New Breed of SPyware

[Ktronix]

Been keepin' a close eye on this thread guys as I'm havin' similar prob's as Ghettomoose and others...:grr: gonna try some of those tips given & will let ya know results...Gonna start with Chip2k tips thanks m8. Have already tried Hi-Jack this,(shangrula) but no luck so far....

[crack_it]

http://www.mozilla.org/products/firefox/central.html

yup use Mozilla Firefox its ace UNCLEX reccomended it 2 me `n` had no problems for months :thumbs

[Scottio200]

Think i got same as you mate, but this is called SearchMiracle.Elitebar

I got rid of it many a time but every 2 mins i get about 4 popups!
Oh and im using Firefox but the pop ups are in IE!
I even get em when i dont have IE/Firefox open!

Found some software that said it could get rid of it, it did! Woo Hoo!

THen a day later pop ups! Dunno how to get rid of it, checked the CP, nothing th

Really wanna get rid of this as its annoying as hell!!!

Cheers
scottio

[Ktronix]

Have now tried a few of these removal prog's but nothing as yet solved this nagging problem. which is now becoming a major issue.....:grr:

I wonder if any one out there really has any good clues on how to deal with this Brut of a Dialer. Right now I don't have much to spend out on this problem alone, so would really appriciate all directions pointing to Freeware and Similar types.


Formatting is not an option as I'd simple loose loads, and that means givin' up !!
Gonna try again right now. Thanks all so far for help and advice , more please , promise I'll keep trying!..:thumbs


Cheers All
C.U soon.

[MajorFU]

you can always use partition magic to create a new partition then dump all the stuff u wanna keep there. then reformat the main partition and re instal windows

[marcode]

I use IE and as long as you have a decent firewall, spyware, antivirus and XP sp2, then you should be ok

ffs.... that all? or you could just install a decent browser like opera/firefox and not need to have yer pc firewalled to the nackers just to stop some facking spyware. IE is officially shite.

Yeah I am using Opera now, but only things i dont like about it, is you cant have the links under the address bar

yes you can

when a new window opens, it opens in Opera rather than haveing to web pages side by side

did you even open the preferences??

[Ktronix]

you can always use partition magic to create a new partition then dump all the stuff u wanna keep there. then reformat the main partition and re instal windows

Thanks MajorFu,

Please let me know where I might get a copy of this prog' or similar. At the mo' AVG is handling what must be a Trojan or two!. They are still resident in my PC (only come alive when on the net), but the AVG prog is able to heal but remove it/them. Are there any Prog's available that will remove permenantly???

Thanks in advance.
Ktronix :thumbs

[waveydavey]

Ok, have not read the posts, just scanned them but if you need a tool to get rid of those re-occouring files, as long as you know what they are, try this its called Move On Boot and allows you to delete files before windows starts up, very useful in virus/spyware circumstances.. as usual, careful what you delete.


http://www.gibinsoft.net/gipoutils/

the one you want is "old Version" v1.95

wd

[Obliterator]

Just skimming the thread so forgive if I missed anything. I've seen loads of systems like this recently and you definitely do not need to format your system to get rid of it!

I don't know your experience so I'll just outline the tasks. If you don't know how to do anything just ask!

Boot into safe mode - this at least minimises the tasks that get started. Sadly your trojan is probably a browser helper object which bypasses this method of protection.

The browser helper object probably also has normal tasks which it launches. These will monitor for the object being deleted and put it back automatically.

You need to list the running process (Ctrl Alt Del) and end anything you dont recognise. Ignore system tasks that cant be stopped. Don't be surprised if the task restarts (or if new tasks keep starting with random names). If this happens you have one of the sophisticated blighters. If you're lucky, ending all the culrits fast enough will get you out of the cycle. But if not you'll need something like ERD Commander to edit them out of your registry before the system starts.

Once you've stopped the monitoring apps you need to deal with the browser helper object that installed it in the first place.

