What to do when you have Spyware

[Glenn]

Okay, I can't believe there are still people here who don't know what to do when their systems start acting strange and slow. Chances are, you've got spyware.

But first, you also want to make sure you don't have any viruses lurking in your system. So if you don't have an anti-virus program that has up-to-date virus information, junk it and go download AntiVir. (If you have trouble accessing their website, try getting it from here.)


We have yet to see any single anti-spyware program that can find and remove all of the spyware that's floating around out there, but with the combination of the following programs, you should be able to detect and remove 99.9% of them. They are:

• Ad-Aware
• Spybot - Search & Destroy
• CWShredder

Download, install, run the updates for each, then the scans. You may be asked to reboot your system for a separate scan to remove files that are running in memory.


When you're done scanning and removing spyware with these three programs, install Hijack This! and reboot your system. Then run it, and post your log to this forum, and ask us to check it for you. Those of us who have time can go through your log and help you see if there are anything else still lurking around on your system that shouldn't be.


Edit: Forgot to mention--Make sure you disable Messenger Service for your Windows system. This is not the same as MSN Messenger.

[Bitter]

STICKY!

[Bitter]

screen cap of what processes i have running and what my msconfig looks like.


qttask wont die, it comes back everytime quicktime(the devil is a macintosh programmer) is ran and fucks my file associations. all i need is the qt codec media player classic does all my video

[LKNANML]

What is Spyware?

Spyware, also know as Adware, is basically software that is installed on your computer without your knowledge, and gathers information about you and your PC, sending it back to base for either Advertising/Marketing or selling to other companies.

How does it get on my computer?

Ways that spyware find its way on to your pc are through Warez, and Porn sites that can download the software without you even knowing. P2P software is also a main contender for carrying spyware, and is often installed as part of the program. Some websites may trick you into downloading a piece of software that they claim is required for the website to run properly, once you download/install it then that’s when ‘real’ problems can start.

Even software that you think is safe to download and use (Download Accelerator, for example) are actually considered spyware because they can check the websites that you have visited and then send back ads that are in relation to those websites. Other software such as Porn Dialers and Premium Rate Dialers are also a big problem.

What can Spyware do?

Once on your PC, its purpose is to gather information about you the user and your pc. Data like Personal details, Passwords, and Credit Card information can be stolen and sent to someone else via your internet connection, again without you knowing. Keyloggers are a form of spyware that can be installed on your pc and that can be used to trace and log all data that you type. Your PC and your web browser can also be hijacked, meaning that your browser's homepage could be taken over by certain unwanted websites.

How do I know I have spyware?

The symptoms are similar to those from a virus:


Your PC may be slower, with higher CPU usage than usual.

Unexpected icons and shortcuts may appear on your desktop, and extra bookmarks in your Favorites.

Your Web browser may have a search/tool bar that you’ve never seen before and a new home page.

Popup ads may appear even when a browser is not open.

These are all classic symptoms that you have been hijacked and are being spied on.

What can I do about it?

Thankfully there is software that you can use to eliminate Spyware and Hijackers.

First you should download, update and run both Ad-Aware and Spybot Search & Destroy. These will get rid of most of it.

Then you should download HijackThis, extract it to its own permanent folder. Run a scan, save the log. Then you will be able to post a thread in the security forum and we could take a look at the log for you, to see what else needs removing.

Another program called CWShredder should be used only if you have a variant of the Coolwebsearch hijacker.

About Blank homepage hijack help
If you disabled Zonealarm and have no other firewall enabled, you will experience
far more problems than what you have now. At the very least, enable the XP firewall.


Running these programs and running them correctly are two different things....

Before using ANY of these tools, do the following:
Delete TIF’s and history.
Empty your recycle bin.
Disable System Restore.
The reason you need to disable system restore is that many of these pests like to
hide within the restore files. These are protected by Windows, therefore the scans
can’t delete the pests.

An online scanner is available at:
Trend Micro
Panda
McAfee

Now scan for spyware/adware/malware:


Download, install, UPDATE, and run:

Ad-Aware 6.0
Spybot Search & Destroy 1.3

Close ALL browser windows before using these tools.
These will scan for, detect and remove most variants of spyware/adware/malware.

To prevent spyware/adware/malware from being installed on your computer, download,
install UPDATE and run these:

SpywareGuard
Spyware Blaster

SpywareGuard and Spyware Blaster are not scanners. These run all the time to prevent
scumware from being installed on your computer, much like
an anti-virus program protects from viruses/worms/trojans.

Download UPDATE and run:

CWShredder
Close ALL browser windows before using these tools.
This program searches for and removes many variants of the CoolWebSearch.

It is important to run a few of these programs, as each do something different and work together.
(Make sure to use the update feature of these programs often.)

