
PC problems (spyware)

Started by axel, June 27, 2004, 02:23:53 PM


axel

After returning from my holidays I now find my PC has been infected by spyware. (OK, I was lonely, I clicked on some porno site!)

Every time I clicked on the net it opened up lots more screens advertising 'adult' films. After using Spybot: Search and Destroy this got rid of the problem. Unfortunately my Internet link is running extremely slowly, or just refuses to work.

After checking the system again, Spybot tells me there are two remaining problems. It seems incapable of dealing with them.

1) Data Source Object Exploit (in HKEY_USERS), a registry change
2) CoolWWWSearch bookmark in my IE browser (WEEKEND FREE MOVIES)

Does anyone know any software/tips to get rid of these things permanently?

I promise to stop being a sad wanker if anyone can help

Incredible Monkey Doctor

Quote from: "axel"
1) Data Source Object Exploit (in HKEY_USERS), a registry change
2) CoolWWWSearch bookmark in my IE browser (WEEKEND FREE MOVIES)

AFAIK, the DSO exploit is a problem with IE and can't be fixed, but you also don't need to worry about it.

CoolWWWSearch is likely what's eating bandwidth & PC power, and can only be destroyed by a program called CWShredder (I've had to use it, it's safe) - google for it.

axel

Cheers IMD, I've tried using CWShredder though. It gets rid of the CoolWWWSearch bookmark, but then after a while the bookmark returns. Anyone have anything else I could use? Cheers.

Do you turn off 'System Restore' before cleaning off the spyware stuff? (if you're using XP) I didn't, and had problems recur because they were being reloaded by System Restore somehow.

axel

Start/Control Panel/System/System Restore tab, then tick the check box for "Turn Off System Restore on all Drives."

Then do the CWShredder thing, then turn System Restore back on (if you want to). That way any naughtiness shouldn't hide in the System Restore bucket only to be restored after the CWShredder. (As you can see my understanding of the precise technical terms isn't exact.)

Anyway, hope that helps.

My Giddy Aunt

On a slightly different note.

I have Norton SystemWorks and try to do a disk scan but it tells me another application has exclusive access to my hard disks. What's that all about then? Any ideas?

Tubgirl

Hmm, perhaps try restarting in safe mode and running it?

With spyware problems (although this method does not sort most of the new buggers) always check for and remove any errant entries in the startup area of the registry.

Best thing to do is look at the EXEs (or BATs, COMs) listed in the following areas, search the web for them, and delete any that are obviously not supposed to be there. Be very careful with the registry though.

HKLM\software\microsoft\windows\currentversion\run
HKCU\software\microsoft\windows\currentversion\run
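An added example (not from the thread, and written for a current Windows system rather than the XP of 2004): a PowerShell script that lists every value under the two Run keys above, resolves each command to its executable, and flags entries whose file is missing, unsigned, or runs from a Temp folder, so you can do the "search the web for them" step from a table instead of by eye.

```powershell
# Enumerate the two autostart Run keys Tubgirl names and flag suspicious entries.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds for its own bookkeeping; not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath([string]$command) {
    # A Run value is "program args": take the quoted path, or the first token.
    if ($command -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($command -split '\s+')[0]
}

function Get-RunKeyReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$p.Value)))
            $flags = @()
            if (-not (Test-Path -LiteralPath $exe)) {
                $flags += 'file missing'          # dangling entry or deleted dropper
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
                if ($exe -match '\\Temp\\') { $flags += 'runs from Temp' }
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Exe     = $exe
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Review the table; only delete a value after identifying it, e.g.
# Remove-ItemProperty -Path $key -Name <valuename>
Get-RunKeyReport | Format-Table -AutoSize
```

An unsigned or missing binary is a reason to look the name up, not proof of spyware: plenty of old but legitimate utilities ship unsigned.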

Tubgirl

Also, I do now tend to recommend that not just power users investigate alternative browsers such as Netscape, Mozilla or my favourite, Opera.

JesusAndYourBush

Get HijackThis from here (there's also CWShredder on the same page - it's useful for some homepage hijackers). Perform a scan with HijackThis and then look at what it finds. Be very careful what you delete, as most of the list is legitimate stuff, so you have to look through it and try and work out which are the nasties.

Also, another thing to do is reboot first and don't open any apps apart from those that load on startup, so you're starting with a "clean" system. Then Ctrl-Alt-Del ONCE to bring up a list of tasks. Look at all the running tasks, then look them up on this page, and then go to Start > Run > msconfig and disable any tasks from startup that you don't want by unticking the box. You may have to kill the task first or otherwise it might add itself again on restart. You can also disable from startup many things that load on startup that you don't need, such as RealPlayer (it'll open when you play a .rm file, it doesn't need to pre-load on startup). Then there's stuff like RealPlayer's autoupdater, which I think I renamed the whole folder to stop the little sod.

skibz

A good lil freeware program I use is Ad-aware, download it from:

www.lavasoftusa.com/software/adaware/

Cheese Arse H Christ

Quote from: "Joyless Milk"
On a slightly different note.

I have Norton SystemWorks and try to do a disk scan but it tells me another application has exclusive access to my hard disks. What's that all about then? Any ideas?

It's because you are on Windows XP with an NTFS formatted disk, the OS being the 'program' with the exclusive rights.

To check your disk, you need to go to START > RUN to get the prompt, then type chkdsk /f and press return. The /f bit is to tell it to fix any problems it finds.

It will say a similar message about how it can't check the disk, but will ask you if you want to schedule a disk check on the next reboot. N for 'No' would not be the letter I typed at this point if I wanted the check to be scheduled.

PS: it's just another file in the evidence room marked "Norton are shit".

My Giddy Aunt

Norton are shit nowadays, are they?

Oh, I remember the old days when I knew things about computers and they were, I think, quite cutting edge.

Ho hum. As long as it's not some evil viral thing using my hard disk for its malicious 'exclusive' reasons.

WoShade

I second Tubgirl's browser recommendations. I can't think of a single reason for using the bloated, exploit-heavy mess that is IE.

Gazeuse

This is a variant of the CWS trojan which is VERY difficult to remove. The usual fixes (Ad-aware, CWShredder, HijackThis etc.) don't work as yet. The clever people over at SpywareInfo are trying to kill it.

Have a look at http://forums.spywareinfo.com/index.php?showforum=18 where you may find a thread about the particular variant you have.

Be prepared to delve deeply into your computer's brain!!!

My firewall keeps shouting about "Invalid TCP segments in an existing TCP connection." (Direction: Inbound)
The DNS name reports as "webcacheproxyB1.cache.pol.co.uk" on remote port 8080. The alert comes up every few minutes.

Question is: is this just some regular contact from somewhere or is it some hack attempt? Does it just need to contact the domain for run-of-the-mill web caching or is it more sinister?

gazzyk1ns

Are you on Freeserve? .pol.uk "is them", if I remember correctly. Things like this are usually harmless, although the usual method I employ is to deny things but keep a mental note I've done so, so I can reverse the process should anything slow down or stop working.

Quote from: "gazzyk1ns"
Are you on Freeserve? .pol.uk "is them", if I remember correctly. Things like this are usually harmless, although the usual method I employ is to deny things but keep a mental note I've done so, so I can reverse the process should anything slow down or stop working.

Cheers, I shall give that a try.

Anyway - how do you know I'm on Freeserve? Maybe it's you hacking me.
You seem to know an awful lot about my eating habits and which letters I'm pressing on my keyboard.

gazzyk1ns

Nah I don't know what you're on about.

By the way, you'll want to pay your Visa bill today otherwise they're going to charge you extra...

I prefer it if me buying Roger Moore's pants was kept firmly confidential.
(spy underware)