If your running XP with service pack 2 they have a dedicated section that lists these objects for you and allows you to remove them. If not, go tools menu, internet options, general tab, temporary internet files - settings, view objects.
Look for suspicious items in there. Whilst you're in the internet options be sure to set your homepage to blank (it may have been hijacked which is reinstalling the thing each time).

Next you'll need to stop the apps being started again upon a restart. Look in the 3 places where apps are started automatically. The system ini, start folder and run section of your registry. Check these for suspicous entries.

Look in ctrl panel->add remove programs. You never know the damn thing might be decent enough to list itself their (unlikely).

Empty your temp directory (type %TEMP% as the folder name into explorer address). Be sure your options are not set to hide any files. Ignore any files which cannot be deleted because they are in use.

Restart, again in safe mode.
See if the suspicious objects / processes / spyware has returned. If so, you did not erradicate it completely - you must have missed something. Run through the above again.
If it does not reappear, so far so go. Now reboot normally. If it returns now you missed something in one of the startup places (system ini, start folder, run section). Repeat the whole lot once again!

Once you've got rid of it. Run regular sweeps with the likes of adaware from lavasoftusa.com. Avoid installing hundreds of spyware removal programs from all over the place. Many of them actually are spyware masquerading as spyware removal tools - some with similar or identical names to genuine products. Be sure to use only trusted products obtained from trusted sources - ie directly from the authors website. And make sure you are definitely on their website!

Let me know how you get on. Also if you need more help tell me what flavour of windows your using and whether any service packs have been installed.

[peggle]

I've been using Prevx Home for a few weeks. It stops or warns of things that other AV or Spyware progs may miss. AND IT'S FREE!!!

h**p://www.prevx.com/prevxhome.asp

[ABCMan]

i'd recommend using webroots spysweeper thats better than bps spyware remover (which is basicly a version of spybot anyway).

remember torrentspy.com is your friend

the full retail version can be safely updated online then boot in safe mode and run it.

[Obliterator]

Not that familiar with prevx. I remember looking at it and seeing it was *very* vague as to how it actually worked. I think it monitors key system files and registry keys for changes and block attacks which change them negatively. But I was very sceptical as to its claims of zero-day protection for all new kinds of attack. I'd also be very impressed if they can truly block all buffer overflow exploits as they claimed without a massive performance hit. Microsoft spent something like a year blocking such exploits in SP2 and they still missed loads!

From what I remember prevx sends information on attacks back to their servers which they sell on. This is fine itself, but they failed to convince me how they used such information to actually protect you!

Also, unless its evloved it doesn't provide any detection or help remove any existing spyware that is installed beforehand. This means its unlikely to help people already infected.

[GhettoMoose]

Well what a brilliant thread this is, I did manage to get rid of it using the various programs, (cant remember which one did it ) but its gone. I am now using Opera and have realized IE is a load of shite only took me few years haha SO thanks for everyones help on this..


I now have a HIjackthis torjan which infects the windows file httpfilter.dll with a trojan.

There was a long ass list on how to remove it, which I thought it would be better to re format. which I did. backed up on dvd'rw's and formatted both HDD's and re installed windows and all my other bits and bobs. It it was best thing I ever did, PC runs like it should, fully protected via few programs....Brillaint start to new year

[peggle]

Not that familiar with prevx. I remember looking at it and seeing it was *very* vague as to how it actually worked. I think it monitors key system files and registry keys for changes and block attacks which change them negatively. But I was very sceptical as to its claims of zero-day protection for all new kinds of attack. I'd also be very impressed if they can truly block all buffer overflow exploits as they claimed without a massive performance hit. Microsoft spent something like a year blocking such exploits in SP2 and they still missed loads!

From what I remember prevx sends information on attacks back to their servers which they sell on. This is fine itself, but they failed to convince me how they used such information to actually protect you!

Also, unless its evloved it doesn't provide any detection or help remove any existing spyware that is installed beforehand. This means its unlikely to help people already infected.

I haven't noticed any performance hit.

It does monitor the registry. Its best to shut down Prevx when installing programs or you get swamped with alerts. Other than that there are very few false alarms. Then again I don't visit many dodgy sites.

