Help! I cannot remove spyware

twitchin

I'm running Windows XP (SP1 with all security updates) with the latest
McAfee Virus-scanner and firewall, and having trouble removing certain
spyware. Namely Topmoxie, WinAD, 180 Solutions and Blazefind. Ad-Aware
finds and removes them, but as soon as I do so, Ad-Aware Watch pops up and
tells me a Registry Modification has been detected and Topmoxie re-appears.
The others return randomly within minutes. I've tried other spyware
detectors such as Spybot, BPS, and XoftSpy with the same results.

How can I erase these for good? TIA.
 
Malke

twitchin said:
I'm running Windows XP (SP1 with all security updates) with the latest
McAfee Virus-scanner and firewall, and having trouble removing
certain spyware. Namely Topmoxie, WinAD, 180 Solutions and Blazefind.
Ad-Aware finds and removes them, but as soon as I do so, Ad-Aware
Watch pops up and tells me a Registry Modification has been detected
and Topmoxie re-appears. The others return randomly within minutes.
I've tried other spyware detectors such as Spybot, BPS, and XoftSpy
with the same results.

How can I erase these for good? TIA.

Here are the normal spyware removal steps. My understanding about
XoftSpy is that it adds more spyware to your system, but don't quote me
on that. To make sure it is a good program, you can check out these
links:

http://www.netrn.net/spywareblog/
http://www.spywareguide.com/index.php
http://scumware.com/
and the forums on AumHA are always excellent:
http://forum.aumha.org/ - look under "Security" for various forums

You will note that my removal instructions call for doing the scans in
Safe Mode. This is key. Also, it is a good idea to always first look in
Add/Remove Programs. WinAD will have a removal program there. The
uninstaller probably won't get rid of everything (scumware lies), but
start there first.

With the BlazeFind trojan, after you remove it and before you shut down,
check and make sure the following registry key is correct:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit string value should be:

C:\WINDOWS\system32\userinit.exe,

On the damaged installations it's one of these:

C:\WINDOWS\system32\wsaupdater.exe,
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe,

Note the trailing comma, which should be there.

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions;
2) remove spyware with Spybot Search & Destroy
(www.safer-networking.org) and Ad-aware (www.lavasoftusa.com). These
programs are free, so use them both since they complement each other.
You may also want to run CWShredder and HijackThis from
http://aumha.org/freeware.htm. Although CWShredder is no longer being
updated, it will still clean older variants of the CoolWebSearch
malware. If you do not have success with this, there are new removal
steps at http://www.silentrunners.org/sr_cwsremoval.html. A combination
of HijackThis and About:Buster (http://www.majorgeeks.com) works well
in removing homepage hijackers. Always read the instructions before
running a spyware removal tool. Be sure to update these programs before
running, and it is a good idea to do virus/spyware scans in Safe Mode.
Make sure you are able to see all hidden files and extensions (View tab
in Folder Options);
3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).
4) make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update;
5) run a firewall.

Malke
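
The Userinit check described in the post above, as an added example that is not part of the original thread. The function names are hypothetical, the expected path is the one quoted in the post (it assumes Windows is installed in C:\WINDOWS), and the live read uses Python's standard `winreg` module on Windows only.

```python
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Expected value as quoted in the post; assumes the default install directory.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"


def _norm(path):
    # Windows paths are case-insensitive and may use either slash.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def audit_userinit(value, expected=EXPECTED):
    """Check a Userinit string: only the expected binary, trailing comma kept."""
    entries = [e for e in value.split(",") if e.strip()]
    unexpected = [e.strip() for e in entries if _norm(e) != _norm(expected)]
    has_expected = any(_norm(e) == _norm(expected) for e in entries)
    trailing = value.rstrip().endswith(",")
    return {
        "ok": has_expected and not unexpected and trailing,
        "unexpected": unexpected,
        "trailing_comma": trailing,
    }


def read_live_userinit():
    """Read the live value from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# The three values quoted in the post: one good, two damaged.
SAMPLES = [
    r"C:\WINDOWS\system32\userinit.exe,",
    r"C:\WINDOWS\system32\wsaupdater.exe,",
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe,",
]

if __name__ == "__main__":
    values = [read_live_userinit()] if sys.platform == "win32" else SAMPLES
    for v in values:
        print(v, "->", audit_userinit(v))
```

Any entry listed under `unexpected` is launched at every logon, which is why the cleaned spyware comes back until the value is restored.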
 
TDP

twitchin said:
I'm running Windows XP (SP1 with all security updates) with the latest
McAfee Virus-scanner and firewall, and having trouble removing certain
spyware. Namely Topmoxie, WinAD, 180 Solutions and Blazefind. Ad-Aware
finds and removes them, but as soon as I do so, Ad-Aware Watch pops up and
tells me a Registry Modification has been detected and Topmoxie re-appears.
The others return randomly within minutes. I've tried other spyware
detectors such as Spybot, BPS, and XoftSpy with the same results.

How can I erase these for good? TIA.

Disable "System restore" then run your Adaware then enable "system restore"
(nasties can be hiding in restore points). TDP.
 
twitchin

TDP said:
Disable "System restore" then run your Adaware then enable "system restore"
(nasties can be hiding in restore points). TDP.

Thanks for a good suggestion but it never worked.
 
Al Smith

Disable "System restore" then run your Adaware then enable "system
restore"



Thanks for a good suggestion but it never worked.

If I were you, I'd disconnect the computer from the Internet by
unplugging the data cable (if you are on a high-speed connection).

Then I'd disable System Restore and everything else I could
disable. By that, I mean I would go through Windows XP, especially
Internet Explorer, and systematically turn off everything that was
set to run automatically, or was not explicitly required for
Windows to run.

Then I'd boot into Safe Mode, and run my antivirus software (which
should be current in its virus definitions), and my AdAware and
SpyBot Search and Destroy -- taking note of any malware any of
these programs might happen across, particularly registry entries.
Check the logs.

I'd manually go through my file system and manually delete
anything that looked hinky to me -- or anything specifically
mentioned by the antivirus or spyware removers that they hadn't
already removed.

Then I'd reboot and see what the situation might be, before
reconnecting to the Internet.
 
Guest

twitchin said:
I'm running Windows XP (SP1 with all security updates) with the latest
McAfee Virus-scanner and firewall, and having trouble removing certain
spyware. Namely Topmoxie, WinAD, 180 Solutions and Blazefind. Ad-Aware
finds and removes them, but as soon as I do so, Ad-Aware Watch pops up and
tells me a Registry Modification has been detected and Topmoxie re-appears.
The others return randomly within minutes. I've tried other spyware
detectors such as Spybot, BPS, and XoftSpy with the same results.

How can I erase these for good? TIA.

If you're using Ad-Aware 6 build 181, read this "very important" in regards to
Blazefind!
http://www.lavasofthelp.com/articles/v6/04/06/0901.html
 
CWatters

twitchin said:
I'm running Windows XP (SP1 with all security updates) with the latest
McAfee Virus-scanner and firewall, and having trouble removing certain
spyware.

I had a similar problem. The bloody stuff repairs itself...

The solution I found was to...

1) Run Ad-aware, pest patrol etc

2) use the task manager to kill any processes that were suspect - look them
up on the web using google or here...
http://www.sysinfo.org/startuplist.php

3) Then remove any similar entries from the startup (run msconfig)

4) Then run Ad-aware, pest patrol etc again.
 
Rock

twitchin said:
I'm running Windows XP (SP1 with all security updates) with the latest
McAfee Virus-scanner and firewall, and having trouble removing certain
spyware. Namely Topmoxie, WinAD, 180 Solutions and Blazefind. Ad-Aware
finds and removes them, but as soon as I do so, Ad-Aware Watch pops up and
tells me a Registry Modification has been detected and Topmoxie re-appears.
The others return randomly within minutes. I've tried other spyware
detectors such as Spybot, BPS, and XoftSpy with the same results.

How can I erase these for good? TIA.

Make sure you are doing the cleaning in safe mode. If all else fails
run HijackThis and post the log to one of the specialty forums, _NOT_
this one:

HijackThis
http://www.majorgeeks.com/download.php?det=3155

Forums to Interpret HijackThis Logs:

http://www.spywareinfo.com/forums/
http://forum.aumha.org/viewforum.php?f=30
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/
 
