I'm retarded

[Duke]

I hate admitting it but man do I ever need a smack on the head sometimes. I dl'd some software from a less than repudable source, didn't scan it (doh) and now am dealing with malicious spyware on my rig. I've had to kill two toolbars with files hidden virtually everywhere then go into my registry and delete things I don't recognize.

What a nightmare.

 

[Lanre]

Well Duke, I don't think that you are alone in this situation. Will it be possible for you to share the names of some of this applications with us. You never know, many may not even be as good as you are.
Lanre

 

[OldWelshGuy]

I take it you have done the usual with spybot s&d etc to clean it up then?

 

[mcfox]

I hate admitting it but man do I ever need a smack on the head sometimes. I dl'd some software from a less than repudable source, didn't scan it (doh) and now am dealing with malicious spyware on my rig. I've had to kill two toolbars with files hidden virtually everywhere then go into my registry and delete things I don't recognize.

What a nightmare.

Yuk!

You can try M$'s anti-spyware:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

To be honest, if I were in your position (I have been in the past), the best thing you can do is reformat the HD and reinstall from scratch. Y'see, the thing is, once crap like that gets onto your system it tends to download a whole load of other crap onto your computer as well. Some of it will be recognised by the anti-spyware and antivirus apps but some of it can be missed and linger on, downloading more crap afterwards ... more spyware, keyloggers, spamming engines, etc, etc.

 

[Duke]

I thank you all for your responses. I did run AVG, Spybot, Ad Aware and always run Spyware Blaster in the background. The problem was what I believe an IE exploit that was embedded in a file that was supposed to be Doom 3, Resurrection of Evil, the recent expansion pack to Doom 3. I don't believe a reformat is necessary because both programs appear to be permanently nuked from my system, even after continued restarts and usage of Internet Explorer.

OK here is the story in detail. If you see any of this software around, run (don't walk) as fast as you can in the other direction.

Step 1: Idiot Duke (Ken) dl's um, a leaked warm copy of a game. This isn't something I do normally but I did it with Doom 3 simply because it was released late in Canada and I felt that since I've waited 3 years I'd had enough. I also believed that purchasing a copy wouldn't work with my cracked copy as it's mounted on a virtual drive.

I usually scan everything, but forgot to in my haste because of my excitement to play. I unzipped the file, mounted it and then proceeded to install the .exe. It took forever for a window to popup and by then it was already too late. I had a thank you for installing Hunt Bar window that all I could do was close. I was never prompted to chose directories; agree to disclaimer or nothing, just installed just like that. The program then opened up IE and took over, the rest is history.

I also ended up with another toolbar called IBIS but I'm not sure where it was because I never really saw it. I'm not sure if it was an extension of the Hunt Bar or what but it did have it's own separate registry entries.

I ended up with a trojan horse but I don't think it was related to these two toolbars, they both passed virus scan's so they had to be purely spyware, either that or there so new that there's currently no definitions written to combat them. That reminds me, maybe I'll do a Trend Micro House Call Scan just to make sure my systems not infected with a virus anymore.

Anyway, IBIS kept on changing its registry entries upon every start up so it was impossible to get rid of. I finally found dll's of it in Documents and Settings that could only be deleted in Safe Mode. It also worked it's way into my start menu (not to be confused with startup) and would execute upon every system startup anyway. These files could only be deleted in safe mode as well. Spybot provided the location of the registry entries so I just kept on going back until it was finally gone. I think the last delete in safe mode is what finally got rid of it though.

That was the easy one, Hunt Bar was way worse.

