Guest RJK Posted October 1, 2008

Hi ...just brought home from work a friend's PC that is suffering lots of unwanted ad-windows opening up all by themselves in IE7.

...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to its boot drive C:\ ...and it's now running the Sophos sweep.

...was this a good start? ...or should I be taking a different approach than starting off by running these 4 CLS's?

i.e. I've never worked on a PC that's had IE7 compromised in this way - i.e. lots of windows opening all by themselves.

any tips appreciated, ..TIA

regards, Richard
Guest RJK Posted October 1, 2008

mmm, ....hosts file is 0 bytes in size, and dropping a new one in there is being prevented! IE starts by itself and offers casino websites, and even ZoneAlarm! .....looks like I'm in for the long slog. ....couldn't resist having a quick fiddle though :-)

regards, Richard

"RJK" <notatospam@hotmail.com> wrote in message news:uwrQbm9IJHA.728@TK2MSFTNGP03.phx.gbl...

> Hi ...just brought home from work a friend's PC that is suffering lots of
> unwanted ad-windows opening up all by themselves in IE7
>
> ...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to
> its boot drive C:
> ...and it's now running the Sophos sweep.
>
> ...was this a good start? ...or should I be taking a different approach,
> than starting off by running these 4 CLS's
>
> i.e. I've never worked on a PC that's had IE7 compromised in this
> way - i.e. lots of windows opening all by themselves.
>
> any tips appreciated, ..TIA
>
> regards, Richard
Guest Geoff Posted October 1, 2008

On Wed, 1 Oct 2008 16:21:17 +0100, "RJK" <notatospam@hotmail.com> wrote:

> Hi ...just brought home from work a friend's PC that is suffering lots of
> unwanted ad-windows opening up all by themselves in IE7
>
> ...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to
> its boot drive C:
> ...and it's now running the Sophos sweep.
>
> ...was this a good start? ...or should I be taking a different approach,
> than starting off by running these 4 CLS's
>
> i.e. I've never worked on a PC that's had IE7 compromised in this way -
> i.e. lots of windows opening all by themselves.
>
> any tips appreciated, ..TIA
>
> regards, Richard

Get LavaSoft AdAware Free Edition: http://www.lavasoft.com/
Advanced (paid) versions have A-V tools.

Get CCleaner: http://www.ccleaner.com/
Good tool for getting at the nitty gritty details.

Get SpyBot S&D: http://www.spybot.info/index2.html
Best way to help prevent repeats of ending up on malicious sites that deposit malware without user input.

GiPo MoveOnBoot file utility: http://www.gibinsoft.net/gipoutils/
The MoveOnBoot tool allows you to schedule deletion/movement of especially nasty malware that locks the files it depends on while your system is active. The locking action prevents you from deleting them unless you can delete them before the malware runs. The tool can delete malware programs or DLLs before the system has a chance to run them.

Get Autoruns: http://technet.microsoft.com/en-us/sysinternals/default.aspx
A good tool for getting at the registry entries pertaining to virtually everything critical in Windows startups or drivers in a nice GUI. You can spot invalid or suspicious startup items and prevent them from starting at boot or delete them entirely. Another good tool is Process Monitor from Sysinternals but it is much more technical and not recommended for beginners to Windows internals.

Sysinternals used to be an independent company but was purchased by Microsoft, who seem to be keeping the tools faithful to the goals of Sysinternals.
Guest David H. Lipman Posted October 1, 2008

From: "RJK" <notatospam@hotmail.com>

| Hi ...just brought home from work a friend's PC that is suffering lots of
| unwanted ad-windows opening up all by themselves in IE7
| ...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to
| its boot drive C:\
| ...and it's now running the Sophos sweep.
| ...was this a good start? ...or should I be taking a different approach,
| than starting off by running these 4 CLS's
| i.e. I've never worked on a PC that's had IE7 compromised in this way -
| i.e. lots of windows opening all by themselves.
| any tips appreciated, ..TIA
| regards, Richard

Richard:

The best solution may be a combo of my Multi-AV and MBAM.
Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Jo-Anne Posted October 1, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:edk3NJAJJHA.728@TK2MSFTNGP03.phx.gbl...

> From: "RJK" <notatospam@hotmail.com>
>
> | Hi ...just brought home from work a friend's PC that is suffering lots of
> | unwanted ad-windows opening up all by themselves in IE7
>
> | ...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to
> | its boot drive C:
> | ...and it's now running the Sophos sweep.
>
> | ...was this a good start? ...or should I be taking a different approach,
> | than starting off by running these 4 CLS's
>
> | i.e. I've never worked on a PC that's had IE7 compromised in this way -
> | i.e. lots of windows opening all by themselves.
>
> | any tips appreciated, ..TIA
>
> | regards, Richard
>
>
> Richard:
>
> The best solution may be a combo of my Multi-AV and MBAM.
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I've been meaning to ask, Dave, if there's a website in English. When I click on your Multi-AV link, it takes me to a German-language page. I've been able to read it using Google's translator; but if there's an English page, that would be easier.

Thank you!

Jo-Anne
Guest David H. Lipman Posted October 1, 2008

From: "Jo-Anne" <naples@tbcnet.com>

| I've been meaning to ask, Dave, if there's a website in English. When I
| click on your Multi-AV link, it takes me to a German-language page. I've
| been able to read it using Google's translator; but if there's an English
| page, that would be easier.
| Thank you!
| Jo-Anne

Yes...

http://www.raymond.cc/blog/archives/2008/0...virus-for-free/

It is a little outdated (for Multi-AV v5.00) but Ray may update it for the pending v7.00.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Jo-Anne Posted October 1, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23gSbBfAJJHA.1160@TK2MSFTNGP04.phx.gbl...

> From: "Jo-Anne" <naples@tbcnet.com>
>
> | I've been meaning to ask, Dave, if there's a website in English. When I
> | click on your Multi-AV link, it takes me to a German-language page. I've
> | been able to read it using Google's translator; but if there's an English
> | page, that would be easier.
>
> | Thank you!
>
> | Jo-Anne
>
> Yes...
>
> http://www.raymond.cc/blog/archives/2008/0...virus-for-free/
>
> It is a little outdated (for Multi-AV v5.00) but Ray may update it for the
> pending v7.00.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Thank you again!

Jo-Anne
Guest RJK Posted October 1, 2008

Thank you David, I'd already plucked your Malwarebytes link from one of your recent responses in this NG.

I was too impatient for the Sophos sweep to complete, although it must have been near to completion - it didn't find anything, but, then, I didn't give it a chance! Then I ran AVG 8.0 in Safe Mode - and that didn't find anything. Spybot S&D didn't find anything. Malwarebytes is now up to 46500 odd files and I'll wait for it to complete. I will run Multi-AV properly when I get time.

Worrying of course is that this PC's owner's son had installed two peer-to-peer music sharing applications - BearShare (or bear something or other), and LegalSounds 1.4 ...both uninstalls for those tried to access the web, I noticed! I glimpsed a reference on the web that BearShare Lite was malware free but the "free" version was infected with something or other.

I am tempted to run XP's Transfer my files and settings wizard - output that to USB HD - restore the PC back to the Norton Ghost image I made on 07/27/08 ...and "wizard" that "Transfer my files and settings" archive back in.

.....64,000 still nothing ....darned inconsiderate of them having 17 GB on this boot drive! Malwarebytes is now wading through system32 ...

....earlier I "unimmunized" Spybot S&D and still couldn't drop a new MVP hosts file into the etc folder! ...the hosts file was showing a size of 0 bytes btw!

68178 files still nothing ...

bfn, regards, Richard

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:edk3NJAJJHA.728@TK2MSFTNGP03.phx.gbl...

> From: "RJK" <notatospam@hotmail.com>
>
> | Hi ...just brought home from work a friend's PC that is suffering lots of
> | unwanted ad-windows opening up all by themselves in IE7
>
> | ...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to
> | its boot drive C:
> | ...and it's now running the Sophos sweep.
>
> | ...was this a good start? ...or should I be taking a different approach,
> | than starting off by running these 4 CLS's
>
> | i.e. I've never worked on a PC that's had IE7 compromised in this way -
> | i.e. lots of windows opening all by themselves.
>
> | any tips appreciated, ..TIA
>
> | regards, Richard
>
>
> Richard:
>
> The best solution may be a combo of my Multi-AV and MBAM.
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest RJK Posted October 1, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:edk3NJAJJHA.728@TK2MSFTNGP03.phx.gbl...

> From: "RJK" <notatospam@hotmail.com>
>
> | Hi ...just brought home from work a friend's PC that is suffering lots of
> | unwanted ad-windows opening up all by themselves in IE7
>
> | ...I've just copied David H. Lipman's multi-av / av-cls (in Safe Mode) to
> | its boot drive C:
> | ...and it's now running the Sophos sweep.
>
> | ...was this a good start? ...or should I be taking a different approach,
> | than starting off by running these 4 CLS's
>
> | i.e. I've never worked on a PC that's had IE7 compromised in this way -
> | i.e. lots of windows opening all by themselves.
>
> | any tips appreciated, ..TIA
>
> | regards, Richard
>
>
> Richard:
>
> The best solution may be a combo of my Multi-AV and MBAM.
> Malwarebytes Anti-Malware
> http://www.malwarebytes.org/mbam/program/mbam-setup.exe
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

....Malwarebytes just reported nothing found!

regards, Richard
Guest David H. Lipman Posted October 1, 2008

From: "Jo-Anne" <naples@tbcnet.com>

| Thank you again!
| Jo-Anne

YW :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted October 1, 2008

From: "RJK" <notatospam@hotmail.com>

| ...Malwarebytes just reported nothing found!
| regards, Richard

Run the AV scanners from Multi-AV. Please let them continue through. At least Sophos and Trend Micro w/anti-spyware enabled.

Additionally...

Download Gmer
http://www.gmer.net/index.php

Run a scan with Gmer to see if this is RootKit based, such as TDSSERV.SYS

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff Posted October 1, 2008

On Wed, 1 Oct 2008 22:17:40 +0100, "RJK" <notatospam@hotmail.com> wrote:

> ...Malwarebytes just reported nothing found!

You would appear to have some kind of root kit or malware system that has intercepted the file system drivers and is hiding the malware from any scanner you might install at this time.

If you have other computers available, remove the disk drive from the infected machine and install it as a 2nd drive on a machine with a known clean system and good tools. This will allow you to scan and inspect the infected drive without booting the OS on that drive and without all the malware active.

Otherwise, low-level the HD and reinstall Windows or use the Ghost image as you planned.

Next, make all users on the system normal users; set up the kid as a normal user so he can't install untested stuff. Running as admin or allowing families to share one (admin) login always seems to create trouble on those home PCs.
Guest RJK Posted October 1, 2008

"Geoff" <geoff@invalid.invalid> wrote in message news:smr7e4lv4c8d3eu9qcik9comm89r36dk5v@4ax.com...

> On Wed, 1 Oct 2008 22:17:40 +0100, "RJK" <notatospam@hotmail.com> wrote:
>
>> ...Malwarebytes just reported nothing found!
>
> You would appear to have some kind of root kit or malware system that has
> intercepted the file system drivers and is hiding the malware from any
> scanner you might install at this time.
>
> If you have other computers available, remove the disk drive from the
> infected machine and install it as a 2nd drive on a machine with a known
> clean system and good tools. This will allow you to scan and inspect the
> infected drive without booting the OS on that drive and without all the
> malware active.
>
> Otherwise, low-level the HD and reinstall Windows or use the Ghost image
> as you planned.
>
> Next, make all users on the system normal users; set up the kid as a
> normal user so he can't install untested stuff. Running as admin or
> allowing families to share one (admin) login always seems to create
> trouble on those home PCs.

.....now trying hard to not top post!

Thank you David and Geoff, all help much appreciated.

My prodding and stabbing around in a non-methodical approach seems to have worked for the time being. ....unwanted IE7 windows have stopped appearing - and I dropped a new MVP hosts file into etc and made it read only, ....have checked several times and it's still in there :-)

....will run Gmer tomorrow, ...I've got PrevX here somewhere...

Hooking the HD on as slave on a "good" PC crossed my mind at the outset but I was too lazy, ...which was daft i.e. it would have been a lot faster - have an X6000 on a dual channel board in my 2nd PC!

Will tackle it with a much more methodical approach tomorrow, ....eyes starting to close all by themselves ....zzzzz

regards, Richard
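Two of the clues in this thread come from the hosts file: Richard first found it at 0 bytes with a replacement being blocked, and later restored an MVP hosts file and set it read-only. The script below is an added example (not code from the thread or from any of the tools named in it) that audits a Windows-style hosts file the way a technician would before trusting it: an empty file, names mapped to a local sink such as 127.0.0.1 or 0.0.0.0 (what an MVP-style blocklist looks like), names mapped to some other address (what a hijack looks like), malformed lines, and, for a file on disk, whether it is still writable. The sample hosts content, host names and the 203.0.113.7 address are constructed for the demonstration.

```python
"""Audit a hosts file for the tampering signs discussed in the thread.

A legitimate MVP-style hosts file maps ad/tracker names to a local sink
(127.0.0.1, 0.0.0.0, ::1). A hijacked hosts file maps names to some other
address so that traffic lands elsewhere. An empty file is the symptom Richard
reported. All sample data below is constructed, not captured from a real PC.
"""
import ipaddress
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HostsAudit:
    empty: bool = False                   # no content at all (the 0-byte symptom)
    sunk: int = 0                         # names mapped to a local sink address
    redirects: List[Tuple[str, str]] = field(default_factory=list)  # (name, ip) off-box
    malformed: List[Tuple[int, str]] = field(default_factory=list)  # (line no, raw line)
    size_bytes: Optional[int] = None      # set by audit_hosts_file only
    writable: Optional[bool] = None       # set by audit_hosts_file only


def audit_hosts_text(text: str) -> HostsAudit:
    """Parse hosts-file text and classify every mapping it contains."""
    audit = HostsAudit()
    if not text.strip():
        audit.empty = True
        return audit
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            audit.malformed.append((lineno, raw))
            continue
        ip_text, *names = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            audit.malformed.append((lineno, raw))
            continue
        if ip.is_loopback or ip.is_unspecified:
            audit.sunk += len(names)           # blocklist entry, or plain localhost
        else:
            audit.redirects.extend((name, ip_text) for name in names)
    return audit


def audit_hosts_file(path: str) -> HostsAudit:
    """Audit a hosts file on disk, recording its size and whether it is writable."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        audit = audit_hosts_text(fh.read())
    audit.size_bytes = os.path.getsize(path)
    audit.writable = os.access(path, os.W_OK)   # False for a read-only file, as Richard set
    return audit


def findings(audit: HostsAudit) -> List[str]:
    """Reduce an audit to the short list a technician would act on."""
    out = []
    if audit.empty:
        out.append("hosts file is empty: default localhost lines missing, likely wiped")
    for name, ip in audit.redirects:
        out.append(f"{name} mapped to {ip}: not a local sink, treat as a hijack until explained")
    for lineno, raw in audit.malformed:
        out.append(f"line {lineno} unparsable: {raw!r}")
    if audit.writable:
        out.append("hosts file is writable: consider setting it read-only after cleaning")
    return out


# Constructed sample, not a capture from the thread's PC.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net                  # MVP-style block entry
127.0.0.1       tracker.example.org
203.0.113.7     update.security-vendor.example   # mapped off-box
203.0.113.7     www.firewall-vendor.example
this is not a hosts line
"""

if __name__ == "__main__":
    for item in findings(audit_hosts_text(SAMPLE_HOSTS)):
        print(item)
    for item in findings(audit_hosts_text("")):
        print(item)
```

Run against the real file with `audit_hosts_file(r"C:\Windows\System32\drivers\etc\hosts")` on the machine, or against a copy pulled from a drive mounted on a clean system as Geoff suggests; the text-based function is kept separate so the parsing can be checked offline.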
Guest RJK Posted October 2, 2008

4:30 pm onwards today, ran av-cls: Sophos (2 1/2 hours!), Trend and McAfee found nothing; Kaspersky scan that I just aborted because it was taking so long (it must have had an hour or more) ...I mean - I want to go to bed and sleep! .....found Trojan.Win32.obfuscated.gen and deleted it, in:

c:\docume~1\alluse~1\applic~1\aboutt~1\extrap~1.exe

umm..sob.....sob...sob

regards, Richard
Guest james Posted October 4, 2008

> My prodding and stabbing around in a non-methodical approach seems to
> have worked for the time being.
> ...unwanted IE7 windows have stopped appearing - and I dropped a new MVP
> hosts file into etc and made it read only, ....have checked several times
> and it's still in there :-)

Once infected by a malware, you can never be quite sure it is completely removed, even if the PC is asymptomatic.

The only sure way is to clean install the OS. I usually swap in a new hard drive to do this. This way, any important data on the old drive can be extracted at leisure.

Even for a normal PC, how do you know it is not infected by something?? Virus scanners don't detect everything, especially when run from an infected machine.

Scary.
Guest RJK Posted October 5, 2008

....partially agreed, though you do NOT need to buy a new HD, ...."zero-filling" the HD is as good as buying a new one (sometimes erroneously called a low-level format!) ...i.e. newer/higher density HDs (as I understand it) sometimes cannot be successfully low-level formatted - depends on the stability / thermal characteristics of the type and even the individual HD! ...read lots about it - formed part of the current HD "picture" in my own mind - not sure even if you can initiate a low-level format via the HD's firmware nowadays!!?!!

regards, Richard

"james" <nospam@nospam.com> wrote in message news:erYhEwlJJHA.1304@TK2MSFTNGP02.phx.gbl...

>> My prodding and stabbing around in a non-methodical approach seems to
>> have worked for the time being.
>> ...unwanted IE7 windows have stopped appearing - and I dropped a new MVP
>> hosts file into etc and made it read only, ....have checked several times
>> and it's still in there :-)
>
> Once infected by a malware, you can never be quite sure it is completely
> removed, even if the PC is asymptomatic.
>
> The only sure way is to clean install the OS. I usually swap in a new hard
> drive to do this. This way, any important data on the old drive can be
> extracted at leisure.
>
> Even for a normal PC, how do you know it is not infected by something??
> Virus scanners don't detect everything, especially when run from an
> infected machine.
>
> Scary.