PC Help Please: Rogue programs took over my PC...

Ok...I'll post while I am still a human.

Spybot on it's own doesn't find all the things. I also run Lavasoft's Adaware and Miicrosoft's (formerly Giant) Microsoft Antispyware. Also grab Hijack this.

http://www.spywareinfo.com/~merijn/downloads.html

To start.

 

Also, switch to Firefox for all browsing of websites that do not not require Active X controls.

http://www.mozilla.org/products/firefox/

 

You'll never get it all, even if you think you have.

Back your important data files (not programs) to CD, and rebuild the box from scratch.

Alternatively, get Ad-aware and hijackthis, run both in safe mode, and wipe out whatever they find (use the iamnotageek.com site to explain the hijackthis log). Then repeat in normal mode. Make sure you're not connected to a network or the internet during this process, to keep the machine from reloading it.

Then use regedit and get rid of all the spyware keys and such

Then, load the MS Spyware tool and let it do it's thing. It seems to be a decent product.

There seems to be a new variant on the scumware stuff that uses an older LSASRV vulnerability to push the junk to machines. No web browsing needed for infections. We've been fighting this for a few days at work, finally got it knocked back using the techniques above.

 

Rob,

If these are ISI search and/or other searchbar programs, you're pretty much screwed. I had them and within a couple days, the operating system crashed. Try to get as much off or your desktop and my documents as you can and reinstall windows. Sorry.

If not. the BEST spyware program out now is the Microsoft Beta. http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

This is your only shot. It blocks from all angles.

Good luck.

DL

 

You can load Zone Alarm which will notify you of all outbound requests:
http://www.zonelabs.com/store/content/home.jsp

Do this after you have scanned your system of all bugs with the programs listed.

Once you have done all this and you are still screwed, you are going to have to camp your ports and processes. Not fun. There's crap out there that flies under the radar of all this stuff, but it is *rare*.

If you are using XP, make sure to turn off System Restore, because you don't want it to folder those items you are trying to remove.

 

My favored program for removing spyware it highjack this. Reason being is because it scans your computer and brings up every little thing that could be spyware and then it lets you pick out the problem programs that needs to be deleted. Then it will delete the programs you want it to.
I also use the new beta Microsoft spyware scanner and I must say that I’m very impressed with it as well

 

Your link doesn't match what I see.

You're going to have to use a different machine to get the tools.

EDIT: You really should change your passwords from another machine also, like for Ferrarichat. BTW, do you do any electronic banking on this machine?

 

I had the EXACT same problem on my home PC about 3 mos ago. Hijack this took care of most of it after I dealt with Spybot and Adaware. I'll email it to you.

 

Bottom line: if you're still getting popups, then you still have rouge processes running on your machine that are not under your control. Those processes may be mildly annoying, or they may reload your machine with more junk. They may also be recording passwords, keystrokes, and other info and sending them to other people you don't know.

Personally, I consider a compromised machine junk, and it should be formatted and rebuilt. That's the professional paranoid perspective

 

Yes it did. First it killed AOL, Then it ultimately blocked my access to the web. At the end, I could not access my desktop, my documents or the control panel

That is why I mentioned saving what you can while you can.

DL

 

Rob - "System Restore" is extremely useful.

In your case, just "restore" computer to a couple of days ago. All that crap will be gone... because it was effectively never there.

We just did this with a computer that wouldn't stay on any longer than 5 minutes. Restored it to 3 months ago - *Voila*- nearly dead computer my future sis-in-law gave my gal's son 2 days ago now works flawlessly. She'd already bought a replacement rather than let someone actually (chuckles) maintain (chuckles) it.

 

Thanks for that perspective. I'm a paranoid amatuer and this confirms my suspicions. I already do this about once every 6 months, whether I'm having trouble or not.

 

Now, now Rob I didn’t post a link
But the Microsoft spyware beta link is http://www.microsoft.com/spyware

and you can get HighjackThis at http://www.spychecker.com/download/download_hijackthis.html

 

i had a similar problem about 6 months ago, since then i'm now running Kerio firewall, avg, adaware, etc.

here's the programs in my "_me_clean_me_clean" directory just in case it happens again and i can't access the web.

adaware (adware removal)
avg (anti-virus)
bugoff (CWS defender)
cws (coolwebsearch removal)
hijackthis (browser de-hijacker)
kerio (firewall)
spybot (spyware killer)
startuplist (list startup stuff)

i think you'll want to look into the "cool web search" shredding tool. the first thing that tipped me off to something wrong was that my homepage changed and i couldn't reset it, and my searches went automatically to somewhat unreputable sites.

 

Glad to see things are running smoothly again. Firefox is your friend (www.mozilla.org) if you aren't running it already that is.

So... those hacks should die slowly? Or shall you start with banning anyone who writes or even profits from loading that crap on your system? =D (sorry, just a personal peeve I have)

 

Glad your puter is feeling better

 

do a few scans in safe mode. I found a few items that don't show up unless they are not running, which would only exist in safe mode.

 

I would suggest that you download this too and run it

I did miracle for me. At work a person got like you the system compromised [not like you it was the employee fault] and I was able to have back the system without the need of formatting.

http://tds.diamondcs.com.au/index.php?page=download

There is the link and also be sure to overwrite the database file with the updated file

http://tds.diamondcs.com.au/index.php?page=update

Cheers ilo

 

Has anyone heard of neobar thats the biggest pain in the neck, ran every spyware program, delet program, rebooted neo bar was still there, tried hijack this didnt work, it was the most fustrating day of my life. I went to a site (i dont remember now) and they had a whole section on taking the neobar off. It finally fixed it, So Rob I feel your pain. good luck.

john

 

Sorry I came across this thread late.

If you put in a site and you're redirected to another site, do a search for the hosts.txt file and make sure to remove any entries in there that are resolving sites like www.symantec.com and www.microsoft.com to other pages where these malware objects reinstall themselves from. Normally, this kind of activity is virus, not spyware related, in my experience with programs that hack the hosts file like this.

Safe mode is your friend. Also, suspect ANY .exe that has a creation date and time when you had the "incident" and do a search on Google for information on the process. If its bad, remove it using regedit from the Run or RunOnce area of Local Machine\Software\Microsoft\Windows\Run and RunOnce and rename the file to .old or .000 because other programs might be triggering the file to load in memory.

If you rebuild, it would be a good time to stay off the net, load your programs, tweak your settings, and built an image file in case you have to restore at a future date. I don't like the system restore feature - I prefer using Norton Ghost or the like.

Sunny

P.S. block cookie generating sites like advertising.com etc in your IE cookie override area and raise your internet security zone to be maxed out/disabled for everything.