Hunt Bar had an uninstaller so in theory I should have been able to go to add/remove programs and get rid of it. That worked just great until I re-booted and there it was, larger than life. Hunt Bar was hidden in 9 different spots on My Computer from Program Files, Documents and Settings, Start Menu and 4 or 5 registry entries. All told there were 9 files to delete and they couldn't be deleted using spyware removal. Also, the files that were in Start Menu, Program Files, Common Files, Documents and Settings, WinTools, etc., were write protected or shared (windows couldn't tell) so they couldn't be deleted. Worse than that, they weren't easily identified, as they seemed to be legit files. I took a chance here, deleted all files in safe mode that had revise dates of April 16 (the day this all happened), since they were in the Recycle Bin they were not active files but easily retrievable if I happened to get rid of the wrong file. I also followed the roots of the files in my registry and got rid of them there, once again in safe mode. Files were in several places within the registry under names I didn't recognize. Files were scattered in HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, and HKEY_CURRENT_CONFIG. I was pretty confident here with what I was doing (believe it or not) but if your ever in your registry and worried about screwing something up, simply create a system restore point, you can boot up under your last system restore if need be.

Anyway, it looks like that's the end of it, I hope. If anything else develops I'll be sure to let you know.

Important Tip: if you ever experience anything like this, make sure to scan your system with spyware software prior to reboot and at the beginning of a restart before loading any programs. This gives you an idea of where the files may be hidden, as they have to execute either at start up or whenever you launch an associated program.

 

[crowebird]

wow that sux. looks like you got everything back undercontrol... lol maybe a lesson... dont dl games, or make sure you fully scan them a few times to make sure their safe

 

[Duke]

Like I said, I rarely dl games, Doom 3 just happened to be one that I'd had enough of waiting for so I took a chance. I paid for it dearly though in the end (literally).

Recent scans with both AVG and Spybot have produced no resulting infectious files so I'm clean, at least as far as those programs are concerned. I feel sorry for anyone who's less confident with messing around in their computer because programs such as this completely take over. I do some of my banking online and was extremely worried that this would be a window into my financial info.

 

[Duke]

So you're telling me that even though I did no banking in this time, it's possible that it got access to my info from an encrypted page?

The other thing is that there's nothing that can be done (to my knowledge) other than pay my bills through the one account I have online. I don't have PayPal or anything else configured either.

If what you say in your previous post is true, then what is to stop any spyware? I'm not being sarcastic either, just very curious. I get new spyware on my computer weekly. Spyware Blaster has cut the amount down by close to 95% but can't catch everything.

 

[mcfox]

So you're telling me that even though I did no banking in this time, it's possible that it got access to my info from an encrypted page?

The other thing is that there's nothing that can be done (to my knowledge) other than pay my bills through the one account I have online. I don't have PayPal or anything else configured either.

If what you say in your previous post is true, then what is to stop any spyware? I'm not being sarcastic either, just very curious. I get new spyware on my computer weekly. Spyware Blaster has cut the amount down by close to 95% but can't catch everything.

No, I'm saying it is possible, since you have already activated the nasties by running the downloaded program, that you have lurking, somewhere on your computer, one or two programs that shouldn't be there. Some type of back door.

The first thing a trojan usually does is download other software from a remote server. The same with certain spywares which operate more like trojans. This may explain why you are having problems with spyware repeatedly appearing on your system.

First place a trojan usually replicates itself to is within system restore. The polymorphic varieties will stash themselves in numerous locations in varying ways so as not to get picked up by antivirus or antispyware.

Antivirus and antispyware is effective, for the most part, in preventing infection, not curing it once it has gotten onto your system. Sure, it will pick up the virii that is already known but there is a lot of stuff out there that is new and has not yet been picked up and antivirus does not pick up keylogger software, for example. Spyware Blaster is pretty good but again, it is highly unlikely it will pick up keyloggers.

It's the same with bios which does not have a password, depending on what sort of user privileges can be gained. A skilled cracker can identify the bios on your system and flash it (reprogram it) so as to allow him/her access to your computer. This is very rare and requires proper skills but it can be done if the user privileges gained are high enough. It cannot happen if the bios is password protected.

I'm not trying to freak you out with a load of scare stories, just pointing out what can be done.

What concerns me about your own particular case is that you located a trojan on your system after you ran some nasty program from the dark side of the internet. As soon as that program was run, your system was fully compromised. It may be that the crapware and trojan was all that was put on your system but I doubt it.