Good selection of whats out there.....

Adaware

Adaware plugins

AVG Antivirus

Antivir Antivirus

Ewido Trojan Remover

F-Prot Antivirus

HijackThis and CWShredder

HijackThis Log Tutorial

Isearch toolbar uninstaller

Searchpage

SpyBot

SpywareBlaster

SpywareGuard

Stinger

TrojanScan

VX2Finder

WinsockXP Fix


Forum sites with good info

[LKNANML]

This seems to be popping up more and more so I thought I would post the fix just in case...

Ive seen a few comps with the following in the Hijack log
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

In this current state its more of an annoyance but can become a major prob very fast... You can go from that to this in a hurry
""""O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM) """"


And then your hurtin in a bad way....
Now I use Firefox so it really doesnt effect me but IE users will be hit hard.. (Yet another reason to use Firefox till old Bill shares IE)

Here is an ez fix you can all do.... Rem to always back up your reg before fixing anything and rem to save that backup for a few months.....

FIX............................................... .................................................. ...
Run Notepad (or sim), and copy the info below and save it as file name:
"fixme.reg"
Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000


Close Internet explorer, double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information.
Once you get a successful message delete fixme.reg.
Run hijack this to see result.. Should be good to go.....

[Bitter]

CWS is the absolute worst. antivir removes it after my dads computer reboots and he opens IE, cws shredder takes it off too. but it comes back. tho i havent tried cws shredder since the firewall...hmmm....brb

[LKNANML]

IE? wow.. Use anything but IE.... 90% of my probs were gone when I del IE and Used another browser.....

[Bitter]

Quote:

Originally Posted by LKNANML

IE? wow.. Use anything but IE.... 90% of my probs were gone when I del IE and Used another browser.....

its my dads computer not mine. i still use IE, but thats because im waiting for more annoying kinks to be worked out of FF, my firewall blocks most things, my hosts file blocks evenmore, and my antivirus catches the rest. also ive installed several "innoculations" that fix some of the holes in IE. i havent had any problems with IE on this xp install thus far, but when i do or FF is more complete i'll switch.

[LKNANML]

I hear ya.. Took me awhile to get FF running they way I wanted it to.. Now it runs smooth with 0 probs or blocks... Lots of tweaking info out there.. Once its tuned up it runs strong...

[Glenn]

To update Ad-Aware, click on "Check for Updates Now"


Then click on "Connect"


To run the scan, click on the "Start" button (seen in first pic), and choose a scanning method (the default is typically good enough).

Ad-Aware places items it finds in two major categories: Harmful object, and Negligible Objects. You can right-click on the items and choose to select all if you want to save time.

It would be a good idea to actually go through the list of harmful objects found to see if there's anything that you might want to keep.

[Glenn]

When you first run Spybot - Search & Destroy, it should download all the updates for you as you follow the instructions. In the future, you'll have to check the updates yourself.



You'll have to check each update manually, then click on the Download Updates button. If you get checksum errors, try downloading from a different server (there's a drag-down list you can choose from)



After you've gotten all the updates, you can run the scan and "Check for Problems." When the scan is complete, you can expand the items to see what they are, and if you really want to remove them. You can uncheck anything you don't wish to remove, and click on "Fix Problems" button.




Be sure to run the immunization:



By default, Spybot has a few items in its "Ignore" list. That is, if it finds someting according to its rules, but the program is listed in the ignore list, the the program will not show up. It would be a good idea to uncheck these programs, so you get the full protection from Spybot (unless you actually want those programs).

To get to the ignore list, you'll have to switch to "Advanced Mode."



Click on "Settings," then go to "Ignore products." Scroll down the list to find the ones that are checked.



By default, during the installation, Spybot's "Tea Timer" service is no enabled. Tea Timer can block "bad processes," and alert you when something tries to chhange your system settings.

So if you want, you can enable Tea Timer. To do so, go to the "Tools" section and click on "Resident."



Then, just click on the checkbox to enable Tea Timer.

[Glenn]

CWShredder is pretty self-explanatory in usage. Its purpose is to look for browser hijacks from "CoolWebSearch," and remove them. "CWS" employs many different methods to try and hijack IE, so CWShredder is updated often to remove all the variants.

[Chase2000gt]

Sticky! I would also like to nominate Glenn for Gaming & IT mod

[Glenn]

Quote:

Originally Posted by Bitter

screen cap of what processes i have running and what my msconfig looks like.


qttask wont die, it comes back everytime quicktime(the devil is a macintosh programmer) is ran and fucks my file associations. all i need is the qt codec media player classic does all my video

You can remove those with Hijack This.

If you want to be able to play QuickTime files (and Real files) without having to have QuickTime (and Real Player) in your system, I would suggest downloading K-Lite Mega Codec Pack.