Evil Spyware problem

by Chris Bertram on October 15, 2004

I’m plagued by an evil SpyWare problem at the moment, which neither SpyBot S&D nor AdAware detects. (Norton AV also says I’m virus free.) The problem is an occasional launch of an Internet Explorer window, linking to this site or that site. Perhaps installing XP SP2 would solve this, but my last attempt just hung my system mid-install (and I needed to do a lot to recover). I’m tempted just to rename the IE exe file so that the program won’t run, but since evil Microsoft may have programmed in all kinds of subterranean connections between the browser and the OS, I’m wary of doing so. Any advice? (Advice of the form “You should buy a Mac” will not improve my immediate situation or mood.)

{ 51 comments }

1

Greg 10.15.04 at 9:49 am

Hijack This! is useful for tracking problems of this sort. You’ll have to trawl through your registry and such to make sure though.

Also, it can be worthwhile running your program manager to see what exactly is causing your system to be hijacked.

That’s my experience anyway.

2

philip 10.15.04 at 10:15 am

Maybe a Mozilla browser would work. Seems worth a try.

3

Chris Bertram 10.15.04 at 10:21 am

Thanks Philip, but I always use Mozilla Firefox anyway — it isn’t me that’s opening the IE window, it is whatever’s hijacked the system.

And thanks Greg, but no suspicious process shows up in Program Manager (just iexplore.exe when whatever launches it launches it). I’ll try Hijack This!

4

Mike Hoye 10.15.04 at 10:24 am

The ANSI Standard Windows Fix: Download SP2 locally. After determining the name of the program that’s doing the dirty work (typically with control-alt-delete -> task manager and a little experience knowing what should be running and what shouldn’t) reboot, hit f8 when the computer passes the BIOS part of things, and pick “safe mode”.

In safe mode, start-> run-> regedit. Look in the following places:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

for the name of the offending program. Remove those registry keys, and locate and delete the offending program. You may need to change your options under “view” in your file browser to show hidden files.

Unplug your network cable and reboot. Install SP2, reboot. Plug network cable back in, Windows Update, reboot.

Good luck.
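
Mike Hoye’s Run-key check and Greg’s HijackThis suggestion can be combined: HijackThis writes each registry autostart entry as an O4 line and each browser helper object as an O2 line, and a short script can screen a log of that shape for the things a reviewer looks for first. The Python below is an added example and is not code from this thread or from HijackThis; SAMPLE_LOG is constructed, and its paths, CLSIDs and program names are made up for illustration. It flags autostart entries whose executable lives outside the Windows and Program Files trees, file names that are one edit (including a swapped pair of letters) away from a Windows system binary or contain one, and BHOs registered without a name.

```python
"""Triage of HijackThis-style log lines (O4 registry autostart entries and
O2 browser helper objects), as an added example; not code from the thread
or from HijackThis. SAMPLE_LOG is constructed: paths, CLSIDs and program
names in it are made up for illustration."""
import re

# Windows binaries that malware imitates with a one-letter change.
SYSTEM_EXES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe")

# Autostart images under these trees are usually (not always) legitimate.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# O4 - HKLM\..\Run: [Display name] C:\path\program.exe /args
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O2 - BHO: Display name - {CLSID} - C:\path\helper.dll
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def image_path(cmd):
    """Executable part of a command line: up to the closing quote if quoted,
    else up to the first token ending in .exe (unquoted paths may have spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def osa_distance(a, b):
    """Levenshtein distance with an adjacent transposition counted as one
    edit, so 'scvhost' is one edit away from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(filename):
    """The system binary this file name imitates, or None for a genuine name."""
    base = filename.lower()
    if base in SYSTEM_EXES:
        return None
    for real in SYSTEM_EXES:
        if osa_distance(base, real) == 1 or real[:-4] in base:
            return real
    return None


def is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text):
    """Return [(image, reason), ...] for the lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe = image_path(m.group("cmd"))
            if not is_trusted(exe):
                findings.append((exe, "autostart from outside Windows/Program Files"))
            real = lookalike_of(exe.rsplit("\\", 1)[-1])
            if real:
                findings.append((exe, "file name imitates " + real))
            continue
        m = O2_RE.match(line.strip())
        if m:
            if m.group("name") == "(no name)":
                findings.append((m.group("path"), "BHO registered without a name"))
            if not is_trusted(m.group("path")):
                findings.append((m.group("path"), "BHO outside Windows/Program Files"))
    return findings


# Constructed sample log: two benign entries, a nameless BHO, a lookalike of
# svchost.exe, and a random-named program running from a temp directory.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\hlpobj32.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\user\Local Settings\Temp\dfsdfwer.exe" /silent
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for image, reason in triage(text):
        print(reason + ": " + image)
```

Run it with a saved HijackThis log as the first argument; with no argument it screens the constructed sample. The path and name heuristics are a starting point for the Google check teep describes later in the thread, not a verdict: a program in the Windows tree can still be malicious, and plenty of legitimate installers drop autostart entries in the user profile.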

5

philip 10.15.04 at 10:26 am

Maybe Mozilla would work. Seems worth a try. In case you don’t know what Mozilla is, it’s a competing browser. Free and very familiar.

6

Matthew 10.15.04 at 10:29 am

I had a similar problem — the only thing that worked was Hijack this as Greg says.

It looks a bit daunting as ‘fix’ just means ‘delete’. But if you go through it with this guide it’s quite simple

http://forums.majorgeeks.com/showthread.php?t=38752

8

philip 10.15.04 at 10:33 am

Sorry about posting twice but I’m having my own problems with my browser and ISP.

9

philip 10.15.04 at 10:43 am

Sorry about posting twice but I’m having my own problems with my browser and ISP.

Now I understand. IE just loads by itself. Once it opens, does your computer start sending signals? Mine did that. Drove me crazy. It just kept uploading, or so it appeared. I think it was most likely some kind of denial of service trojan. Norton told me everything was fine. I tried everything I could think of. Consulted people who get paid for their computer advice. In the end I ended up having to reformat my HD and start again. Then a month later it all started again. Here’s what ended up fixing it. Through PC Magazine I found an anti-virus manufacturer’s website that checked for viruses for free, from their website. Within a minute or two it found a virus that Norton had missed several times. I can’t remember if it cleaned it up itself or if it advised a software update, but the problem was gone and hasn’t come back. I tried to buy the anti-virus program but they don’t sell to individuals. If I remember right, just to companies. I’d love to tell you what the site was but the computer is in my son’s room and he’s asleep.

I highly advise trying other anti-virus software. Norton did not work for me.

– Philip

10

Philip 10.15.04 at 10:48 am

Jesus Christ!! I apologize for posting my message so many times. No one should take computer advice from a dunce like me, but I’ll say it again. Norton missed the virus that was making my life a living hell.

11

aracne 10.15.04 at 10:50 am

From what I understood, you have already searched through Task Manager, but maybe you need to make sure all the processes are needed (and not only look for suspicious ones).

When I had to fix something like this, I restarted the computer and, opening only the browser, googled all the names. Sometimes spyware hides with the same process name as a graphics driver you don’t have or something similar. With this method, I have solved all the problems in my friends’ computers, but I have heard that sometimes the processes have found a way to escape being listed.

Hijack this is better but is not that easy to use.

Good luck!

12

dhartung 10.15.04 at 11:25 am

Safe mode. Safe mode. Safe mode.

Many Trojans can disguise themselves or hide entirely from Task Manager. You should note what tasks are running, anyway, and check it against the tasks running in safe mode — then double-check all those files. (Sort of a manual version of what HijackThis does.) Look especially for a SCVHOST file — the real name is SVCHOST. Having this is a sign of infection by an Agobot variant, of which there are many. Check for modifications to your HOSTS file, while you’re at it — some of these actually block the IPs for Norton and other virus program mfrs.
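
dhartung’s HOSTS-file check is worth doing with a script rather than by eye: a hijacked HOSTS file can carry dozens of lines, and tabs, trailing comments and several hostnames on one line make it easy to misread. The Python below is an added example and not code from this thread; SAMPLE_HOSTS is constructed, the addresses in it come from a documentation range, and SECURITY_SITES is an illustrative list of vendor and update domains, not a complete one. It separates three cases: a security vendor or Windows Update host pointed anywhere at all (the update-blocking trick described above), any other host pointed at a public address (silent redirection to a site the attacker controls), and hosts blackholed to 127.0.0.1 or 0.0.0.0, which may be deliberate ad blocking but is still listed for review.

```python
"""Audit a Windows HOSTS file (%SystemRoot%\\system32\\drivers\\etc\\hosts)
for entries that block security sites or redirect other sites, as an added
example; not code from the thread. SAMPLE_HOSTS is constructed and
SECURITY_SITES is illustrative, not exhaustive."""
import ipaddress

# Vendor and update hosts that spyware blackholes so the victim cannot fetch
# signatures or removal tools (illustrative; extend it for your own tools).
SECURITY_SITES = (
    "symantec.com", "symantecliveupdate.com", "norton.com", "mcafee.com",
    "trendmicro.com", "sophos.com", "grisoft.com", "avast.com", "kaspersky.com",
    "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
)


def parse_hosts(text):
    """Yield (address, hostname) pairs; tolerates comments, tabs, blank lines
    and several hostnames on one line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower()


def is_security_site(host):
    return any(host == s or host.endswith("." + s) for s in SECURITY_SITES)


def audit_hosts(text):
    """Return [(hostname, address, verdict), ...] for every mapping other
    than the default localhost line."""
    findings = []
    for addr_text, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((host, addr_text, "unparseable address"))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        if host == "localhost" and blackholed:
            continue  # the only line a default Windows XP hosts file carries
        if is_security_site(host):
            verdict = "security site " + ("blackholed" if blackholed else "redirected to " + addr_text)
        elif blackholed:
            verdict = "blackholed (may be deliberate ad blocking)"
        else:
            verdict = "redirected to " + addr_text
        findings.append((host, addr_text, verdict))
    return findings


# Constructed sample: the default entry plus the kind of additions spyware
# makes. 203.0.113.0/24 is a documentation range, not a real attacker address.
SAMPLE_HOSTS = """\
# default entry
127.0.0.1       localhost
127.0.0.1   www.symantec.com securityresponse.symantec.com   # added later
127.0.0.1\tliveupdate.symantecliveupdate.com
0.0.0.0     update.microsoft.com windowsupdate.microsoft.com
203.0.113.7 www.google.com
127.0.0.1   ad.doubleclick.net
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for host, addr, verdict in audit_hosts(text):
        print("%-45s %-15s %s" % (host, addr, verdict))
```

Point it at the real file (on XP, C:\WINDOWS\system32\drivers\etc\hosts) as the first argument; with no argument it audits the constructed sample. If the file is not writable or reverts after you fix it, a running process is maintaining it, which is itself a useful lead for the Task Manager and safe-mode comparison described above.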

13

Henry 10.15.04 at 11:29 am

http://www.spywareinfo.com is also a good reference site. You can download HijackThis and other tools here. Also an online spyware detection tool.

14

Andrew Brown 10.15.04 at 12:00 pm

For future prevention, it’s worth getting hold of a little thing called “Startup control panel” by Mike Lin, which keeps a record of everything started from a registry key. This not only lets you see what’s there now much more easily than by manual fiddling; it also warns you whenever these entries are changed, and lets you stop the proposed changes.

Kerio Personal Firewall (free to private users) does the same thing.

15

teep 10.15.04 at 12:57 pm

I’ll vote for HijackThis, and the linked tutorial is pretty good. If you have a HJT entry that you don’t know what is, try google… if you can pull up three or four links (don’t always trust the first one) claiming it’s badstuff, it probably is.

Also, AVG Antivirus has a pretty decent free version if you’re willing to jump through some not-terribly-difficult hoops, and it’s more polite and obedient than most others I’ve tried.

You really should not *need* to pay for anything to clean this up. Ad-Aware, Spybot S&D, Hijackthis, AVG — all are free, good tools for addressing this sort of thing. And, since I’ve seen people do this (I work in tech support), please DO NOT buy a spyware ‘cleaner’ that advertises itself via pop-up ads.

16

tim 10.15.04 at 1:01 pm

Install ZoneAlarm and, since you aren’t using IE as your browser, prohibit IE from access to the net. Doesn’t remove the spyware, but prevents it from acting, and keeps the IE code handy, so Windows doesn’t punish you for removing it.

17

jet 10.15.04 at 1:25 pm

This has nothing to do with spyware, but this is about as technical an article as I’ve seen on here, so I thought I’d post this.
There appears to be a common problem of multiple posts on this site. Putting a tiny amount of JavaScript in your template could solve this problem.

Here’s a link to some fairly simple code that can be pared down or used as is:
http://willmaster.com/possibilities/demo/DoubleClickTrapper/DoubleClickTrapper.html

18

Matt McGrattan 10.15.04 at 1:27 pm

It’s also worth being aware that some of these apparent pieces of Spyware are in fact trojans and while the only apparent symptom is unwanted pop-up windows they can leave your computer vulnerable to an attack.

Things like these, for example:
http://www.sophos.com/virusinfo/analyses/w32rbotlb.html

Mike Hoye’s instructions for removing them, above, are excellent.

19

sPh 10.15.04 at 1:30 pm

In the end, I think you will have to reformat and reinstall. When a spyware infection gets that deep into a Windows system you can never be sure that it is fully eradicated.

After reinstalling, do not connect your system to the Internet until you are behind a hardware firewall (D-Link is fine for home) AND have ZoneAlarm installed and anti-virus installed. Then IMMEDIATELY download and install all Windows updates. Finally download Mozilla and use that for everything except Windows Update.

BTW, Bill Gates said in an interview yesterday that the security holes in IE are not Microsoft’s fault – it is the stupid users who install the spyware.

sPh

20

joejoejoe 10.15.04 at 1:34 pm

The Microsoft SP2 download is massive and I had the same problems with hangups. You can order the CD free from Microsoft…it came in about 1 week for me.

22

Sam 10.15.04 at 1:42 pm

Mike Hoye’s advice is good, but with one BIG caveat. Manually editing registries is dangerous; it is very possibly what you need to do in this case, but do it wrong and your computer will become unusable, and the only thing that will fix it will be to reinstall Windows.

Before manually editing registries, BACK everything UP thoroughly. Make a list of all the programs you use, and make sure you have installation disks for them (or know where to download them). Save all your data to CD’s or some other off-disk storage mechanism. Then, and only then, follow Mike Hoye’s instructions.

23

cw 10.15.04 at 2:47 pm

What a lot of rigmarole. Are you SURE you don’t want to get a Mac?

24

red 10.15.04 at 2:49 pm

Warning about SP2 — two people I know say it caused their computers to no longer recognize video projectors. I think they were using Dell projectors and ThinkPad laptops that worked fine together before the SP2 install.

25

Doug 10.15.04 at 3:37 pm

cw, if they all get Macs, then we’ll have this sort of problem too. let’s keep quiet, ok?

26

SJDoss 10.15.04 at 4:01 pm

Been there, done all that. SpyBot, Hijack This, Ad-Aware.

The best course of action is to pony up the $40 and buy yourself a copy of Pest Patrol.

27

Jason 10.15.04 at 4:15 pm

Here is a government sys-admin site I had bookmarked. If you’re going to start to do these things manually, it’s a good place to start.

http://www.governmentsecurity.org/articles/Placesthatvirusesandtrojanshideonstartup.php

I’m at Stanford, and they have some pretty good software downloads (in addition to Norton’s) that check for all sorts of vulnerabilities. Have you asked your department’s sys-admin what to do?

28

Alex 10.15.04 at 4:57 pm

easy:

Install Mozilla (which you’ve done)

Uninstall Internet Explorer

29

Ruben R. Puentedura 10.15.04 at 5:16 pm

The website for virus checking that Philip mentioned earlier is run by Trend Micro, and is at:
http://housecall.trendmicro.com/

I would _strongly_ recommend installing SP2 – there are definitely some compatibility and performance problems with it, but overall it improves Windows security measurably.

30

BJC 10.15.04 at 5:20 pm

Winpatrol is a useful tool. It enables you to check what kind of software/spyware is automatically loaded when you boot your computer.
(and you can switch)

31

Ragout 10.15.04 at 5:37 pm

From Spybot S&D, check which Browser Helper Objects are installed. This isn’t part of the automatic scan. If you see one that’s unfamiliar, tell Spybot S&D to delete it. This worked for me recently.

32

scott 10.15.04 at 5:57 pm

I’m a Mac person, but I have heard several times on a computer radio program I listen to in LA that Spysweeper is really great. It costs about $30 and is available from
http://www.webroot.com/

Good luck.

33

Joe O 10.15.04 at 6:16 pm

Try an anti-virus program. I had a spyware issue that none of the free anti-spyware programs could get rid of. AVG anti-virus got rid of my problem. AVG anti-virus is free to individuals.

I also second the vote for SP2.

34

Publiua 10.15.04 at 6:19 pm

I know this is a facile, dismissive, overly-simplistic answer, but, I’m sorry, it is my answer:

Screw Windoze and install http://linspire.com or http://xandros.com

You will then have full control over your system, and avoid 99% of viruses, spyware, bots, etc.

There is a time-investment for data conversion, but if you add up the time you spend fighting viruses, it’s probably easier even in the short run to wipe out Windoze and convert over.

35

dsquared 10.15.04 at 6:40 pm

If you’ve got Windows XP then “System Restore” does the trick for me.

36

Jack Lecou 10.15.04 at 6:49 pm

Grisoft’s AVG is good. I believe the free for personal use version is the older 6.0, whereas the commercial one is 7.0 — though presumably the signatures are more or less up to date in either case.

Lately I’ve been pointing people at ClamWin (clamwin.net), which is entirely free software and works very well.

Publiua is right though, the ultimate solution is obvious (FWIW, my vote is for http://debian.org, though I suppose it’s not for beginners).

37

Randolph Fritz 10.15.04 at 7:12 pm

Hire an expert.

38

Chris 10.15.04 at 7:17 pm

Avast! anti-virus software is pretty powerful and free for private users. It caught several bugs on mine that Spybot S&D passed by.

39

Shai 10.15.04 at 7:26 pm

Removing stuff from Run in the registry won’t damage your computer (it will merely stop the programs you remove from starting with Windows). Anyway, bring up the process list (ctrl-alt-delete -> processes), then look for suspicious exe files, especially ones with names like dfsdfwer.exe; for ones with more regular names you can search Google and maybe find how to remove it.

If not, it might be hidden in a DLL somewhere. I used Security Task Manager to identify and delete spyware hidden in a DLL that Norton, Ad-Aware and Spybot didn’t find.

If you get really desperate you can try McAfee anti-virus or the Trend Micro online virus scan. Sometimes one can detect what the other can’t, especially when the virus/spyware isn’t widespread or dangerous.

40

SHai 10.15.04 at 7:28 pm

But about installing SP2, I’d wait until the spyware is removed; e.g. see this story.

41

dan 10.15.04 at 9:57 pm

I had this same problem. I solved it by activating Windows XP’s own firewall. I also have separate firewall and virus detection software which did not do the job. To start XP’s firewall, go to Control Panel, then Network and Internet Connections, click on Network Connections, right-click on the icon for your internet connection, click on Properties, go to the Advanced tab, check the box, and that’s it. I hope I explained this clearly.

42

terry 10.15.04 at 10:18 pm

Go to aumha.com, which has forums where people who know what they’re doing will examine your HijackThis logs and walk you through what to delete.

43

Jonathan Goldberg 10.15.04 at 10:48 pm

NB: if you take any of the suggestions involving editing the registry, BACK UP THE REGISTRY FIRST. It’s not hard to do; Microsoft’s site has instructions. The grief it could save you is enormous.

44

Phill 10.16.04 at 5:40 am

Yikes, sounds like it’s just adware, but we have been seeing a new type of spyware called theftware, which watches what you do and uses the information gained to either steal from you or to take out loans in your name. I am not kidding.

Renaming the IE executable should not have terrible consequences. It is only a thin layer over a large amount of library code. What Microsoft thinks of as IE is the linked libraries, not the executable.

45

Adi 10.16.04 at 9:36 am

This isn’t as far gone as regediting, but it should help a little anyway, if just to increase bootup time.

go to start->run->msconfig

choose selective startup, then click on the startup tab. uncheck everything that is not located in c:\windows\[whatever]

things like qttask and ituneshelper and winamp agent are the things i find in this area.

also doublecheck that whatever is actually IN the windows directory is something you want upon booting up.

hope this helps

47

Adi 10.16.04 at 9:39 am

Erm, I forgot to mention that AFAIK this is a Windows XP fix, not so sure about 2k or previous versions of the unwashed OS.

48

Mike 10.16.04 at 8:05 pm

You’ve gotten some good advice. Top three suggestions: 1) Use Hijack This — a great program that helped me when I had a similar problem; 2) Use ZoneAlarm — another great free program — to turn off IE’s access to the Net. This is an excellent plan; 3) Install SP2. It works, it has great pop-up protection, but use Hijack This first in case whatever-it-is tries to defend itself by screwing with your SP2 install.

49

bryan 10.17.04 at 12:20 am

what do these pop-ups look like, where do they direct you, anything distinguishing about them whatsoever?

50

gee jay 10.17.04 at 1:07 pm

Sounds to me like you may have Active Desktop turned on. If IE isn’t running and popups still occur, then that is the problem. I know it sounds hard to believe, but simply turning AD off will stop this.

51

Chris Bertram 10.17.04 at 9:55 pm

Thanks everyone. I’m now happily popup and spyware free, and have installed SP2. HijackThis made the difference as well as blocking a list of sites using IE-Spyad (from the spywareinfo site).

Comments on this entry are closed.