Re: Getting rid of residual adware/spyware elements

From: Jeff Conrad (jeffc_at_ernstbrothers.com)
Date: 02/11/04


Date: Wed, 11 Feb 2004 10:15:32 -0800

Hi Mike!

I killed the other files as directed.

I'm in the process right now of scanning with Ad-Aware.

On updating the browser, I have a quick question.
Please remember this is NOT my computer!!
This computer is one of three that belongs to another business that shares
office space with us.
They are in the real estate business.
Most of their listings and postings are done through the web.
I REALLY don't want to screw up their browser for obvious reasons!
I have seen posts in IE newsgroups from people that say they would not run
6.0 or 6.0 SP1 on Win 98.
I'm totally serious.
So I've been hesitant about updating their browser.
You're the expert: Will 6.0 SP1 work 'OK' on 98??

I can install in a heartbeat, I already have the files on the server, I just
want to be sure.
I also need to do a quick check with their real estate software for
compatibility.
I'm pretty sure there won't be a problem, but it doesn't hurt to check!
I will need to get their OK before installing.
If I tell them an MVP said INSTALL IT I'm sure they'll be fine with it.

So, what do you think? Green Light?

Thanks,
Jeff

"Mike Burgess" <winhelp2002@spamthis.com> wrote in message
news:#sVu6KM8DHA.1632@TK2MSFTNGP12.phx.gbl...
> Jeff,
> > Do you happen to see anything wrong now?
> Nope .... looks good, just follow the last set of instructions.
> Then update your browser!!
> --
> > Your reg file worked perfectly!!
> FYI: there is a small program "SpywareBlaster" that does the
> same type thing as that reg file. I would recommend installing
> that, to help prevent this type infection in the future.
> http://www.wilderssecurity.net/spywareblaster.html
> ____________________________________________________________
> Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
> Please post replies to this Newsgroup, email address is invalid
> --
>
> "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> news:uVcwE3E8DHA.2752@TK2MSFTNGP09.phx.gbl...
> > Hi Mike!
> >
> > YES, these things can be stubborn!!
> > Your reg file worked perfectly!!
> > No more things show up in Spybot scan at all now! Yee-Haa!
> > Please see my latest post in the forum for all the latest information and
> > log files.
> > Do you happen to see anything wrong now?
> >
> > THANK YOU for your help!
> > Jeff
> >
> > "Mike Burgess" <winhelp2002@spamthis.com> wrote in message
> > news:#YDbERC8DHA.3648@TK2MSFTNGP11.phx.gbl...
> > > Jeff,
> > > These things can be stubborn ... huh?
> > > http://forums.spywareinfo.com/index.php?showtopic=31596&hl
> > >
> > > Looks like you're in good hands at SWI .......
> > > --
> > > Yes I would delete the existing files re: "Troj_Iefeats.A"
> > > I'm surprised that SpyBot didn't clean things up a bit better?
> > > Are SpyBot's definitions up to date?
> > > --
> > > If you're still having trouble with: (see attached)
> > > {DDFFA75A-E81D-4454-89FC-B9FD0631E726}
> > >
> > > Add the following Registry entry to prevent that CLSID from registering
> > > again:
> > >
> > > REGEDIT4
> > >
> > > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
> > > "Compatibility Flags"=dword:00000400
> > >
> > > ____________________________________________________________
> > > Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> > > Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> > > http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
> > > Please post replies to this Newsgroup, email address is invalid
> > > --
> > >
> > > "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> > > news:e%23MlEYA8DHA.488@TK2MSFTNGP12.phx.gbl...
> > > > Hi Mike,
> > > >
> > > > Making progress now I think.
> > > > Thanks for the links and looking at the log file.
> > > > I have some time to work on their machine today.
> > > >
> > > > I did as you and the other person in the spyware forum requested.
> > > > The NewtonKnows thing now seems to have gone away.
> > > > The ONLY thing Spybot detects is the Class ID for Look2Me:
> > > >
> > > > HKEY_Classes_Root\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}
> > > >
> > > > This key also remains, but is not detected by Spybot:
> > > >
> > > > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellExtensions
> > > > {same number}
> > > >
> > > > If I delete them they still come back.
> > > >
> > > > I printed out the link on Troj_Iefeats.A you provided.
> > > > I verified that the following elements are still present:
> > > >
> > > > Dict.Dat
> > > > Keywords.Dat
> > > > Msiesh.dll (2 of these)
> > > > Submit2.exe
> > > >
> > > > Uninstall.exe
> > > > Uninstall.ini
> > > >
> > > > These files are located in the directories specified in the article.
> > > > There is no Submithook.dll
> > > >
> > > > I did not check all the registry entries.
> > > > What should I do at this point?
> > > > Do I manually go delete all the registry entries listed in the article?
> > > > Do I run the uninstall.exe in that folder?
> > > > Will they return after a reboot?
> > > >
> > > > I also replaced their Hosts file with mine so that's taken care of.
> > > >
> > > > There is one other thing I'm wondering about.
> > > > There is a file called:
> > > > Update_Hosts.dll in the Windows\System directory
> > > > Is this something good or bad?
> > > > I do not have this file on my 98 machine.
> > > > It is 49K with a date of 11/12/2003 8:49 AM.
> > > > Going to the version tab says:
> > > > File Version 5,0,0,2
> > > > Company Name: iGetNet, LLC.
> > > >
> > > > Seems rather odd to me.
> > > >
> > > > I will post an updated HijackLog in the forum if you would like to take a
> > > > look.
> > > >
> > > > Thanks again for your help, you're most generous.
> > > > Jeff
> > > <snip>
> > >
> > >
> > >
> >
> >
>
>
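
Added example, not part of the original thread or written by its participants: a check that an exported .reg file really carries the "Compatibility Flags"=dword:00000400 entry from the reg file quoted above for a given CLSID. The sample export, the second CLSID and the function names are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" value from the reg file in the thread
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
VALUE_RE = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{8})', re.I)

# Constructed sample export. The first CLSID is the one quoted in the thread;
# the second CLSID and its flag value are made-up placeholders.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000020
"""


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for each ActiveX Compatibility subkey in a .reg export."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Any key header ends the previous key. A header wrapped across two
            # lines (as mail clients do) has no closing bracket and is skipped,
            # so its values are never credited to another key.
            current = None
            if line.endswith("]"):
                prefix, _, leaf = line[1:-1].rpartition("\\")
                if prefix.lower() == COMPAT_KEY.lower() and CLSID_RE.fullmatch(leaf):
                    current = leaf.upper()
                    flags.setdefault(current, 0)
        elif current:
            match = VALUE_RE.fullmatch(line)
            if match:
                flags[current] = int(match.group(1), 16)
    return flags


def kill_bit_set(flags, clsid):
    """True if the CLSID has the 0x400 flag set in the parsed export."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    for clsid, value in parse_compat_flags(SAMPLE_EXPORT).items():
        print(clsid, hex(value), "0x400 set" if value & KILL_BIT else "0x400 not set")
```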