It doesn't mean every file on your computer is toast. You can back up what you need to and scan it once you have completely secured your system should you choose to reformat the HD.

If it were my computer, I would reformat the HD, including scrapping any existing partitions and turning the power off, so there is nowhere for anything to hide, including memory-residents; then reinstall from scratch.

It's not a fun option and might take you a few days to get back to operational, but given your situation, I don't see any other way to be certain your machine is clean.

 

[Duke]

Take a few days, unlikely, it'll take me a week. I've got two hard drives 80 GB and 40 GB full to the rim with software and essential files.

I do understand what your saying but this is something that can happen at anytime virtually anywhere. It's also easy to get an instance of spyware installed, all you need do is visit a site with a popup and voila, you have spyware.

As far as virus' are concerned, I agree with you 110% but in order for a definition to be written to even remove existing virus', information pertaining to the virus has to come from somewhere. That information comes from infected computers through either online scan or allowing McAffee, Norton, Panda, etc., to dip into their computers for their "Customer Improvement Programs" or whatever they decide to call it.

A lot of what your posting is horror story stuff and isn't confined to my computer because I ran a malicious program, your computer and the computer of any user connected to the internet is vulnerable by a skilled enough hacker. I am also quite certain my computer is clean and not too worried about key logging or background apps reporting info over the net, as I said previously, the only bank info I have online is access to my bank account and nothing can be done with it (not even transfer of funds). I never signed up for those programs and never will, the only access I have is to pay bills and thats it.

I will take your suggestions under advisement and am keeping a close eye on my system. I even have my modem within earshot just to see if it's running when it shouldn't be due to my paranoia level.

Lastly, I'm pretty sure that there's software running on my computer, yours and everyone else's that we don't know about. Operating Systems, Virus Software, Spyware Removal, Software Firewalls, Search Engines, hell even Alexa gather stats from somewhere to continually improve their software apps. I'm pretty sure that information comes from everyone who connects to the net.

I do have a question though, instead of a whole re-format which I simply don't want to do because there's no way I can even do it without purchasing another hard drive at this point, what if I was to change my IP address? It seems to me that any running program that may be logging keys is using a gateway provided by my IP, if I were to change the address don't I close the door?

 

[mcfox]

I do have a question though, instead of a whole re-format which I simply don't want to do because there's no way I can even do it without purchasing another hard drive at this point, what if I was to change my IP address? It seems to me that any running program that may be logging keys is using a gateway provided by my IP, if I were to change the address don't I close the door?

Nope. Changing IP address won't make any difference.

I completely understand your reluctance to go for the reformat option. It isn't pretty when you have an enormous amount of data.

The examples I gave aren't horror stories by any means. They happen all the time, usually to people who are willing to download and run stuff that is from a dubious sources. It's the easiest way to infect a computer. Bait someone with an enticing morsel such as a game in your case, a music file, 'free' expensive software that has been cracked, a keygen, serials database or crack files for popular paid software; the list is endless.

The infected machine then starts scanning for vulnerable machines and if it finds any, will attempt to infect them. That's how zombie-pc networks are created.

I'm not having a dig at you for downloading the game, simply explaining how the general process works. It may be that you captured the nasty stuff before it could do much and you have managed to eradicate everything by editing the registry and taking care of the dll's.

Other than going for a 'clean machine', all you can do is keep an eye on your system for any strange behaviour, unexpected slow-downs or other tell-tale signals.

 

[Duke]

Nope. Changing IP address won't make any difference.

I completely understand your reluctance to go for the reformat option. It isn't pretty when you have an enormous amount of data.

The examples I gave aren't horror stories by any means. They happen all the time, usually to people who are willing to download and run stuff that is from a dubious sources. It's the easiest way to infect a computer. Bait someone with an enticing morsel such as a game in your case, a music file, 'free' expensive software that has been cracked, a keygen, serials database or crack files for popular paid software; the list is endless.

