I've been hit - real HARD.

Yep… my Univ. laptop has been hit hard with spyware… I haven’t experienced this $hit before since my home computers have a firewall and all, but I can’t install one on my Uni. Laptop (desktop standards!) - so I guess it had to happen sooner or later.

However, I’ve tried most solutions posted on various websites including our own GS Spyware help sticky thread. They all seem to work temporarily but the next time I reboot my system, it's all back to the way it was.

I’ve tried disabling Win XP Restore, and running the spychecker in Safe mode, still to no avail.

Specifically, the problem is a combo of:

  1. sspmydoom.cih warnings,
  2. a Shopping Wizard, and Search Extender program listing in my Control Panel that won’t be uninstalled, and
  3. PowerScan that keeps getting reinstalled.

If somebody has more insight into these problems, please lemme know.

Ciao.

Re: I've been hit - real HARD.

try the new MS antispyware program. i think it's more of an active protection against these things, as opposed to adaware and spybot which work after the computer has been infected.

a hijackthis log will be very helpful.

Re: I've been hit - real HARD.

UT, try rebuilding your profile on Windows. Meaning rename your profile folder which gets recreated the next time you login. Then, if you have a dedicated network login tell them to create a new one for you and then migrate over all your settings to the new account (e.g. email address, favorites folder, my documents etc). Even on home computers that's the last resort. That's why it's advisable to keep one account on your pc locked (e.g. Administrator) and not do any web browsing etc, then if something like this was to happen you just login to that account and blow away the trashed user and create another.

Re: I’ve been hit - real HARD.

Umar can you post a “Hijackthis” log here? And did you check it with the latest version of Hijackthis? It is now 1.99 I think..

get it from here:
Hijackthis
Hijackthis source 2

Re: I've been hit - real HARD.

After a certain point even HiJackThis doesn't help.

Re: I've been hit - real HARD.

It can't be that bad Tofibaba. Hijack this, or if that still doesn't help, then there is another similar tool (but it's not free) that shows a lot more info about running processes than even Hijackthis.

Re: I've been hit - real HARD.

mother of all stoppers, FIRST thing i install is popup stopper free edition and modify it.. that's my FIRST step..

then i run msconfig, and take out EVERYTHING i don't recognize.. i run control panel, add remove programs and uninstall EVERYTHING i don't recognize.. i go to Internet Options (tools, options) and i delete EVERYTHING, and then ALL OFFLINE content.

then i go into installed objects, and delete EVERYTHING.. yes.. EVERYTHING!

then in internet explorer, i select my toolbars to be: STANDARD buttons and ADDRESS bar, and then i LOCK the toolbar.. (all this found under VIEW).

the handy lil popup stopper app is basically designed for ANY new window to be opened.. it works by detecting ANYTHING that comes out from browser asking windows' system tray to open a new object (window or whatever) ... it's so powerful that once u click UPLOAD of gupshup, u have to double-click the stopper's hand first to let it open new windows.. small lil free app.. works wonders..

MOST of these steps are used cuz i don't like performance decrease after we install the firewalls/antiviruses :-) sometimes it's unavoidable cuz of the scenario and peace of mind.. but still :-)

Re: I’ve been hit - real HARD.

^^You talk like you are from Toronto!!
OOPS, you are from Toronto. hehe

If we delete everything ALL problems would be solved :bailan:

Re: I’ve been hit - real HARD.

LOL@toronto .. hey! Do troubleshooting paragraphs come with a STAMP on them? :hehe:

Re: I've been hit - real HARD.

Faizy yaar, I've tried the msconfig route...removed Programs and stuff from Control Panel etc. and have popup stopper permanently configured for all sites except a few like GS.

I've also manually removed registry entries from Run and RunOnce.

Even with all this, the solution has been temporary, and things revert back to their notorious self on next reboot and after IE launch.

I'll post a hijackthis log here once I go home tonight.

Re: I've been hit - real HARD.

orite.. view ur active processes closely too.. see if anything that's launched by the "user" (you) that u don't recognize.. try seeing where it's coming out from..

if u continuously see a SYSTEM-launched task, try tracing that too.. check your "SERVICES" and put ALL the ones that are on AUTOMATIC to "manual" .. ones u MAY use versus u DON'T use, get rid of them (disable+stop)

Re: I've been hit - real HARD.

yes please post the hijackthis log, how bad can it be

Re: I've been hit - real HARD.

Isn't it easier to just create a new user profile?

Re: I've been hit - real HARD.

bhai first thing first, a preventive step perhaps. Tighten the security to max on IE. Block/disable everything in the Advanced tab.

Install Firefox or Maxthon, make them ur default browser and enjoy the ride. For the last 5 months, I have not seen a single spyware or adware or any parasite of the like. I do have full versions of Adware, Spybot and Norton Antivirus installed and they are scheduled to update every week. My system flies like a rocket, even though it's a six-year-old PIII 450 MHz only with 256 DDR RAM on a 100 MHz FSB. I compare it with my work laptop which is a ginnie P4 3.2 GHz with 1GB RAM. I don't see any big difference at all.

Before August, I was using IE, and had some 430 invisible (not detected by Task Manager or RegAnalyzer) spyware and leechers, eating the CPU and memory. My system was like an XT machine. Got frustrated, performed a backup of my own and known data and formatted it. Since that day not using IE and living in peace so far.

Re: I've been hit - real HARD.

try starting in 'safe mode' and sweep everything with some sweeper :D

Re: I've been hit - real HARD.

umar talib: i had the same problem.. i had to delete my internet explorer and go through each folder manually on my HD and search for files in safe mode and delete em... then reboot computer and it should help! Do install mozilla, it works like a charm! :)
Can u also post some of the file names of spywares which are causing this problem?

Re: I've been hit - real HARD.

thanks for the tips guys... unfortunately everything that's been mentioned in this thread and the spyware help thread is pretty much a standard, and I followed all the steps that I could think of.

The good news is that I have managed to undo the damage manually... it took about 3 - 4 hours but it's done. I basically looked for anything new that had been installed on my computer in the last week and reverse engineered some of the .exe files to see what was going on. I must say the spyware/malware developers have actually gone to great lengths to make sure the problem never gets permanently removed by sweepers. The problem replicates itself using Win XP system restore features and some system level dlls.

I had to remove around 70 odd .exe, .dll and .dat files from the windows and the windows\system32 folders.

Here's the full procedure that I followed. I noted all the steps to post this as a how-to in the spyware help thread which I will shortly.

Enjoy: :)

Re: I've been hit - real HARD.

The following How-To guide elaborates the steps that can be followed (at your own risk) to get rid of spyware/malware that cannot be permanently removed by spyware sweeper programs.

I tried the following spyware removal applications without any luck:
spybot, lavasoft adaware, enigma software spyhunter.

All of the above successfully remove the “parasites” but a lot of the spyware replicates itself even after the infected files / registry keys / cookies are removed.

This procedure is especially useful for Home Search Assistant (HSA), Search Extender, Shopping Wizard and YourSiteBar. Even though you will see these entries in your Control Panel Add/Remove programs, you will probably be unable to remove them directly.

So here’s what you should do (again, at your own risk):

1. Disable the System Restore option in Win XP (can be configured under System option in the Control Panel)

2. Open the Windows Task Manager (ctrl+alt+delete) and from the processes tab in Task Manager, arrange processes by UserName and for those processes that are running under your name, kill any that look suspicious. Most of the time, the process names themselves sound eerie (with 5 random letter names).

3. From the start menu, use the run prompt to invoke “services.msc” and disable the “Network Security Service” (use the properties menu). This is the main culprit that helps spyware in replicating the files.

4. Use Windows Explorer to go to c:\windows and arrange files by “Date Created” (enable through the view menu and select choose details). For the latest files in your list, delete all files with random 5 letter names that have an exe, dll or dat file extension. A good way to check if you’re deleting an authentic file is to move your mouse over the filename and see if it has a tooltip description from a vendor.

5. Repeat step 3 for the c:\windows\system32 folder.

Steps 4 and 5 are cumbersome, but make sure you’re thorough. There may also be some recently created bat files. You can open these up in notepad to see if they invoke a spyware routine. Delete these as well.

6. Delete all the temporary files from **C:\windows\temp** and also from your windows profile, usually under the following folders:

C:\Documents and Settings\{your username}\Local Settings\Temp

and

C:\Documents and Settings\{your username}\Local Settings\Temporary Internet Files

7. If you have a folder called C:\windows\prefetch, completely remove it!

8. Run hijackthis and get rid of all the BHO (Bad Home Page) entries and any other references you can pinpoint as malicious.

9. Run regedit and search for some of the spyware names e.g. 'assistent' for home search assistant (HSA) and delete all the values/folders associated with them. Most importantly, delete those folders from HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall that are associated with the spyware names e.g. HSA, SW, SE and YourSiteBar.

10. Empty your Recycle Bin, turn off your system and start in Safe Mode. Run any spyware removal and antivirus programs that you have.

11. Reboot in Normal mode and you should be ok! (hopefully).
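As an added example that is not part of the thread or the how-to above: a read-only inventory script covering the places the procedure works through by hand (Run/RunOnce keys, Browser Helper Objects, and services set to Automatic), printing each entry's binary and the vendor name from its version resource, which is the same information the Explorer tooltip in step 4 shows. It assumes Windows PowerShell running with administrator rights; it changes nothing, so the list can be reviewed before any file or key is deleted.

```powershell
# Added example, not from the thread; assumes Windows PowerShell run as administrator.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as  "C:\x\foo.exe" /arg
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $cmd.Trim()
}

# CompanyName from the version resource (the vendor shown in the Explorer tooltip);
# a short random file name with no version info is what steps 4 and 5 single out
function Get-Vendor([string]$path) {
    $p = [Environment]::ExpandEnvironmentVariables($path)
    if (-not $p -or -not (Test-Path -LiteralPath $p)) { return '<missing>' }
    $v = (Get-Item -LiteralPath $p).VersionInfo.CompanyName
    if ($v) { return $v } else { return '<no version info>' }
}

Write-Output '== Run / RunOnce entries =='
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    foreach ($e in $props) {
        $exe = Get-ExePath $e.Value
        '{0}\{1} -> {2} [{3}]' -f $k, $e.Name, $exe, (Get-Vendor $exe)
    }
}

Write-Output '== Browser Helper Objects (BHO) =='
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '' }
        '{0} -> {1} [{2}]' -f $clsid, $dll, (Get-Vendor $dll)
    }
}

Write-Output '== Automatic services whose binary is not from Microsoft =='
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $exe = Get-ExePath $_.PathName
    $vendor = Get-Vendor $exe
    if ($vendor -notmatch 'Microsoft') { '{0} ({1}) -> {2} [{3}]' -f $_.Name, $_.DisplayName, $exe, $vendor }
}
```

Entries marked `<missing>` or `<no version info>` are the ones to check against step 4's naming heuristic before deciding what to remove.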

Re: I've been hit - real HARD.

guys... if you have any clarifications / questions / comments on the procedure I've posted above, please let me know. I'll refine the wording etc. before posting it on the Spyware Help sticky.

I'll wait for comments until tomorrow.

Re: I've been hit - real HARD.

1. backup data
2. format all hdd's
3. reinstall operating system
4. restore data