Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#274885 - 24/01/2006 20:36 Beware of Spyware Strike
Gallagher419
journeyman

Registered: 14/12/2004
Posts: 95
Yesterday I inadvertantly d/l a Trojan called Spyware Strike which is closely related to Spyware Axe. Unfortunately for me this Trojan has just come out as of yesterday so all means of removal are not working as of yet and I have done a Google and tried just about everything known to man to get rid of this beast but it will not go away!

Top
#274886 - 24/01/2006 21:13 Re: Beware of Spyware Strike [Re: Gallagher419]
matthew_k
pooh-bah

Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
I say we take off and nuke the entire site from orbit. It's the only way to be sure.

Matthew

Top
#274887 - 24/01/2006 23:41 Re: Beware of Spyware Strike [Re: Gallagher419]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK

Top
#274888 - 26/01/2006 03:17 Re: Beware of Spyware Strike [Re: matthew_k]
gbeer
carpal tunnel

Registered: 17/12/2000
Posts: 2665
Loc: Manteca, California
Quote:
I say we take off and nuke the entire site from orbit. It's the only way to be sure.

Matthew


Affirmative
_________________________
Glenn

Top
#274889 - 28/01/2006 17:06 Re: Beware of Spyware Strike [Re: Gallagher419]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Up until early 2005, most common spyware had the same removal technique: boot in safe mode and scrub the typical spyware areas by hand. But when registry hiding and root kits became easy enough for kiddies, I'm no longer sure what is the method for spyware removal.

I think the recommended tools are regedt32 and SysInternals tools such as Rootkit Revealer. I don't even want to know what spyware is silent and invisible on the machines that I manage. Or maybe my anti-spyware (SpySweeper Enterprise) is keeping them safe... but I doubt it.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#274890 - 28/01/2006 20:12 Re: Beware of Spyware Strike [Re: FireFox31]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Quote:
I'm no longer sure what is the method for spyware removal.


Reload the OS. Removal usually takes too long, and reloding is sadly going to be faster. I have fixed two machines by booting to a BartPE disk, deleting the Windows folder, move data to a "Old" folder, then nuke every other folder/file in the root of the drive. I then boot to a Windows XP SP2 disk, install the OS, then patch it behind a router. Lastly, AVG Antivirus and Microsoft Spyware is loaded, along with Firefox. IE is set not to trust a single site except *.microsoft.com with anything beyond HTML, and icons to run it are removed.

My experiences with these last two systems though have me pretty unwilling to do any computer asisstance these days for people outside my close friends. I'm tired of the same issues on every machine, and now will just refer them to Best Buy or similar to wait a week to have their system reloaded.

Top
#274891 - 28/01/2006 23:26 Re: Beware of Spyware Strike [Re: drakino]
JBjorgen
carpal tunnel

Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I've had good luck with Ewido with some of the more insidious malware. It removed stuff that Ad-Aware and Spybot couldn't touch.
_________________________
~ John

Top
#274892 - 29/01/2006 01:22 Re: Beware of Spyware Strike [Re: Gallagher419]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
Yesterday I inadvertantly d/l a Trojan called Spyware Strike

I had an analagous experience Thursday night/Friday morning.

Peacefully browsing, my AVG went off, said virus alert, Internet Explorer shut down and wouldn't re-open until after re-boot, and then it defaulted to a bogus home page that helpfully offered me links to suppliers of virus and spyware removal tools. No doubt if I had followed those links I would have been in even worse trouble.

I ran AVG full scan, it found no viruses, but all on its own would pop up with a virus alert about the same file in Windows/Temp that no matter how many times I deleted it still came back.

I ran AdAware and SpyBot, and they very helpfully told me that I had tracking cookies which I don't care about (if someone wants to see a list of the porn sites I visit, they're welcome to it! ) but did nothing useful.

PC Magazine's website recommended very highly a program called Spyware Doctor. I spent $30 to buy it, and as near as I can tell it was money very well spent. Spyware Doctor found 51 "bad things" (this was after AdAware, Spybot, and AVG) including a list of about a dozen Trojans, a bogus toolbar to give access to the above-mentioned bogus website, and some new desktop icons to do the same. Spyware Doctor got rid of all of them, and after I set my IE home page back to Google, everything seems to be back to normal. I have noticed no anomalous behavior, and I am watching closely.

At Tony Fabris' suggestion, I downloaded and installed FireFox to run instead of IE (security is supposed to be a lot better) and so far I am quite impressed: FireFox seems to be designed by people who understand and love their product, as opposed to IE which seems to have come about by "...oh, by the way Mr Gates, we better stick something into Windows so people can see the internet."

