Re: adware/spyware

From: Jim Byrd (jrbyrd_at_spamlessadelphia.net)
Date: 06/26/04


Date: Fri, 25 Jun 2004 16:17:05 -0700

Hi VS - See this thread:
http://forums.spywareinfo.com/index.php?showtopic=7447

-- 
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
 In news:F5001AB3-51F0-4A41-A1FB-A3E90E77D0B2@microsoft.com,
VS <VS@discussions.microsoft.com> typed:
> I have tried many different things to correct the home page in IE changing back
> to res://drswi.dll/index.html#96676.  I have run Norton in safe mode, turned off
> system restore, deleted items in the registry and run Spysweeper, Adware 6 and
> Spyblaster.  All of them keep finding files to delete, but my home page keeps
> switching from MSN to the above descriptions and has pop-ups.  Does anyone have a
> solution for how to get rid of this?  VS
>
> "Bruce Chambers" wrote:
>
>> Greetings --
>>
>>     The DSO exploit was patched long ago by IE Cumulative Update
>> MS02-015, in March of 2002.  If you've installed this specific patch,
>> or any subsequent IE Cumulative Updates, or Service Pack 1, you're
>> safe.  It would appear that the latest version of Spybot S&D is only
>> checking for Internet zone settings in the registry that could be used
>> as work-around protection, and not for the presence of any corrective
>> patches.  Hopefully, the makers of Spybot will soon fix this bug.
>>
>>  MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182
>>
>>     If you like, you can test your system for this particular
>> vulnerability at this web site:
>> http://www.greymagic.com/security/advisories/gm001-ie/
>>
>>     The makers of SpyBot S&D have acknowledged the problem and will
>> fix it on their next update:
>>
>> http://www.safer-networking.org/index.php?page=paragraphs&detail=currentfaqs
>>
>>
>> Bruce Chambers
>> --
>> Help us help you:
>> http://dts-l.org/goodpost.htm
>> http://www.catb.org/~esr/faqs/smart-questions.html
>>
>> You can have peace. Or you can have freedom. Don't ever count on
>> having both at once. - RAH
>>
>>
>> "VS" <VS@discussions.microsoft.com> wrote in message
>> news:A24176E2-6CF5-495A-A804-6037AC51E747@microsoft.com...
>>> Thanks for the info.  I keep running Adware and Spybot.  Spybot
>>> finds the file DSO Exploit all the time.  It says it fixes it, but the
>>> next time I run it, it returns again.  I am debating whether to do the
>>> clean boot.
>>>
>>> "Jim Byrd" wrote:
>>>
>>>> Hi VS - Although there are several possible causes, this sounds like this
>>>> might be a variant of some malware called CoolWebSearch (if CWShredder
>>>> doesn't fix it, then see AdAware, SpyBot, and HijackThis, below, in that
>>>> order). Do the following:
>>>>
>>>>
>>>>
>>>> Before you try to remove spyware using any of the programs below, download a
>>>> copy of LSPFIX from any of the following sites:
>>>>
>>>> http://www.cexx.org/lspfix.htm
>>>> http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
>>>> XP)
>>>>
>>>>
>>>> The process of removing certain malware may kill your internet connection.
>>>> If this should occur, this program, LSPFIX, will enable you to regain your
>>>> connection.
>>>>
>>>>
>>>> Download, UPDATE before running, and run:
>>>> http://209.133.47.200/~merijn/files/CWShredder.exe to remove the parasite.
>>>> Be sure to close all instances of IE and OE.   You may also get it here if
>>>> that link is blocked: http://www.zerosrealm.com/downloads/CWShredder.zip
>>>>
>>>> BE SURE that you get v.158 or later!
>>>>
>>>> You will need to show Hidden files first and then at the end clear the
>>>> malware garbage from your System Restore backups after you've cleaned up.
>>>> It's best to perform CWShredder (and most other malware fixers too) from
>>>> Safe mode and then reboot. AFTER cleaning things up, then you can disable
>>>> and then re-enable System Restore.  See ******** below.
>>>>
>>>> The following links give instructions on how to do these various functions:
>>>>
>>>>
>>>> HOW TO Restart in Safe Mode
>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406>
>>>>
>>>> HOW TO Enable Hidden Files
>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339>
>>>>
>>>> HOW TO Disable/Flush System Restore  (do this at the end AFTER cleaning or
>>>> use the suggested procedure for XP at the ******'s)
>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039>
>>>> (WinXP)
>>>> <http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239>
>>>> (WinME)
>>>>
>>>>
>>>>
>>>> Then download and run:
>>>> http://www.kellys-korner-xp.com/regs_edits/iegentabs.reg to restore your
>>>> tabs and remove any restrictions that the parasite has put in place.
>>>>
>>>> Now download and run:
>>>> http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG to restore
>>>> your search functions if they've been affected (as they probably will have
>>>> been).
>>>>
>>>>
>>>> Be sure that you also download and install hotfix Q816093, here:
>>>>
>>>> http://support.microsoft.com/?kbid=816093
>>>>
>>>> which blocks the exploit upon which this parasite family depends.
>>>>
>>>>
>>>>
>>>> However, this also indicates that you may have acquired some other malware
>>>> along the way. If you go to this page at Jim Eshelman's site, here:
>>>> http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
>>>> of a number of possible parasites on your machine will be made to help you
>>>> identify and remove them. NOTE: You will need to disable Ad Blocking in Zone
>>>> Alarm 3.x, if present or any other Ad Blocking software which interferes
>>>> with Java Scripting for this scan to work. You should get a message between
>>>> the two lines of **** giving the results of the scan.
>>>>
>>>> Get Ad-Aware 6.0, Build 181 or later, here:
>>>> http://www.lavasoftusa.com/support/download/.  UPDATE and run this regularly
>>>> to get rid of most "spyware/hijackware" on your machine.   If it has to fix
>>>> things, be sure to re-boot and rerun AdAware again and repeat this cycle
>>>> until you get a clean  scan.  The reason is that it may have to remove
>>>> things which are currently "in use" before it can then clean up others.
>>>>
>>>> Another excellent program for this purpose is SpyBot Search and Destroy
>>>> available here:  http://security.kolla.de/  SpyBot Support Forum here:
>>>> http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi.   I recommend
>>>> using both normally.  After UPDATING and fixing things with SpyBot S&D, be
>>>> sure to re-boot and rerun SpyBot again and repeat this cycle until you get a
>>>> clean "no red" scan.  The reason is that SpyBot sometimes has to remove
>>>> things which are currently "in use" before it can then clean up others.
>>>>
>>>> Note that sometimes you need to make a judgement call about what these
>>>> programs report as spyware. See here, for example:
>>>> http://www.imilly.com/alexa.htm
>>>>
>>>> Both of these programs should normally be UPDATED and run after doing any
>>>> other fix such as CWShredder and, as a minimum, normally at least once a
>>>> week.
>>>>
>>>>
>>>>
>>>> If they don't fix it then start here:
>>>>
>>>> Download HijackThis, free, here:
>>>> http://209.133.47.200/~merijn/files/HijackThis.exe  (Always download a new
>>>> fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
>>>> You may also get it here if that link is blocked:
>>>> http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
>>>>
>>>> In Windows Explorer, click on Tools|Folder Options|View and check "Show
>>>> hidden files and folders"  and uncheck  "Hide protected operating system
>>>> files".  (You may want to restore these when you're all finished with
>>>> HijackThis.)
>>>>
>>>> Unzip the downloaded HijackThis to any convenient folder, start it then
>>>> press Scan. Click on SaveLog when it's finished which will create
>>>> hijackthis.log. Now click the Config button, then Misc Tools and click on
>>>> Generate StartupList.log which will create Startuplist.txt
>>>> Then go to one of the following forums:
>>>>
>>>> Spyware and Hijackware Removal Support, here:
>>>> http://216.180.233.162/~swicom/forums/
>>>>
>>>> or Net-Integration here:
>>>> http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=d3c2c886d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
>>>>
>>>> or Tom Coyote here:  http://forums.tomcoyote.org/index.php?act=idx
>>>>
>>>> or Jim Eshelman's site here:  http://forum.aumha.org/
>>>>
>>>>
>>>>
>>>> Sign in, then copy and paste both files into a message asking for
>>>> assistance. Someone will answer with detailed instructions for the removal
>>>> of your parasite(s).
>>>>
>>>>
>>>> *******
>>>> ONLY IF you've successfully eliminated the malware, you can now make a new,
>>>> clean Restore Point and delete any previously saved (possibly infected)
>>>> ones. The following suggested approach is courtesy of Gary Woodruff:  For XP
>>>> you can run a Disk Cleanup cycle and then look in the More Options tab.  The
>>>> System Restore option removes all but the latest Restore Point. If there
>>>> hasn't been one made since the system was cleaned you should manually create
>>>> one before dumping the old possibly infected ones.
>>>> *******
>>>>
>>>>
>>>> Once you get this cleaned up, you might want to consider installing the
>>>> SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
>>>> happening in the future:
>>>>
>>>> http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
>>>> X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
>>>> memory load - but keep it UPDATED) The latest version as of this writing
>>>> will prevent installation or prevent the malware from running if it is
>>>> already installed, and it provides information and fixit-links for a variety
>>>> of parasites.
>>>>
>>>> http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
>>>> install malware) Keep it UPDATED.  Both Very Highly Recommended
>>>>
>>>>
>>>> Finally, go to Windows Update and ensure that ALL Critical updates are
>>>> installed.
>>>>
>>>> --
>>>> Please respond in the same thread.
>>>> Regards, Jim Byrd, MS-MVP
>>>>
>>>>
>>>>
>>>>  In news:ED3238D1-E2A7-40EE-BFA6-E39AD405FF0A@microsoft.com,
>>>> VS <VS@discussions.microsoft.com> typed:
>>>>> My home page will not stay set to MSN.  I have run Adware and Spybot.  They
>>>>> detect threats and show them fixed.  I was also getting a pop-up called only
>>>>> the Best.  That is not coming up now, but the home page still keeps changing. I
>>>>> also ran Norton and that discovered several bad files, some of which I could delete.
>>>>> I am wondering if I should run a clean boot in Windows XP.  Can anyone give me
>>>>> an answer.  Thanks
>>>>>
>>>>> "Tom R" wrote:
>>>>>
>>>>>>
>>>>>> "j hunt" <john.hunt5@btinternet.com> wrote in message
>>>>>> news:1ef8901c457a1$949d6270$a601280a@phx.gbl...
>>>>>>> can anyone help with a programme that eliminates
>>>>>>> adware/spyware popups and virus
>>>>>>    I would download and run Ad-Aware, (free) be sure to
>>>>>> update it after you install it.
>>>>>> http://www.lavasoftusa.com/software/adaware/
>>>>>>
>>>>>>  You should also run Spybot Search and Destroy, (free)
>>>>>>  http://www.safer-networking.org
>>>>>>
>>>>>>
>>>>>> Then run at least one of these free online virus scan programs,
>>>>>>
>>>>>> RAV
>>>>>> http://www.ravantivirus.com/scan/
>>>>>>
>>>>>> Panda:
>>>>>> http://www.pandasoftware.com/activescan/
>>>>>>
>>>>>> BitDefender
>>>>>> http://www.bitdefender.com/scan/license.php
>>>>>>
>>>>>> After you are sure the machine is clean download
>>>>>> and install SpywareBlaster(free) to help keep it that way
>>>>>>
>>>>>> http://www.javacoolsoftware.com/spywareblaster.html
>>>>>>
>>>>>> Good Luck,
>>>>>> Tom
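
Added example, not part of the original thread and not any poster's or tool's code: a check for the symptom VS describes (IE home page reset to a res:// URL served from a DLL), run over a regedit export of the Internet Explorer "Main" keys. The function name, the sample export and the second DLL name are constructed for illustration; the watched value names are the standard IE ones and are not taken from the thread.

```python
import re

# Constructed sample (not from the thread): a regedit export of the Internet
# Explorer "Main" keys on a machine showing the symptom VS describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://drswi.dll/index.html#96676"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com/"
"Search Bar"="res://C:\\WINDOWS\\TEMP\\example.dll/sp.html"
'''

# IE values that decide where the browser goes for home and search pages.
WATCHED = {"start page", "search page", "search bar",
           "default_page_url", "default_search_url", "local page"}
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # Undo .reg string escaping: a backslash protects the next character.
    return re.sub(r'\\(.)', r'\1', text)


def find_res_hijacks(reg_text):
    """Return (key, value name, data, module) for watched values set to res://."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the values belong to
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue                  # header, blank line or non-string value
        if not key.lower().endswith(r'\internet explorer\main'):
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        if name.lower() in WATCHED and data.lower().startswith("res://"):
            # res://<module>/<resource>: the module is the DLL to locate.
            module = data[len("res://"):].split("/", 1)[0]
            findings.append((key, name, data, module))
    return findings
```

The module name in each finding is the file to look for on disk and in the startup entries; real exports are usually UTF-16, so decode the file before passing its text in.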