The infected machine then starts scanning for vulnerable machines and if it finds any, will attempt to infect them. That's how zombie-pc networks are created.

I'm not having a dig at you for downloading the game, simply explaining how the general process works. It may be that you captured the nasty stuff before it could do much and you have managed to eradicate everything by editing the registry and taking care of the dll's.

Other than going for a 'clean machine', all you can do is keep an eye on your system for any strange behaviour, unexpected slow-downs or other tell-tale signals.

I didn't take you post in any negative way, all of what your saying I do know to be true. I also don't dl a lot of free software (very little in fact) but I got bitten from an unlikely source, usually this place is pretty clean and I'm still amazed a file like that even existed in their db.

I once went through 2 weeks of re-formatt/re-install due to a nasty virus hidden in an unlikely source that wouldn't initiate until I launched the program. I do know what it's like to be hit hard as I lost tons of data in the process, it sucked. I ended up re-installing the OS 4 times over two drives because I kept transferring the virus from one drive to the next without knowing it. BTW, all scans (home and online) produced no virus in the infected file (how do you like that?).

I never did fully recover from that nightmare so the moment I got anything funny on my system I took care of it right away. I feel very confident that it's gone but I'm not really taking any chances at the moment. I actually have been sleeping in the living room because when my hard drives start spinning they wake me up (believe it or not). I've enabled, disabled and changed times for my daily virus check just to ensure the disk starts spinning when it's supposed to and at no other time. I also have a software firewall, a hardware firewall and disabled active X.

Whenever I get hit with something such as this (which is very rarely) I do keep an eye on my rig. I do get spyware because my buddies always give me links to everything and I sometimes click, sometimes don't. I also do a lot of surfing online and end up on sites with all kinds of "less than professional" advertising techniques. Just take a look at many of the gaming sites, browse 10 of them and you'll get 5 instances of spyware, it's a joke. This has become common place for me and I'm used to dealing with it.

 

[mcfox]

Man, I've been there too. Stuck between a rock and a hard place. Usually takes me a week to get up and running if I do a reformat of the HD.

If you know your system inside and out; msconfig, the registry, running processes, etc., then you can monitor any changes by checking them manually. If something mysteriously appears you pick it up right away and can purge it from your system. Sounds as if you are pretty much on top of that although you can never have too many resources, right?
Try here for a comprehensive listing of processes running under windows: http://www.processlibrary.com/

I'm guessing you already have Adaware and Spybot Search & Destroy already on your system. If you don't, then you should probably give them a whirl.

Am I correct in thinking you are using Internet Explorer for general surfing? Not usually a great idea except on completely trusted sites.

Have you tried Firefox? It rocks. The tabbed browsing is brilliant and something you never want to let go of once you have it, plus there are loads of extensions you can add to increase functionality.

 

[Duke]

Again I have to thank you for your help in this matter, it's been really great!

I do have Spybot, Ad-Aware, and Spyware Blaster. The three most used Run files for me are msconfig, regedit and cmd, it's like that for a reason. If I have spyware that poses a severe threat, I'll likely check out the registry at that location just to see what it is I'm dealing with. It also helps should I run into another file similar to the malicious one in my registry.

I Ctrl+Alt+Delete quite often as I do game and like to make sure there's a minimum of Ken processes running. In the few cases that I see background apps that I don't recognize, I hunt them down and nuke them. At any time I do have a minimum of 21 processes running but ATI uses a few of them as does Creative for my Audigy 2 and LWEMon.exe for my Logitech gaming devices.

I do have Firefox but I'm not the biggest of fans of the software. I usually use it for downloading files because it's more dependable than IE for some reason but I'm not a big fan of how long it can take to load images on pages that I've already visited that, I believe, should already be in it's cache. I like surfing and having images, blocks, modules to load instantly (or as close as possible) and I find IE to be better at that.

Maybe I'll spend a bit more time with Firefox and see if it grows on me. I do also have the latest version, I upgraded late last week I think.

Thanks again.