.dll in the Windows\System directory
> > Is this something good or bad?
> > I do not have this file on my 98 machine.
> > It is 49K with a date of 11/12/2003 8:49 AM.
> > Going to the version tab says:
> > File Version 5,0,0,2
> > Company Name: iGetNet, LLC.
> >
> > Seems rather odd to me.
> >
> > I will post an updated HijackLog in the forum if you would like to take
a
> > look.
> >
> > Thanks again for your help, you're most generous.
> > Jeff
> <snip>
>
>
>

---

• Next message: David H. Lipman: "Re: Question on MSC0NFIG.BAT"
• Previous message: Jupiter Jones [MVP]: "Re: patch email"
• In reply to: Mike Burgess: "Re: Getting rid of residual adware/spyware elements"
• Next in thread: Mike Burgess: "Re: Getting rid of residual adware/spyware elements"
• Reply: Mike Burgess: "Re: Getting rid of residual adware/spyware elements"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Getting rid of residual adware/spyware elements ... I'm surprised that SpyBot didn't clean things up a bit better? ... Please post replies to this Newsgroup, ... "Jeff Conrad" wrote in message ... > Do I manually go delete all the registry entries listed in the article? ... (microsoft.public.security.virus) Re: Getting rid of residual adware/spyware elements ... I did as you and the other person in the spyware forum requested. ... Do I manually go delete all the registry entries listed in the article? ... I also replaced their Hosts file with mine so that's taken care of. ... (microsoft.public.security.virus) Re: OT: Computer Problem ... I seem to have picked up a nasty spyware-redirect thing on my ... and delete all the odd *.exe files. ... This is an area in which a registry program like Spybot works well. ... It looks for, reports on, and deletes registry entries. ... (misc.fitness.weights) Re: Spybot DSO Exploit ... >Once you've done all the registry entries showing in SPYBot's DSO ... A much easier way to avoid SpyBot S&D constantly showing the DSO ... Exploit, which does not require Registry entries, is outlined below: ... (microsoft.public.windowsxp.basics) Re: OT: Computer Problem ... I seem to have picked up a nasty spyware-redirect thing on my ... and delete all the odd *.exe files. ... This is an area in which a registry program like Spybot works well. ... It looks for, reports on, and deletes registry entries. ... (misc.fitness.weights)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)