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

Top
#274893 - 29/01/2006 08:01 Re: Beware of Spyware Strike [Re: tanstaafl.]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Okay, so now that you've got firefox, the best extensions to get are:

- Adblock, which blocks ads and popups to a greater degree than what's already built into firefox.

- The filterset.g updater for adblock.

- Plain Old Favorites, which places your IE favorites menu onto Firefox's menu bar, so that you don't have to convert all of your IE favorites over.

The extensions above are pretty much install-and-forget items. There is one other extension that I don't want to live without, but you might not care about its features, and its features are pretty complicated and pretty powerful. It's called Tab Mix Plus, and it lets you have very fine granular control over the Firefox "tabbed browsing" feature, which is a huge wonderful fantastic thing for me. It might not be your cup of tea. But if you get used to tabbed browsing, and want to control some of the features, then Tab Mix Plus is the answer. The "Undo Close Tabs" feature is worth a fortune alone.
_________________________
Tony Fabris

Top
#274894 - 29/01/2006 20:46 Re: Beware of Spyware Strike [Re: tfabris]
bonzi
pooh-bah

Registered: 13/09/1999
Posts: 2401
Loc: Croatia
Quote:
Tab Mix Plus

Ah, finally the tab tweaking extension with all the features I was looking for, and then some! Thanks, Tony.
_________________________
Dragi "Bonzi" Raos Q#5196 MkII #080000376, 18GB green MkIIa #040103247, 60GB blue

Top
#274895 - 30/01/2006 02:21 Re: Beware of Spyware Strike [Re: tfabris]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
Okay, so now that you've got firefox, the best extensions to get are:

- Adblock, which blocks ads and popups to a greater degree than what's already built into firefox.

- The filterset.g updater for adblock.

- Plain Old Favorites, which places your IE favorites menu onto Firefox's menu bar, so that you don't have to convert all of your IE favorites over.


Y'know, I've been running the Google popup blocker for about a year now, and it seems to be doing an outstanding job. I almost never see popups. Your advice about getting FireFox was so good, however, that I'll certainly give Adblock a try.

My FireFox installation did a quite acceptable job of bringing my IE favorites over. A little tweaking to put them into appropriate folders and the order I wanted, and I am quite happy with them the way they are.

As always, your advice is appreciated.

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

Top
#274896 - 30/01/2006 06:19 Re: Beware of Spyware Strike [Re: tfabris]
Robotic
pooh-bah

Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
Quote:
Okay, so now that you've got firefox, the best extensions ...

I think there's a 'best firefox extensions' thread around here, somewhere.
Ah well, I'll mention my two favorites:
FlashBlock
and
ImageZoom

I haven't tried AdBlock- I use the built-in option of blocking ad servers as I go. I want to go read more about AdBlock, though... hmm...
_________________________
10101311 (20GB- backup empeg)
10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)

Top
#274897 - 12/02/2006 18:52 Anothe Firefox advice needed [Re: tfabris]
bonzi
pooh-bah

Registered: 13/09/1999
Posts: 2401
Loc: Croatia
My FireFox seems to be quite impatient (as in a second or two) when it comes to waiting for DNS to resolve an address (my ADSL router is probably a bit lazy about that). I quite often get that page suggesting I had mistyped the URL, but clicking on "retry" sorts the things out.

So, is there a way to specify longer DNS lookup timeout?

Thanks!
_________________________
Dragi "Bonzi" Raos Q#5196 MkII #080000376, 18GB green MkIIa #040103247, 60GB blue

Top
#274898 - 12/02/2006 22:36 Re: Anothe Firefox advice needed [Re: bonzi]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
It probably has more to do with your DNS server and its timeout, unfortunately. I can't seem to find anything to support this at the moment, but I remember that if BIND times out on getting a response from a remote DNS server, it sends a response to its client that the hostname does not exist. Meanwhile, it finally receives and caches the information about the initially requested hostname, so that when you try again, it immediately sends the correct response. It might be possible to configure Firefox to ask the DNS server more times than it currently does, but I'm not aware of any such option.

Edit: Okay, I found it now. BIND 8 and earlier fail to do a "query restart" when they encounter a glueless record during a recursive lookup. That is, if they look to see the correct nameserver for your request, and the response they get for that has that nameserver's name but not IP address, then it drops the initial query and tries to look up the nameserver's IP. That means that your client has to ask again, and this is probably what you're seeing. The DNS server never responds to your initial request, so your browser has to ask again.


Edited by wfaulk (12/02/2006 23:31)
_________________________
Bitt Faulk

Top