Posted on 06/16/2004 10:42:22 AM PDT by Born Conservative
Please excuse the vanity (this is my first vanity post). I am having a problem with spyware. It started when my 11-year-old son installed a "really cool" screensaver on the computer (running XP Home) from "screensaver.com". As soon as he told me he did that, I knew that I was up the creek without a paddle. So, I ran Spybot, and then Ad Aware, and "fixed" my Spyware problems. Right. Needless to say, my computer is still infested.
I then did some searching on the web, and downloaded Hijack This, since my browser was hijacked to a different home page (msn.com). Since I wasn't sure which programs were spyware, and which were not, I haven't "fixed" them with Hijack This yet. I also downloaded Aluria's free spyware scanner, and it shows 17 spyware files. The files include Wild Tangent, IWon, Cydoor, 2020Search, Comet Cursor, WhenUSave, and MyWay Speedbar. I did re-run the SpyBot and AdAware, as well as CWShredder (run in Safe Mode), but the spyware persists. I am also up to date on all Windows updates. Any help would be appreciated. I do have a log file from the Hijack This if that would help.
It's pretty simple. Make a master folder on your desktop and just drag everything into that and dump it on your disk (F drive). Diskettes won't work well (they will, but it might take a few hundred of them). Then go to your email program and make sure nothing will be missed, because that will be wiped clean. Next check any of your settings that you made in Start/Run (msconfig)/startup. After all that just do a full system restore from D drive of disc.
Set up Ad-aware like this - before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:
General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."
Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".
Reboot when done.
If the homepage of IE was changed, go into Control Panel/Internet Options and change the default home page to blank.
Spy Bot may also zap some registry files that might screw up your internet connection, so be ready to do a restore if that happens. Then pick and choose what to zap on each run until you can tweak it out...
I ran into a problem using Lavasoft's Ad-aware: it hijacked my browser to MSN.com. It took me a long time to figure out what was happening. Lavasoft says coming versions of Ad-aware won't do this.
If your home page is set to about blank you might run into the same problem I had.
It seems that some hacker is using about blank as a way to get around spyware removal programs. So when you run Lavasoft's Ad-aware it shows a possible browser hijack when you have set your home page as about blank. If you allow Ad-aware to fix this, it resets your browser to the Windows default of MSN.com.
If this is the problem you are having, instead of allowing Ad-aware to fix the problem, select the possible browser hijack and mark it to be ignored.
If you are worried that your system is infected, first run Ad-aware with your home page set to MSN.com. If it runs clean, then change your home page to about blank and run Ad-aware again, then mark the possible browser hijack to ignore.
Upon looking at your hijackthis log, it looks clean enough to me. You're running some stuff I wouldn't but none of it appears to be spyware.
One has to wonder how many of these are created by the people selling the fix..
A Spy Bot file restore, not a complete computer hard drive restore, that is......
of=or
You can get a "Startup Manager" program on download.com that will let you easily peek inside the registry and see what it wants to automatically run at startup (and make the things you aren't sure of over into dormant programs that don't autorun.) In the past I have removed programs, only to find that there is an automatic reinstall in the registry. I'll check for a link tonight, and also to one of those .pdf lists of valid and evil startup file names.
Bump to save.
At the VERY LEAST, the following processes should not be running:
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\ClipCache\clipc.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE
The following can be safely deleted:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE" -Run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
The BHOs can be deleted, but you'll have to download a bunch of plugins. Don't delete them the first try.
Advice: turn OFF System Restore. Use HijackThis! to fix the selected entries (NOT regedit, unless you spend time with regedit) AFTER making sure HijackThis!'s config is set to back up the registry.
Update all your antispyware defs and antivirus defs, download Registry Mechanic, and run it after running all the previous categories of apps.
My guess is PortMagic, Aluria, ClipCache and PRISMXL.SYS are causing the problem.
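The startup-entry review above (and the "Startup Manager" suggestion earlier in the thread) boils down to one question: which of the things set to auto-run at logon do you actually recognise? Below is an added example, not code from the thread or from HijackThis, that parses the O4 lines of a HijackThis log into structured entries and flags the ones worth a closer look. It assumes the log uses the O4 line shapes quoted in this thread (HKLM/HKCU Run values and Startup-folder .lnk targets); the sample log is the thread's own excerpt, and the "recognised" list is a constructed placeholder standing in for the list of programs the user knows they installed. Besides unrecognised executables, it flags two weaknesses that a reviewer would call out anyway: commands with no full path (resolved through the search path at logon) and unquoted paths containing spaces.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class StartupEntry:
    source: str     # "HKLM\..\Run", "HKCU\..\Run" or "Startup" (the folder)
    name: str       # registry value name, or the .lnk file name
    command: str    # full command line / shortcut target as logged
    exe: str        # executable part with surrounding quotes removed
    quoted: bool    # True when the logged command wrapped the path in quotes


# HijackThis O4 line shapes, as quoted in this thread's log excerpt.
REG_RE = re.compile(r'^O4 - (HKLM|HKCU)(\\\.\.\\\w+): \[([^\]]+)\]\s*(.*)$')
LNK_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.+)$')
ANY_ITEM_RE = re.compile(r'^O\d+ - ')
# First token ending in a program-file extension, so an unquoted path that
# contains spaces is kept whole instead of being cut at the first space.
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|cmd|pif|sys))(?=\s|$)', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')


def _split_exe(command: str) -> Tuple[str, bool]:
    """Return (executable, was_quoted) for a logged command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True
    m = EXE_RE.match(command)
    return (m.group(1) if m else command.split(' ', 1)[0]), False


def parse_o4(line: str) -> Optional[StartupEntry]:
    """Parse one O4 line; returns None for any other line type."""
    m = REG_RE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        exe, quoted = _split_exe(cmd)
        return StartupEntry(hive + key, name, cmd.strip(), exe, quoted)
    m = LNK_RE.match(line)
    if m:
        folder, name, target = m.groups()
        exe, quoted = _split_exe(target)
        return StartupEntry(folder, name, target.strip(), exe, quoted)
    return None


def parse_log(text: str) -> List[StartupEntry]:
    """Parse all O4 entries, re-joining commands that were wrapped onto a
    following line (as happened to the Port Magic entry in the thread)."""
    joined: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ANY_ITEM_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += ' ' + line   # continuation of the previous item
    return [e for e in map(parse_o4, joined) if e is not None]


def triage(entries: List[StartupEntry], recognised: Set[str]) -> Dict[str, List[str]]:
    """Map entry name -> reasons it deserves a look. Entries with no reasons are omitted."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        base = e.exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if base not in recognised:
            reasons.append('executable not on the recognised list')
        if not DRIVE_RE.match(e.exe):
            reasons.append('no full path: resolved through the search path at logon')
        # Only registry Run values are command lines; a .lnk target is a path, not a command.
        if e.source.startswith('HK') and not e.quoted and ' ' in e.exe:
            reasons.append('unquoted path containing spaces')
        if reasons:
            flagged[e.name] = reasons
    return flagged


# Sample log: the O4 lines quoted in this thread, one of them wrapped as it was posted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PORTMA~1.EXE" -Run
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClipCache] C:\Program Files\ClipCache\clipc.exe /wait 3
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
"""

# Constructed placeholder: executables the user positively recognises (lower-case basenames).
RECOGNISED = {'qttask.exe', 'msmsgs.exe', 'nwiz.exe'}

if __name__ == '__main__':
    for name, reasons in triage(parse_log(SAMPLE_LOG), RECOGNISED).items():
        print(f'{name}: {"; ".join(reasons)}')
```

Run it and the Port Magic, ClipCache and ASE Scheduler entries are listed because their executables are not on the recognised list, while nwiz is listed only because "nwiz.exe /install" carries no path; in a real review the recognised list is the set of programs you can account for, and anything else is a candidate for the HijackThis fix (with the registry backup the post above insists on).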
System Restore to an earlier time. I had a bad redirect virus and that was the only cure. I honestly don't know why I even pay for Norton. It seems useless.
Yeah, I had a bear of a time getting rid of the 'ptsnoop' registry startup file. It's for a PCTel modem, which I don't use, and it took me an entire night to figure out. It kept reinstalling. I finally kicked its ass, though.
Port Magic, ClipCache, and Aluria are all legitimate programs, so I'll hold off on deleting them (Port Magic manages my ports for online gaming, ClipCache is a clipboard program that will directly paste anything that is cut or copied into an email, and Aluria is a legit spyware scanner). I don't know what the prism program is, so that's what is probably causing the problem. Thanks for the advice.
http://www.javacoolsoftware.com/spywareblaster.html
It addresses misuse of ActiveX-based spyware and hijacking programs.
That is EXACTLY what is happening, although I am sure I still have spyware not being recognized by AdAware. Thanks for the info.
Bump
ping for later