god damn spyware

Discussion in 'Windows Desktop Systems' started by lancer, May 16, 2005.

  1. lancer

    lancer There is no answer! Political User Folding Team

    Messages:
    3,093
    Location:
    FL, USA
    Please read and be astonished. I just formatted and reinstalled XP Pro at work, and within 5 minutes my computer was ransacked by spyware. I updated it fully (SP2 etc.), then installed Norton antivirus. Then I downloaded both MS AntiSpyware and Spybot and ran both, and they found about 50 instances between them. Now there are a few sons-a-bi'atches still clinging on; does anyone have any suggestions about which programs to use to get all the spyware out? Oh, and yes, it was MS Internet Explorer's fault, as I opened it for the updates. Now I'm using Firefox again.

    Please help, I'm on my 5th scan and it's still finding the buggers. :cry:
     
  2. VenomXt

    VenomXt Blame me for the RAZR's Folding Team

    Messages:
    3,453
    Location:
    Houston, Texas
    Did you do a zero-out format?
     
  3. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
    You should run the Spybot resident to have real-time protection against spyware.

    If you want to post a HijackThis log, there are some people here that will try to help you clean the computer.

    As far as what happened being IE's fault, I don't think this happens while getting updates.
     
  4. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT
    I don't see how you can get spyware within 5 minutes after reformatting. Are you sure you formatted it?
     
  5. VenomXt

    VenomXt Blame me for the RAZR's Folding Team

    Messages:
    3,453
    Location:
    Houston, Texas
    That's why I asked if he zeroed the drive out, or just used a quick format. I have seen weird things happen with a quick format (i.e. files that shouldn't be there show up). And how many drives do you have? Any chance you installed something to another drive laced with spyware?
     
  6. muzikool

    muzikool Act your wage. Political User

    Hard to believe that spyware could even hold on with a quick format.

    There has to be something you're doing to have that junk showing up after 5 minutes. It's not like you plug a network cable in and all the bugs on the internet run straight toward you! :p In all my reformat/reinstalls, I never plugged into the network before loading my antivirus, firewall and spyware programs. I always kept those installers available on a disk so that I wouldn't have to get online to download them first.
     
  7. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT
    Both a quick format and a non-quick format will erase all files on the drive. The only difference is whether or not the hard disk will be scanned for bad sectors.
     
  8. _kC_

    _kC_ Moderator

    Messages:
    514
  9. lancer

    lancer There is no answer! Political User Folding Team

    Messages:
    3,093
    Location:
    FL, USA
    Yeah, I know all this, that's why it's so strange. The spyware attached itself when I went onto MSN, not during the updates, just to clarify.

    I did a full format, so there's no chance old stuff could have stayed. Here's a HijackThis log.
     

    Attached Files:

  10. muzikool

    muzikool Act your wage. Political User

  11. lancer

    lancer There is no answer! Political User Folding Team

    Messages:
    3,093
    Location:
    FL, USA
    hahaha, but nooo :) try again :)
     
  12. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    I'm not sure yet, but this may be what cruised in:

    http://securityresponse.symantec.com/avcenter/venc/data/adware.elitebar.html

    Fix these:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = //searchmiracle.com/sp.php
    F2 - REG: system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [tF4f3nS] pifupapi.exe
    O4 - HKLM\..\Run: [xchgil] c:\windows\system32\otgbctq.exe
    O4 - HKCU\..\Run: [covpRhe3W] penecsnp.exe

    Oh, and do this in Safe Mode. Then run Ad-Aware, AntiSpyware, and Spybot in Safe Mode.
     
    Last edited: May 16, 2005
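    A small triage script for the HijackThis entry types Mastershakes lists above (R1 search hijack, F2 shell hijack, O4 autoruns), added here as an illustration and not something posted in the thread. It runs over a constructed sample log that reproduces those five lines plus one made-up benign autorun, so it works offline. The "generated-looking name" heuristic and the trusted-search-hosts allowlist are my own assumptions, not HijackThis rules; the one check that is not heuristic is the F2 one, since the Shell value should be exactly Explorer.exe and anything appended to it is launched at every logon.

```python
"""Triage HijackThis-style log lines (R1 / F2 / O4) for the hijacks seen in this thread.

Constructed example, not part of the original thread. The sample log below is
built inline; the random-name heuristic and the allowlist are assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List
from urllib.parse import urlsplit

# Constructed sample: the five entries quoted in the thread plus one made-up
# benign autorun (SoundTray) that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = //searchmiracle.com/sp.php
F2 - REG: system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [tF4f3nS] pifupapi.exe
O4 - HKLM\..\Run: [xchgil] c:\windows\system32\otgbctq.exe
O4 - HKCU\..\Run: [covpRhe3W] penecsnp.exe
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files\Audio\soundtray.exe"
"""

R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>\w+) = (?P<url>\S+)$")
F2_RE = re.compile(r"^F2 - REG: system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    section: str   # R1 / F2 / O4
    line: str      # the offending log line
    reason: str    # why it was flagged


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a HijackThis rule): a value name or file
    name with almost no vowels, or with digits jumbled between letters,
    resembles the generated names used by the O4 entries in the thread."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name)          # drop extension
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    mixed_digits = bool(re.search(r"[A-Za-z]\d|\d[A-Za-z]", stem))
    return vowel_ratio < 0.2 or mixed_digits


def first_token(command: str) -> str:
    """Return the executable part of a Run-key command, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log: str, trusted_search_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            # The Shell value should be exactly Explorer.exe; any extra token
            # is a program started with the shell at every logon.
            extra = [p for p in m["shell"].split() if p.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("F2", line, "shell also launches " + " ".join(extra)))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m["cmd"])
            base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
            reasons = []
            if "\\" not in exe:
                reasons.append("no directory: resolved via PATH lookup")
            if looks_random(m["name"]) or looks_random(base):
                reasons.append("generated-looking name")
            if reasons:
                findings.append(Finding("O4", line, "; ".join(reasons)))
            continue
        m = R1_RE.match(line)
        if m and m["value"] == "SearchURL":
            # Scheme-less "//host/path" still yields a netloc via urlsplit.
            host = urlsplit(m["url"]).netloc or m["url"].split("/")[0]
            if host.lower() not in trusted_search_hosts:
                findings.append(Finding("R1", line, "search redirected to " + host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Running it on the sample flags the R1 redirect, the F2 shell hijack (naming Nail.exe as the extra program) and the three O4 entries, while the constructed SoundTray line passes. The heuristic would miss a dropper that picked a pronounceable name and a full path, so treat it as a way to sort a long log, not as a verdict.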
  13. muzikool

    muzikool Act your wage. Political User

    Nail.exe is a bad one. It adds randomly generated files into the Prefetch folder. Not easy to get rid of the traditional way.
     
  14. zeke_mo

    zeke_mo (value not set) Staff Member Political User Folding Team

    Messages:
    1,984
    Location:
    Placerville, CA
    If you downloaded a key thingy for Norton, sometimes they come with something called crack.exe... when you open it you will have 50+ spyware files to deal with. It's worth it to format again.
     
  15. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Disable prefetch. Done. Am I wrong, Muzi? I could be... ;)

    From a command prompt: del c:\windows\prefetch\*.* /q
    then head into regedit:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

    Change the value of EnablePrefetcher to 0

    Possible settings:

    0—Disable
    1—Application Launch Prefetch
    2—Boot Prefetch
    3—Prefetch everything
     
  16. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
    Then he'd be left without prefetch... and whatever was putting data in prefetch would still be on the box.
     
    Last edited: May 16, 2005
  17. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Temporarily, for sure. I don't think it's enabled in Safe Mode anyway. Once it's all cleaned out, just re-enable it in the registry.

    If you have less than 512 MB of RAM, leave her disabled.
     
  18. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
    I think whatever is entering data into prefetch would still be active when he turned it back on.
     
  19. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Exactly, Perris. So we would only re-enable it once she's cleaned.
     
  20. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
    Ah... I'm at work skimming and I missed that part of your post. Good job.