It should help controll an already infected system by say CoolWebSearch by preventing new registry entries. So after manually deleting the ones you find it shouldn't create any more...I think!

[Obliterator]

Glad to hear your sorted! Shame you had to reinstall, but its something worth doing every now again if you can spare the time. Everything runs like lightning again - at least for a few weeks!

Also, don't be fooled into thinking alternative browsers like opera are immune - they're not. They're just exploited less! Components are so embedded these days that by using an app you could still be using IE (or other flawed components) without realising it.

In short, keep visiting windows update and install all the security fixes.
Install the latest service packs for you're OS and major apps like Office, etc.
And of course install a firewall (like ZoneAlarm) and antivirus and keep them both up to date.

[Obliterator]

Originally Posted by peggle
I haven't noticed any performance hit.

It does monitor the registry. Its best to shut down Prevx when installing programs or you get swamped with alerts. Other than that there are very few false alarms. Then again I don't visit many dodgy sites.

It should help controll an already infected system by say CoolWebSearch by preventing new registry entries. So after manually deleting the ones you find it shouldn't create any more...I think!

I'd love to know *how* they block the buffer exploits then. I figured they'd have to hook practically every system call which would bring things to a crawl, but I guess have they some other clever method then.

Certainly monitoring the registry for such attacks is a logical step - you'd think the firewalls would do this as standard. But I suppose its too difficult to avoid alarms particularly when installing new apps (as you point out).

I guess its something I may take a more detailed look at in the future but I like to understand the details behind how it works before it gets my vote!

Cheers

[peggle]

I'd love to know *how* they block the buffer exploits then. I figured they'd have to hook practically every system call which would bring things to a crawl, but I guess have they some other clever method then.

Certainly monitoring the registry for such attacks is a logical step - you'd think the firewalls would do this as standard. But I suppose its too difficult to avoid alarms particularly when installing new apps (as you point out).

I guess its something I may take a more detailed look at in the future but I like to understand the details behind how it works before it gets my vote!

Cheers

Cannot help with the way it works. Their FAQ isn't much help. h**p://www1.prevx.com/prevxhomefaqs.asp#q5

As for privacy you can always deny it Internet rights with your Firewall.

Its free and has an uninstaller so why not give it a try?

[Ktronix]

Thanks alot guys for your help so far in trying to tackle one of these Beasts . Will try tips given. Cheers. Would like to post the spec of wot my PC is like on a good day!!??!! Take a look at these shocking stat's:

TotalDiskDrives=TotalDiskDrives=4
DiskDrive0=DiskDrive0=Floppy Drive A:
DiskDrive1=DiskDrive1=HardDiskDrive C: FreeSpace: 14675 MB , TotalSpace: 19083 MB
DiskDrive2=DiskDrive2=CD-ROM Drive D:
DiskDrive3=DiskDrive3=CD-ROM Drive E:
Processor=Processor=AMD Duron(tm) Processor
SysResources=SysResources= 15% free:annoyed:
Memory=Memory=624 MB total (48% load):annoyed:
OS=OS=Windows 98 4.10 (Build 2222)
Video=Video=800 x 600 , High Color (16 bit)
Browser=Browser=Microsoft IE Build 6.0.2800.1106
Multimedia=Multimedia=CD-ROM , Sound
[NETWORK]
CPUMake=CPUMake=AMD Athlon
CPUSpeed=CPUSpeed=848
USB=USB=Detected

Don't know what these read like to everyone else but theres no doubt that mine is not well!. I know it is classed as an older version PC, but up till now she's always worked like a dream, and I'm one of those who works on the basis of "If it ain't broke don't try to fix it!!
What went wrong?? Am I dealing with a Memory or Processor problem?
Not ready for a new One yet so Upgrading at the mo' is a later option, for now it seems pointless whilst PC is in this condition.
First call must be the Trojan and any other brat that I caught up on whilst on dial-up!
Thanks for your tips on Freeware(more of these please!:thumbs ) Much appreciated.

See you back again soon.
(Ktronix)