Malware Cleaning Test

A

AndyManchesta

There's been alot of posts recently saying MS Antispy
never finds anything on the system. Here's a example of
what MSAS can do and reasons why the Real Time Protection
is a great feature. I shut down all the protection on my
test system (MSAS,CAeTrust,ZoneAlarm) & used some
malicious sites for about 30 minutes, scanning through
each and clicked a few pop ups to open new sites and pop
ups for screensavers and smileys

I can now see alot of problems like Aurora, IST, Hotbar,
SAH agent and also now have a bogus hosts file setup in
the Windows folder which is set as a hidden file, IE
homepage has been taken over and Im getting constant pop
ups for winfixer & reg cleaners and free ringtones,
Windows Explorer and IE keeps crashing Also Spysheriff
has been installed on the system and the desktop
wallpaper replaced with a spyware warning :)

Used Task Manager to end the process on all the malware
files to make things abit easier.

Run MS Antispy and updated the definitions then run a
full system scan.

It found 38 different malware infections and 1336
infected files and registry entries
(Spyware,Adware,Password Stealer & Trojans)

**See Screen Shots & Results For Info**

Removed everything and let it reboot the system. Got
messages on reboot saying Hotbar was missing files and
did I want to reinstall ?

Opened Add/Remove Screen and removed these

ContextPlus
Hotbar Browser, Weather & Wallpaper tools
Hotbar Outlook Tools
HotBar Shopper Reports
Atomic Clock Sync

The Best Offers - This is listed but once clicked just
displays (A division of Direct Revenue) and gives a
uninstall address at bestoffers so its the same as Aurora
and possibly the new infection coming from them,


Ran MS Antispy Again and it found alot of the same
Malware, 21 infections and 76 infected entries but
everything was detected in system restore
so maybe worth checking this if MSAS shows the same
detections on each scan, I Just flushed the system
restore to remove them.

**See Results**

Aurora was detected twice by MSAS but its still missing
parts to the infection so it will keep coming back, It
also looks like Aurora has changed again as the icons in
the windows folder now match bestoffers icons plus
svcproc is a new variant.


Run Ewido on a full system scan and removed all malware

**See Results**

Rebooted and Checked some files that remained after both
MSAS and Ewido scans at jotti's site

**See Results**

Run Adaware SE and removed everything found

**See Results**

Run Spybot and removed everything found

**See Results**

Still had the spyware warning wallpaper and I couldnt use
the Control Panel>Display option to change it as the
options were grayed out and not active, also most of the
files which I uploaded at Jotti's site still exist on the
system

Run SmitRem (By NoAhdfear) which removed the final part
of the desktop wallpaper Hijack and then was able to
reload the original XP wallpaper :)


I Still had to use Hijack This to fix some entries that
remained (BHO, Toolbar & Run Entries) then rebooted and
used Killbox to remove all the other files I found from
the Jotti scan page

**See Results for list**


The System is now clean again but it took all the above
scanners, Hijack This and then had to remove the final
Trojan/Malware entries that they all missed in the scans
manually. Microsoft Antispy did very well in removing
everything it detected first time but there is alot that
isnt on MSAS's definition list as you will see from the
other scanner results but to be fair to MSAS the other
scanners with latest definitions missed alot of files as
well,


**Results** (6 Text Files)


http://andymanchesta.com/MSAS/results.zip



**ScreenShots** (MSAS Detections and Spyware Wallpaper)


http://andymanchesta.com/MSAS/pics.zip



Andy :)
 
T

Tom

Sounds like MAS faired pretty well considering everything.
At the same time, it does point out to the average Joe
(someone like me) how incredibly labor intensive this all
is, and how much you need to know/do in order to keep your
head above water. To me, it's people like you that will
hopefully make it easier one day for people to be able to
spend their time more productively & not have to worry
about this kind of stuff.
 
