I was browsing the internet last night when I got hit with a very aggressive spyware program. A pop-up appeared on my screen asking if I wanted spyware protection (or something to that effect). Naturally, I clicked "NO", but I guess I should have just clicked the "X" instead.
My screen suddenly FILLED with all kinds of pop-up ads. When I finally got through those, I found several icons added to my desktop. Some of them implied they were spyware buster programs, but I didn't open any of them to find out. My homepage has been changed to "about:blank". My Google Searchbar has been removed and replaced with a different one. When I tried to do a Search, I got a completely different Search Page than I'm used to. It said "Just Find It" at the top (I believe).
I finally just shut the computer off to prevent further infestation. When I turned it on this morning, it went through the same series of pop-up ads and added all the icons I removed BACK to my desktop again. Anytime I go into a legitimate site, I automatically get a "Related Search" bar on the side of the screen. "STOPZilla" is the first entry that shows up there.
I didn't have my spyware-buster programs updated on this PC, so I am currently downloading them again. Even though I removed the icons from my desktop, I know the core programs are still there. So, does anybody know the name of this particular spyware hell-spawn? I am currently running Spybot:S&D on my system. I will be downloading Adaware, HiJack This and probably a couple of others (please feel free to recommend some you like). But I've learned from experience that spyware THIS aggressive usually has to be removed manually. Any help in identifying this program would be appreciated. |
Sorry matey, I'd just go with the Spybot S&D solution. Couldn't really suggest anything else :(
|
There are too many variables to tell you which it is, since there are so many..
For reference, never, and I mean never click inside the popup windows, they tend to be just images of buttons and so clicking anywhere on them is just asking for trouble.. Also, watch out for the double X windows, these are popups that have a little X near to where the real X is, again this is a trick to try and get you to click in their window and thus "authorise" them to install junk to your computer.. Hmm, you could try Ctrl+Alt+Del and check for processes you don't recognise, there's only roughly 14 or so critical Windows processes, maybe less maybe more depending on your configs.. Oh I'd suggest running Lavasoft Adware, that's pretty good these days.. Then run your fav virus scan.. Then restart and repeat above steps just to be sure. [ 02-18-2005, 06:38 AM: Message edited by: Q'alooaith ] |
NEVER click the ad itself!
It was probably just a picture and will take you to the same trouble wherever you click. Click the X... or to avoid pop ups altogether use Firefox. I haven't seen a popup on my screen for months now. |
Quote:
|
Don't you have a firewall?
|
I just want to add.. what website is it? So I will try and avoid it. I have 2 firewalls (Zone Alarm and Norton) which more or less protect me from unauthorized actions. When I find out.. I just deny them
|
About the only added thing I can suggest is heading over to techtv.com and check out their forums/links. They are *VERY* thorough and instructions for removal of "crap" on your system you don't want are very easy to understand.
They may even know if this particular one has a name. Hope you get it all sorted, Cerek. I know what a pain it can be. Since switching to Firefox & Thunderbird, Mike and I have had no problems like this, so you just might want to seriously consider the above suggestion to switch. |
Yeah, I know I screwed up by clicking inside the ad instead of just clicking the "X". I just had a brain cramp and wasn't thinking.
The "spybuster" icons come back on my desktop after each restart. Here is what is showing up: Evidence Eraser, Popup Blocker, Spyware Avenger, Virus Hunter Security.
I don't have my own firewall installed, but I just got DSL service this week - and it is supposed to come with MSN Premium, which provides a firewall, popup blocker and virus scanner. Maybe these new icons are actually legit and part of the MSN package - but they didn't show up when I activated my DSL connection. They showed up after I got hit with the spyware last night. |
Hmm. How about Zonealarm or the default XP firewall?
|
Quote:
|
If those icons return after boot they're in your registry. If adaware and spybot try HiJackThis. It'll give you a list of what starts up. Then you can clean out the spyware from there. But be careful with it, if you're not sure what an entry does don't delete it and google or ask.
|
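An added illustration of the "they're in your registry" point above (not part of the original thread or any poster's own code): a read-only PowerShell script that lists what is set to start at boot or logon, in the way a startup-list tool does, and shows the Internet Explorer home page value. The registry paths are the standard Windows Run/RunOnce keys; the function names are made up for this example.

```powershell
# Added example: read-only inventory of common autostart locations. Nothing is modified.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {   # hypothetical helper: program path from a Run value
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(exe|dll|bat|cmd|vbs|js))(\s|,|$)') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-SignatureState {  # hypothetical helper: Authenticode status of the target file
    param([string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    # Bare names that Windows would resolve through PATH are reported as NotResolved.
    if (-not $full -or -not (Test-Path -LiteralPath $full -PathType Leaf)) { return 'NotResolved' }
    return [string](Get-AuthenticodeSignature -FilePath $full).Status
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $entries += [pscustomobject]@{ Location = $key; Name = $name; Command = $cmd
                                       Signature = Get-SignatureState (Get-CommandTarget $cmd) }
    }
}

# Shortcuts in the per-user and all-users Startup folders also run at logon.
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $entries += [pscustomobject]@{ Location = $dir; Name = $file.Name
                                       Command = $file.FullName; Signature = 'n/a' }
    }
}

# The home page setting that browser hijackers rewrite.
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie = Get-ItemProperty -Path $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie) { $entries += [pscustomobject]@{ Location = $ieKey; Name = 'Start Page'
                                          Command = $ie.'Start Page'; Signature = 'n/a' } }

$entries | Sort-Object Signature, Location | Format-Table -AutoSize -Wrap
```

Entries that are unsigned or cannot be resolved are the ones to look up before touching anything, in line with the advice above not to delete an entry you do not recognise.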
Do you have a restore point available from before you launched into this sorry mess? If so, restore to it. If not, you've learned (as I recently did) that there's really no such thing as too many restore points...
You might also try booting up in safe mode instead of logging in normally. They may not have infected you there. For reference, I also have Popup Killer, a piece of freeware that's really no longer supported or maintained, but does a good job of nuking popups. When one of these critters comes up, I go in to Popup Killer to close it -- it has a nice display of everything that's running, and when I close it, it also adds it to the blacklist, preventing it from darkening my doorway ever again. Good luck. You have my sympathies. |
I only have a small bit to add, with Spybot S&D if you go into advanced mode there is a startup button on the tools tab, that will let you change the registry values of anything trying to start-up on your computer. Also the IE tweaks there can help prevent your browser's home page from being changed without your permission.
Being on DSL, having a firewall is critical; if you've had DSL for a week with no firewall running, you can be sure that someone else has been using your computer for something. Zonealarm is a free firewall you can get from download.com. |
Avast Anti Virus has stopped similar malware in its tracks on my PC and it is free! I use it in conjunction with Spybot, Adaware, ZoneAlarm and others. My weekly spyware/virus scans always turn up with nothing.
[ 02-19-2005, 01:11 AM: Message edited by: Chewbacca ] |
Sounds like a CoolWebSearch variation, especially with the about:blank homepage. Try CWShredder, it got rid of the problem last time. Other than that I use the above mentioned adware, spybot and zonealarm and have had no problems since installing them, particularly the zone alarm firewall.
|
What's Spybot S&D? Where do I get it?
|
It's a malware and spyware remover, and it tends to pick up what adware sometimes doesn't, giving you better all-round protection. As for where to find it, can't remember exactly but try googling it.
|
Cool, thanks!
Good luck, Cerek. Sorry to hear about your computer. |
OK - here's an update.
I did have the standard MSN XP Firewall installed and running. Sadly, I did NOT have System Restore turned on (thought I did, but guess I was wrong). That would have made life SO much easier.
I have downloaded Avast, Hijack This, RegLite (works in conjunction with Hijack This) and Adware Away. These last two were recommended by the site I found with instructions on how to remove "about:blank". The Adware Away is supposed to remove "about:blank" and several other ultra-nasty hijackers and trojans that other software can't - but that hasn't been my experience. It seems to be a fairly comprehensive program and gives a menu choice of removing hijackers, spyware, adaware, or trojans. I can also scan the PC and send them a log of what shows up and they will provide a "custom cleanser" - but that sounds pretty "fishy" to me. In fact, I'm beginning to wonder if Adware Away might not be one of the sponsors of "about:blank" or "CoolWebSearch".
That is the part that makes me the angriest - is that this hijacker recommends its own spyware removal packages. These JERKS have the gall to infest my computer, then turn around and offer me spyware removal packages. Wish there was a way to send them a nice letter-bomb instead.
Anyway, I don't feel quite as bad about clicking on the Anti-virus popup now. It STILL comes up on a regular basis and the top address bar is greyed out - so there is NO WAY to click on the "X" at all. And even Alt-F4 won't remove it. I just have to leave it alone until I Restart the PC or Turn it OFF.
I've run Avast scans and am finding LOTS of crap. Mostly getting Win32:Trojano-xxx, JS:Istbar, VBS:Malware and other viruses - most infecting the Win32 folder area. Since removing "about:blank" automatically with "Adware Away" didn't work, I'm going to try doing it manually - but I really feel like I'm out of my league with this one.
If nothing else, I may have to take the PC back to the shop and have them simply wipe the HD clean and re-install again. {sigh} I hope not. But I've spent over 4 hours (all told) so far trying to remove these programs and I can't see that I've made ANY progress. |
Cerek,
Rest mostly well assured that Avast will stop things like this from happening again. Its realtime scanner works great -VS- Virus and Malware. I won't say you are guaranteed set for life and Avast won't stop less insidious adware and tracking stuff. An anti-spyware program like SpySweeper offers additional real time scanning and excellent removal... so I hear. I mention this more further down this post. I would get ZoneAlarm ASAP to stop any already existing buggers from sending information out. For a small fee I hear and have read that Webroot's SpySweeper is the best anti-spyware. I plan on picking it up soon and I have seen it recently at Best Buy, Staples, and Circuit City for only 20 bucks. PC magazine gave it editor's choice. Obviously it is not perfect, but no AntiSpyware software is! PC Mag review excerpt from review: Quote:
[ 02-19-2005, 10:06 PM: Message edited by: Chewbacca ] |
Quote:
One thing that makes me particularly suspicious is the name "Adware Away". Sounds like they are counting on the name recognition of the reputable "Ad-aware" to fool people. Stick to big name reputable freeware in the anti-spyware arena and use google to thoroughly review any new freeware that comes your way. [ 02-19-2005, 10:04 PM: Message edited by: Chewbacca ] |
Cerek -- PM me with a good email and I'll send you Popup Killer. It's really handy for getting rid of browser windows without having to touch them. And it can generally kill them by title or URL -- quite handy, actually. It won't fix the rest of it, but it may help you get those annoying windows out of the way.
|
I just wanted to clarify that the Service Pack 2 firewall will not protect you - it still allows outgoing connections, simply blocks port scanning and programmes connecting in. One of the most common ways for your computer to be infected is a worm running on your computer that connects outside to download a virus. Change it! Either Zone Alarm or Kerio spring to mind.
You also need to change your browser. Really. Either Firefox or Opera, they're both ultra-secure compared to Internet Explorer. All your problems will go away once you switch... If you're going to pay for a virus checker, get NOD32 - I understand it's the only one never to have failed a VB100% test. If you want a free one then you can't go wrong with either Avast! or AVG. By staying with Internet Explorer you're fighting an uphill battle - every time you clean your computer, more crap will get dumped on. You need to make a clean break and switch. I don't have time to write out all the links for those programmes, but they're all listed in the website in my sig. Oh, and "about:blank" is simply Internet Explorer's way of telling you that it has no homepage set - this is what I have mine on and it is not a problem and not caused by spyware. It's when your homepage is set to www.buy_viagra_here.com that you have to worry ;) [ 02-20-2005, 06:05 AM: Message edited by: shamrock_uk ] |
Microsoft is giving away free downloads of their new antispyware cleaner. It's free thru July 31. But right now it might help. The friend who told me about it said it found things Ad-aware had missed.
|
Cerek, buddy. Get off the net, and rebuild your PC!
Asking for info. How long were you on the net 'un-protected' before you got hit? Another forum I frequent is trying to say less than 5 minutes. In the future. Use the other non targeted web browser, Firefox, or full blown Mozilla. Get yourself a free (insert zone alarm) firewall. If you work for a good intentions employer that has pc's on the net, ask for the employee take home firewall/anti-v software. In my experience, I have seen this exact same situation you describe, except Norton firewall popped-up with "Immediate Alert, Malware intrusion, shutting down ALL Comm ports". All comm ports were then shut down, and nothing else was allowed, and the malware was left open to be DELETED, without any further mess. Moral of the story, If you run Windows, and internet exploder, without a firewall, YOU will be infested! Sadly, you are so far beyond, your only recourse is to save whatever you think is important, and re-format 3 times prior to installing a brand new fresh install of your OS. 3 times re-format is minimal, 5-7 is better, best yet would be to buy a new HDD, and take a hammer to the other one. In lab results, a HDD has been brought back to boot, and file restoration, after the owner formatted it once. So, if you think a one time is sufficient, remember what you just experienced. Now; your registry is where your main infestation is harboring its next assault. From the registry malware can piggyback an IE string and dispatch all of your personal information back to the malware site. This may or may not happen based upon what you have been hit with. |
Quote:
The same applies to using alternatives to Outlook/Outlook Express. Active Scripting = email attachments can be run without your permission or knowledge, thus installing Bad Stuff™ onto your system. Use alternatives (which purposely don't use Active Scripting), and you'll need to run the apps yourself (manually) to have anything happen. Which takes it all back to matters of common sense. |