Tenacious Spyware Problem (Vanity)

6/16/04 | Me, Myself, and I

[Born Conservative]

Please excuse the vanity (this is my first vanity post). I am having a problem with spyware. It started when my 11 year old son installed a "really cool" screensaver on the computer (running XP Home) from "screensaver.com". As soon as he told me he did that, I knew that I was up the creek without a paddle. So, I ran Spybot, and then Ad Aware, and "fixed" my Spyware problems. Right. Needless to say, my computer is still infested.

I then did some searching on the web,and downloaded Hijack This, since my browser was hijacked to a different home page (msn.com). Since I wasn't sure which programs were spyware, and which were not, I haven't "fixed" them with Hijack This yet. I also downloaded Aluria's free spyware scanner, and it shows 17 spyware files. The files include Wild Tangent, IWon, Cydoor, 2020Search, Comet Cursor, WhenUSave, and MyWay Speedbar. I did re-run the SpyBot and AdAware, as well as CWShredder (run in Safe Mode), but the spyware persists. I am also up to date on all Windows updates. Any help would be appreciated. I do have a log file from the Hijack This if that would help.

[Mannaggia l'America]

Just to add yet another thing to try:

Autostart Viewer

There are numerous ways that malicious programs can embed commands to have them start automatically. This lists them and sometimes helps.

I just recently helped my daughter's teacher clean off her computer, which her son was using to download music files. Between Adaware and Spybot S&D, it found almost 600 files/registry entries to delete - I've never seen a system so dirty.

Even after Adaware and Spybot cleaned them, there was still something executing at boot time that was automatically generating a .exe file and inserting it into the "Run" folder in the registry, which automatically runs (usually legitimate) programs at boot time. I had a heck of a time getting rid of that.

One other thing to be sure you are doing is updating Adaware and Spybot S&D before scanning. The downloads are usually out of date, so click the "Check for updates" button to be sure you have the latest spyware signatures before scanning.

[GOPyouth]

Spy Bot may also zap some registry files that might screw up your internet connection

I ran into this problem this past weekend. It jacked my connection all up. The computer wouldn't recognize my modem or anything. I hadn't done a clean install of XP in about a year and a half, so I went ahead and reinstalled. It's amazing how fast this computer runs now. :)

[Deguello]

Bump for later research. One of our computers at work was hyjacked to mshp over the weekend. May have to do a total clean out of the system. Unplugged it from the server.

[Bloody Sam Roberts]

Slowed my cable modem connection by a factor of 100x, screwed up my registry, messed with my CMOS settings.

I don't doubt you had problems but I'm very surious as to how the executable for the Proxomitron could have caused CMOS problems. It also places nothing in the registry. What kind of problems did you experience, exactly.
Only if you care to share. Did you use version 4.5?

[Registered]

Trend Micro Sysclean Package http://www.trendmicro.com

[dbwz]

Reference bump

[Malsua]

>>vI ran into this problem this past weekend. It jacked my connection all up. The computer wouldn't recognize my modem or anything.<<

There's one spy program and I'm drawing a blank on it right now, but it's like "value shopping" or somesuch and it actually replaces your winsock.dll with it's own. If you use spybot and clean it, you have no connection any longer. You generally have to re-extract it from the cabs.

I clean systems almost daily(everyone brings in their kid's pcs for me to fix, rather unrelated to my job). There's not a single one I've not been able to return to like-new function.

[Revolting cat!]

I had a similar problem and took similar steps to remedy it about a month ago. With similar results. In the end, to get rid of the pests I had to go the IBM way ("It's Better Manual".) No drastic steps such as system restore were required. Since the spyware removal programs can identify the culprits but are unsuccessful removing them completely, jot the names down and google on them. You'll find pages explaining how to remove the things manually. Also google on the names of suspicious running processes. Reboot again and again.

It took me 5 days to completely clean up my machine - it had spyware, malware and several trojans. How did I catch the disease? By searching the net for cheap airfares to Europe and googling for advice on searching the net for cheap airfares to Europe. Nothing different than what I had done a year ago when I wasn't running any anti-virus or anti-spyware. Last year I found a reasonable airfare and went, this year - nada!

[don-o]

Unbeatable all right. Slowed my cable modem connection by a factor of 100x, screwed up my registry, messed with my CMOS settings.

Well, there we have it.

Caveat emptor.

[hunter112]

Between Adaware and Spybot S&D, it found almost 600 files/registry entries to delete - I've never seen a system so dirty.

Had a customer a few weeks ago who had over 900 items found by AdAware, and thirty five files infected by viruses detected by AVG antivirus! It was a miracle I could even start the machine, I had to do each in two swipes, I couldn't even connect the computer to the Internet (he had dialup) until I used months-old versions of those programs that I travel with.

Took about two hours of billable time, but I finally got him straightened out!

[b4its2late]

Yep. You're right. But with some patience you can achieve similar goals with Spy Bot. I'm not knocking it, it has it's benefits. You just have to know what you are doing (and that does not apply to me all the time either BTW).

[b4its2late]

How youthful are you, if you don't mind me asking?

[VOA]

bump

[Long Cut]

If this thread doesn't answer your questions, THIS ONE MIGHT. It's my account of a vicious spyware attack I suffered two months ago, and the steps I took to fix it, and the subsequent advice I got from some knowleageable FReepers. I highly recommend it.

[snooker]

The easiest thing to do is do a system restore to an earlier date.

Spybot has a deep scan option, takes a long time, but digs out a lot more of the offending programs than the quick scan.

I would also run Norton anti-virus, or another good anti-virus on your complete computer.

System restore is your friend. It allows you to back out changes. Spybot has a similar mechanism, just in case it deletes something you needed.

Once you get it fixed, the Norton utilities contains a program called clean sweep which will back out these kinds of problems and detect and prevent them from being installed. You can set it so your family can't install.

BTW, you are running the computer as a user not as the 'OWNER' account. If you aren't I suggest you make a special account for your family that does not allow program installation. Many problems can be prevented by just making a separate account with restricted privileges.

[RightWinger]

Try:
www.techguy.org
www.cybertechhelp.com

[No Blue States]

"System restore is your friend. It allows you to back out changes."

Absolutely great way to fix this problem, I did a Restore to June 1st and Im back where I was before this problem arose.

Took half an hour maybe, 1st time I used it but certainly not the last.

Just searched files for Restore and there it was.

[M. Peach]

How did you do it in 2 hours? It usually takes me days.

[jokar]

Bump

[Old Professer]

I am pinging this open because I have been days trying to eliminate belt.exe and its associated files and decided tonight to manually delete them per Symantec's instructions; when I opened the hidden files I saw that belt.exe had been last modified 8/13/2003; the only thing is, I bought this cpu new 02/12/2004.

In other words, either CompUSA sold me a refurbished computer without wiping the drive or COMPAQ pre-installed a trojan adware pgm.

Anybody have any ideas about this before I yell at CompUSA?