KNOWN SPYWARE ON COMPUTER WINDOWS DEFENDER DIDN'T FIND

Arlykat

Hi. I found out today that I have spyware on my computer by talking with my
server's rep. (Comcast). I have Windows XP Svc Pack 2 up-to-date
automatically, I have Internet Explorer 6 with all updates for it and Windows
is up-to-date automatically. I have McAfee Security on my computer. I went
to download Windows Defender and wasn't sure which one to use so I chose
W.Defender 64. Went thru the installation process only to have an error say
something about computer not being compatible with it. Sooooo, I went back
and installed plain W.Defender with no problems. Did the auto scan after
download complete and it ran a quick scan and found no problems. Here is the
known problem on my computer.

Went to sign in on my Comcast homepage - it periodically has signed me out.
When I put in my info to sign in I got a Warning. This is what it said and
the aftermath of my reading more about the problem. SECURITY ALERT : Name on
Security Certificate is invalid or does not match the name of the site.
(Knew I had a problem then.) I right clicked on properties and this is mostly
what I have copied, there is gads more of tech. info and numbers I didn't
copy. VIEW CERTIFICATE: Certificate is intended for following purposes:
Ensures the identity of a remote computer. CERTIFICATE PATH: VeriSign Class
3 Public Privacy CA, VeriSign Class 3 Secure Server CA. * doubleclick.net.
CERTIFICATE ISSUED TO: *doubleclick.net. Issued to: VeriSign Class 3 Secure
Server CA. VALID FROM 9/5/07 - 9/8/08.

Now, the Comcast Rep. said that certificate was definitely not theirs and it
was spyware and directed me to Microsoft. Again, immediately after
downloading Windows Defender it automatically ran a quick scan (which was not
all that quick, like 17 minutes or so). It found no problems whatsoever on
my computer.

SOOOOooooo, - WHAT IS THE VERY EASIEST WAY FOR ME TO GET THIS DOUBLECLICK
OFF OF MY COMPUTER FOR GOOD? I appreciate the help I know I am going to
receive so I thank you in advance. Arlykat
 
Engel

Hello Arlykat,

- WHAT IS THE VERY EASIEST WAY FOR ME TO GET THIS DOUBLECLICK
OFF OF MY COMPUTER FOR GOOD?

Follow the links here:

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview





Windows Defender is generally a reactive application. It tends to deal with
spyware after it is already on your computer.

If you're looking for protection before it can download to your computer,
you'd perhaps be interested in SpywareBlaster.

<http://www.javacoolsoftware.com/spywareblaster.html>

SiteAdvisor
<http://www.siteadvisor.com/preview/>


YOU must have the expertise since it is your choices and education that
dictate how secure is your system.


<http://www.bleepingcomputer.com/forums/tutorial49.html>

SpywareBlaster will block bad ActiveX and harmful cookies from getting on to
your PC in the first place. Just download and install the program. Open
SpywareBlaster, check for and download updates, then 'select all' to protect
against all items checked. That's it! Just return to check for updates every
couple of weeks.
SpywareBlaster prevents the installation of malware onto your system.
SpywareBlaster is a tool that is run once, vs continual running in the
background. Its working principle can be described as follows: many spyware
and hijackers make certain registry entries and are identified by CLSIDs.
SpywareBlaster has a database of these bad CLSIDs. When you run
SpywareBlaster once, it sets the kill bit of the bad CLSID as "1". This means
the specific CLSID is killed, or not allowed to register, preventing
installation of the spyware. SpyBot S&D has a similar feature. SpywareBlaster
also has a minor feature of importing a list of blacklisted cookies into
Firefox.


You are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHOs that you don't recognize.


I hope this post is helpful, let us know how it works out.

Engel
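
Added example, not part of Engel's post and not SpywareBlaster's own code: on Windows the kill bit is the 0x400 flag in the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, so an exported copy of that key shows which controls are blocked. The CLSIDs, flag values and function names below are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE loading the control

# Constructed sample in regedit export format; the CLSIDs and flag values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{99999999-8888-7777-6666-555555555555}]
"Compatibility Flags"=dword:00800400
'''

KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer'
    r'\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$', re.IGNORECASE)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.IGNORECASE)

def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for each ActiveX Compatibility key in the export."""
    flags, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith('['):
            key = KEY_RE.match(line)
            current = key.group(1).upper() if key else None
            if current:
                flags.setdefault(current, 0)  # key present but no value yet
            continue
        value = FLAGS_RE.match(line)
        if current and value:
            flags[current] = int(value.group(1), 16)
    return flags

def killed_clsids(reg_text):
    """CLSIDs whose kill bit is set, whatever other flag bits are present."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if f & KILL_BIT)

def missing_kill_bits(reg_text, blocklist):
    """Blocklisted CLSIDs that are not killed on this machine."""
    killed = set(killed_clsids(reg_text))
    return sorted(c.upper() for c in blocklist if c.upper() not in killed)

if __name__ == "__main__":
    print(killed_clsids(SAMPLE_REG))
```

A real regedit export in this format is saved as UTF-16, so decode it to text before passing it to `parse_compat_flags`.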
 
Bill Sanderson

Arlykat--I can see that the appearance that you saw was convincing, but I am
not convinced.

However, I believe that Engel's links will lead you in the right direction.

If you choose to post in a specialized anti-malware forum, such as those at
castlecops, just describe the issue objectively.


There are a lot of shades of gray in this world.

Doubleclick.com is a marketing firm owned by Google.

It appears to me that doubleclick.net is a part of that operation.

They provide banner ads on many Comcast pages.

You should not have seen a doubleclick certificate on a Comcast URL, but I
wonder if this certificate was somehow related to an ad URL.

Here's the issue--although certificates have been and will continue to be
used by malware purveyors to try to trick folks into thinking they are
legitimate--in this case, Verisign and Doubleclick are both legitimate
businesses (subject to those shades of gray I mentioned...)

Issuers of Certificates have been fooled before, but given the clean bill of
health you have from Windows Defender, I'm tending towards some
misinterpretation of events, rather than malware.

However, recalling those shades of gray again, Windows Defender does not
scan for or remove cookies--and cookies are a major staple of any Internet
marketing outfit, Doubleclick included.

So--you may want to try another anti-malware product as well--many of them
will call out certain kinds of cookies--and in general, it does no harm to
remove the ones considered risky by reputable anti-spyware products.

Have you tightened security on your system in some way recently? Have you,
for example, added information to your HOSTS file to help interdict ads?

Doing this may have an effect which could lead to circumstances such as you
recount here--instead of seeing the ad, you get a credentials prompt on your
screen. The credentials prompt comes from the ad provider, not Comcast.

I can't explain exactly why this happens, but I've seen it myself, as have
many others. Using the hosts file in this way probably isn't the best way
to block ads.
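
Added example, not part of Bill's post: the alert quoted in the first post appears when none of the names in the presented certificate matches the host that was requested. The sketch below applies the usual wildcard rule to each connection made while loading a page and reports whether a mismatch belongs to the page itself or to a sub-request such as an ad. Every host name other than the certificate name from the thread (written here as `*.doubleclick.net`) is an assumption, and the function names are hypothetical.

```python
def name_matches(hostname, cert_name):
    """Match one certificate name against a requested host name."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # "*" never covers more than one label
    if pattern[0] == "*":
        # wildcard is accepted only as the whole left-most label,
        # with at least two fixed labels after it
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern

def name_mismatches(page_host, connections):
    """Return the connections that would raise the name-mismatch alert.

    connections: list of (requested_host, names_in_certificate) seen while
    loading one page. Each result is (requested_host, "page" | "sub-request").
    """
    alerts = []
    for requested, cert_names in connections:
        if any(name_matches(requested, name) for name in cert_names):
            continue  # certificate is valid for this host, no alert
        source = "page" if requested.lower() == page_host.lower() else "sub-request"
        alerts.append((requested, source))
    return alerts

# Constructed sample of one page load.
PAGE = "www.comcast.net"
SAMPLE = [
    ("www.comcast.net", ["www.comcast.net"]),         # normal page connection
    ("ad.doubleclick.net", ["*.doubleclick.net"]),    # ad host, certificate fits
    ("www.comcast.net", ["*.doubleclick.net"]),       # the case the alert describes
    ("adserver.example.com", ["*.doubleclick.net"]),  # mismatch on an ad request
]

if __name__ == "__main__":
    for host, source in name_mismatches(PAGE, SAMPLE):
        print(f"name mismatch on {host} ({source})")
```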
 
Arlykat

Hi Bill,

I sorta understand what you are telling me about the gray areas of this
problem. To answer your question, no, I have not or had not done anything
with my security to tighten it up in any way. The only changes would have
been from updates to McAfee that I have auto download. My computer still
isn't acting right, lagging where it shouldn't on bringing up comcast
homepage, doing all sorts of something to make tower make noise and showing
the timer out of nowhere and then showing that something changed by my
watching the line at bottom turn blue as it was adding or changing something
while the timer spun. I haven't gone to the sites suggested above but I will
be doing so. I hate all this crap. Thanks much. Arlykat
 
Bill Sanderson

Thanks - I don't have an explanation for what you are seeing, then. As to
the lags, etc--I've seen this kind of symptom a number of times on machines
I administer. For example, I've seen a pair of machines with near identical
specs as to hardware and software installed, where one has very poor
performance comparatively--CPU is always pegged. After much investigation,
the issue turned out to be a poorly written printer driver from HP, and not
malware.

You certainly need to investigate, but don't leave out the mundane when
searching for the esoteric.
 