A

AndyManchesta

Hey Tom

It was alot of work but this was a nasty infection with
it involving Password Stealers and hidden Hosts files,
anytime Spysheriff gets installed without consent it
takes alot of time to remove the full infection. The same
infection was used by AntiVirus Gold & Security iGuard
and is now being used by PS Guard & Spysheriff where it
downloads Trojans and then Rogue Antispy and displays a
spyware warning which cannot be removed to make some
users who dont have protection use the rogue antispy and
then have to pay for it to remove the problem (Which of
course it wouldnt as they put the infection there),

I think MSAS did great here detecting over 1300 infected
entries and removing them all first time, It did miss a
few files but new variants come out all the time so thats
to be expected. I was suprised that after using all the
scanners I still had about 10 or more Trojans on the
system, they went without a fight but maybe Killbox
helped with that.

To me its programs like MS Antispy, Ewido, Spybot,
Adaware etc.. that can save us all alot of time
especially MSAS through its Real Time Protection, I was
just testing for myself to see is anythings changed and
thought Id use the scanners to see the difference between
the scanners plus was curious if they could clean the
system if used together but I had to use Hijack This and
Killbox for the last 10 or 12 entries as I ran out of
scanners to use :)

I would of sent a spyware report but I still get Proxy
Errors when trying so thought this was the next best
thing, MSAS performed great in my opinion and I hope they
keep adding definitions to keep up with all the junk and
prevent users having to use all these different tools and
scanners to remove the problems.

Keep Up The Great Work MS :blush:)

Andy
 
G

Guest

My Internet Explorer homepage has been hijacked by spyware with the
following address: (http://updatecenter.com/. The site says that I have
been infected and Recommends AntiSpyware Software, PS Guard and Spyware
Trooper, it also has a small screen entitled Microsoft Internet Explorer the
says your PC has been infected with Spyware and recommends you download and
purchase Spyware Trooper. When trying to use the Tools/Internet Options to
change the default home page it seems to let you change it, but the next time
you click on IE it looks like it goes to what you set the home page to, but
before it has a chance to come up it goes to the http://updatecenter.com
again.

I have downloaded the McAfee Security Center - both the McAfee Virus Scan
and the McAfee Personal Firewall and now the Microsoft AntiSpyware Beta 1.
After running all of these it does not detect and delete this one??

Do you know how I can get rid of it and get my home page back?
 
A

AndyManchesta

Hi Skipjack

Sorry for the delay I don't usually check my old topics but the http
side of the newsgroups is down so I thought Id use a newsreader and then
noticed you had replied to this.

Its clear you still have malware on your system which is causing the
hijacks, Smitrem would be usefull here to remove the usual trojans and
rogue products related to this and scanning with Ewido Security Suite
would also clear some of the junk, Smitrem will also reset the internet
start pages and remove restrictions plus run cleanmgr on the system to
clear temp files to it could solve this for you,

Download SmitRem

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Save it to your desktop,Right click on the file and extract it to it's
own folder on the desktop.

Please download, install, and update the free version of ewido security
suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left
menu, then click the Start update button. After the update finishes
close Ewido

Reboot into safe mode (Reboot and keep tapping F8 then choose safe mode
from the list)

Open the smitRem folder, then double click the RunThis.bat file to start
the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your
drive, eg; Local Disk C: or partition where your operating system is
installed.

When thats finished run Ewido again.

From the main menu click on 'scanner' then click 'Complete System Scan'
When ewido finds something, it will pop up a notification. Select
"Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup" then click on ok.When the scan finishes, click
on "Save Report" and save it to your desktop or c:/drive incase you need
it again.

Reboot Back To Normal Mode

Then do a full system scan with Panda's Activescan. Make sure the
autoclean box is checked and Save the scan logwhen its finished.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

This should fix your problems but if it continues just send me a email
as I may not see your reply on here and we can have a closer look using
Hijack This.

All The Best

Andy
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Aurora and System Explorers 4
It doesn't do anything. 2
MS Patch , Any Idea's ? ? 1
How do I get rid of Cydoor and stop Browser Hijacking 2
Hotbar 2
SPYWARE ALERT!!!!!!! 10
Trojan and MalWare 2
Hotbar - Re-Post 5

Top