My system

Guest

Yesterday morning I touched an internet site that immediately opened many
different internet advertising sites. Subsequently, almost every time I move
from site to site, I get one or two ads randomly popping up. My system had
been virtually clean up to that point with routine Norton Antivirus and
SpyBot program runs. Since yesterday morning I have tried everything I could
think of including System Restore. Unfortunately, that wouldn't work either.
I then went looking on the Microsoft site and discovered the Beta version of
the Antispyware program. I loaded the program and ran it four times (plus I
removed the problems) before I had no incidents of spyware problems showing
up. I set a System Restore point and then tried to restore to that point.
No problem at all. I again ran the antispyware program with no problems
indicated. I thought all was okay but when I went on the internet, there
were those damn ads popping up again. My Pop-up blocker has been and still
is at the high setting. I again ran the Microsoft antispyware program but it
did not detect any problems. Unfortunately, I am still getting the ads that
act like pop-ups.

Does anyone know what might be going on and why the newest beta version of
Microsoft's antispyware program won't detect a problem? Thanks in advance.
 
Andre Da Costa

Could you give us a short rundown of some of these ads you are
encountering? Also, do you have a pop-up blocker installed? I would also
recommend restarting in safe mode, open Microsoft AntiSpyware, on the Scan
Page, choose Scan Options > Full System Scan > check boxes below and click
Run Scan Now.

Pop up blockers:
http://toolbar.msn.com
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Guest

Hey Don

Can you please send the address of the site you visited to my email
([email protected])? I will then try it and see if they are infecting
users, and with what, and let you know what you can do to get the system clean.
Most malware will write their addresses to the pop-up blocker's allowed lists,
so finding out what you have on the system is the main part. This sounds like
it may be look2me or Vundo, so I'm interested in what site it's come from. Go with
Andre's advice and if you still have problems you could try the free trial of
Ewido Security Suite and SpySweeper, as they will stop most infections between
them.

Andy
 
Guest

Good morning, and thank you both very much for the reply. I'm in Alaska so
I'm probably well ahead of you all time-wise. Also, I have to go to work
today, so I'll have to respond with a detailed message after work.

Interestingly, Antispyware detected 8 problems this morning... again. I
sure haven't visited that site though. I'll have to research the site. It
was a music lyric site.

More to follow at 5:30 Alaska Time (9:30 pm Eastern).

Thanks again.

Don
 
Guest

Hey Don

Yes, there is a big time difference. I'm in England and I believe Andre is in
Jamaica, so it's a team effort :). If you can let me know the site I'd
appreciate the info, but don't get more problems looking for it. If you
cannot recall the name we can work off what the scanners are detecting. You
could try MS Antispy in safe mode and see if that can clear the problem
(reboot and keep tapping F8, then choose Safe Mode from the list). MS Antispy
is not dealing with some of the new infections very well, so using other
removers could be required. Let us know what MS Antispy has found in the
scans, or details on infected filenames or the site that infected you, and we
can take it from there.

Andy
 
Guest

Hello Andy,

I posted a reply to Andre's questions and now on to yours.

1. I will send you the address by direct mail when I finish here. It was
quick when it happened and it also added an MTV taskbar to my IE program that
was a devil to remove.

2. I found one address in my pop-up blocker I didn't recognize and have
since removed it. The ads seem to be reduced, but not gone completely.

3. I just ran MS Antispy and it came up clean but it did that yesterday and
then on the early morning run it reflected 8 errors. I didn't copy them
down, but I know a few were listed as Adware.Istbar and Adware.Sidefind. If
it reflects problems in the morning I'll copy them and send them on to you.

I gave Andre a list of some of the Ads, so if you want them you can check
the post I left for him. I can't tell you how much I appreciate your reply
and assistance in getting this stuff off my system.

I'm off to send you the site by email.

Thanks again.

Don
 
Guest

Good morning Andy,

The run this morning reflected only two problems, one of which I'd not seen
before. They are:
IST.SideFind (Adware)
AvenuesMedia.DuFuCA (Browser Plug-In)

Off to work.

Thanks, Don
 
Guest

Hi Don

Sorry for the delay, I've just finished work as it's 6.30pm here. I read your
email and one of the sites (anysonglyrics) does infect users with IST
(Integrated Search Technologies). I will reply a bit later when I've checked
what it drops on the system.

Regards

Andy
 
Guest

Hi again Don

On my system it dropped a trojan downloader from IST into the temp folders
which is called (iinstall.exe) and adds an entry in the Downloaded Program
Files folder for yoursitebar, but it doesn't add any other junk even after
rebooting a few times.
Maybe they are changing the install or bundle, but now we know it's only IST
it shouldn't be too much work to get them removed.

Here's a fix for IST (Copy this to notepad and save it so you can still view
it in safe mode)

Download Ewido Security Suite

Download, install, and update the free version of Ewido Security Suite:

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.


Download Ccleaner

http://download.ccleaner.com/download124bin.asp

Now reboot to Safe Mode - Restart your computer and immediately begin
tapping the F8 key on your keyboard. If done right a Windows Advanced Options
menu will appear. Select the Safe Mode option and press Enter.

To return to normal mode just restart your computer as you normally would.

In safe mode go to the Add/Remove screen (Start Menu > Control Panel >
Add/Remove Programs) and remove any of these if found:
(Not all are IST, but they are malware and could come as part of a bundle)

Cram Toolbar
Freeprod Toolbar
Internet Optimizer
ISTbar
ISTSvc
OfferAgent
Powerscan
Sidefind
SideSearch
Slotchbar
SurfAccuracy
Windows AFA Internet Enhancement

After they are removed go to Start Menu, then the C:\ drive, and open 'Program
Files'. Remove the folders for any of the above names (right click and
delete).

Next go to 'Start Menu' and 'Control Panel', then open 'Internet Options'. From
the Temporary Internet Files area press "Settings", then press 'View Objects'.
This will open the Windows 'Downloaded Program Files' folder. Right click
every entry in this folder and press 'Properties'. If they are genuine they
will have the name of who put them in there (Microsoft, Sun, Yahoo, Apple
etc.). If you cannot verify that it's genuine then remove the entry. If it is
genuine then it will be downloaded again next time you visit the site it
belongs to; if it's malicious it will make it easier for junk to download to
your system. In this area you may find xxxtoolbar and yoursitebar, as they are
two of IST's entries.

Run Ewido again. From the main menu click on 'Scanner', then click 'Complete
System Scan'. When Ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup", then click on OK. When the scan finishes, click on
"Save Report" and save it to your desktop or C: drive in case you need it
again.

Run MS Antispyware and remove anything found.

Run Ccleaner and press "Run Cleaner". Also use the Issues feature and scan
for issues, fix any found and run a second time to be sure it shows clear.

That should fix things for you, but let us know if you have any problems.

Regards Andy
 
Guest

Hello Andy,

I appreciate all your help, but I gotta tell you that after an entire
evening of following your very excellent instructions, I still have those
damn ads.

Everything went pretty much as you specified. I didn't find any of the file
names you listed in either the Add/Remove Programs window or the Program
Files. I did, however, find a few suspicious looking objects in the
Downloaded Program Files Folder and deleted same. I ran Ewido and it
reflected 1510 Infected Objects. Took 90 minutes to run. I removed them
all with no problems and saved the report. I then ran Antispyware with no
problems reflected. Lastly I ran CCleaner once with 283.3 MB (I think)
cleaned up and then had to run the Issues feature four times before it came
up with no issues. I fixed them all. I then restarted the system and loaded
up IE and played around a bit and it took maybe all of 15 seconds before the
888.com online casino ad popped up. I also received a Half.com ad on eBay
and many casino ads on POGO as well as a very persistent AMXTravel ad when I
went to check on a pending flight at Alaska Air.com.

My plan is to do this all again tomorrow evening. If you have any
suggestions, I'm open to about anything right now.

Thanks again.

Don
 
Guest

Hey Don

Wow! 1510 infected objects, that's good going. I'm not sure I've ever seen that
much junk removed. If you saved the log, email it to me; it doesn't matter if
you didn't save it, as the main thing is they are not on your system now. There
must be bigger problems than IST if you didn't find any of the folders or
Add/Remove screen entries but still have pop-ups. It's going to be easier to
use Hijack This so I can check your system in more detail and look for other
junk. Sorry you had to do all that work and it didn't solve the problem, but it
sounds like your system needed a clean :)

Some of the ads could be written into the pages you're viewing by HTML code,
but not if they keep re-appearing, so it's best we use Hijack This now so I can
see what's running on your system.

Download 'Hijack This'.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click
HijackThis.exe, and click "System scan and save the logfile".

When the scan is finished it will open the results in Notepad and also save
the log into the Hijack This folder. Can you email me that log? Most of what
it lists will be harmless or even essential to your system, so don't fix
anything at this stage.

Run HijackThis again and from the main menu click on "Open the Misc Tools
section", and then on "Open Uninstall Manager". Click the "Save list" button,
save the file 'uninstall_list.txt' to your Desktop, and post the contents
with the Hijack This log.

Only do this when you have time, but with Ewido removing so much it's time to
get the big guns out :)

Chat Later

Andy
 
Guest

Good morning Andy,

I'm off to work now but I'll send you that file before I leave and I should
have time tonight to complete the HJT actions.

Thanks again,

Don
 
Guest

Hi Andy,

I'm not sure if this means anything, but it (oops, just got interrupted by
an anti-virus pop-up) appears that once I go to a site and stay there, I
only get the pop-ups one time, and if I close them they don't appear again
unless I go out and come back in. Just an observation.

Talk to you later.

Don
 
Guest

Hi Don

I've not had time to check your logs in detail yet but will do in the next
hour and let you know the problems. The pop-ups could be written into the
site if you only get them once when you enter, but if the logs show clear I'd
get the site addresses off you and confirm they do serve pop-ups.

I noticed in your email that you said the Hijack This link I posted doesn't
work for you and you had to get it through a different site. I've just opened
the Hijack attachment you sent and you have nearly every security and antispy
site entered into your hosts file with a 127 entry beside it, so that explains
why you couldn't get the Hijack This download, as they would all loop back to
your own system and give an error page. Some malware has tried to make it hard
for you to get the system clean :)

That's easily fixed, so I'm glad we used Hijack This, and well done for
getting it from download.com as that's not on your blocked list. I will get a
reply together for you once I've checked the logs and see if we can get the
remaining problems resolved.

Andy
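A defender's check for the hosts-file trick described in the post above (security and antispyware sites pinned to a 127.x address so their downloads loop back to the victim's own machine). This is an added example, not code from the thread or from Hijack This; the sample hosts content, the `SECURITY_DOMAINS` list and the function names are constructed for illustration, and only the Python standard library is used.

```python
"""Check a Windows hosts file for security-site lockout entries."""
import ipaddress

# Constructed sample (not from the thread): security-site names pinned to
# loopback beside the normal localhost line and one MVPS-style ad sinkhole.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com     # added by malware
127.0.0.1       www.ewido.net
0.0.0.0         download.microsoft.com
127.0.0.1       ads.example.net         # typical ad-blocking use
192.0.2.10      intranet.example
"""

# Hypothetical list of security/update sites a defender wants reachable.
SECURITY_DOMAINS = {"www.spywareinfo.com", "www.ewido.net",
                    "download.microsoft.com", "www.safer-networking.org"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every active mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blanks
        for host in fields[1:]:
            yield lineno, fields[0], host.lower()


def find_lockout_entries(text, security_domains=SECURITY_DOMAINS):
    """Return (lineno, ip, host, reason) for suspicious mappings."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if host in LOOPBACK_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # A security site sent to 127.x/0.0.0.0 is the lockout; any other
            # sinkhole may be a deliberate blocklist entry, so only note it.
            reason = ("security site sinkholed" if host in security_domains
                      else "sinkholed")
            findings.append((lineno, ip, host, reason))
        elif host in security_domains:
            findings.append((lineno, ip, host, "security site redirected"))
    return findings


def clean_hosts(text, security_domains=SECURITY_DOMAINS):
    """Return the file text with the security-site lockout lines removed."""
    bad = {f[0] for f in find_lockout_entries(text, security_domains)
           if f[3].startswith("security site")}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"
```

On a real machine the text would come from `%SystemRoot%\System32\drivers\etc\hosts`; plain loopback entries for ad servers are left alone because that is exactly how the MVPS hosts file mentioned later in the thread works.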
 
Guest

Hi Again

I sent the fix to your email a while ago. There are signs of the Apropos
rootkit installed, so we can check for that using Rootkit Revealer and remove
it if it exists. The hosts file and IE settings need resetting, and Ewido is
finding trojans in the System Restore area, so I've sent details on fixing them
and starting a fresh restore, and then you shouldn't get any more pop-ups :)

Let us know if you have problems anywhere

Andy
 
Guest

Hi Andy,

I received your email and will start the process when I get a chance. We're
headed to a 60s concert tonight with a group called The Lettermen. Should be
fun being a Baby Boomer and all. Friday is a dinner night out as well, so
I'll probably hit it Saturday morning.

Trust me, it was just dumb luck going to Download.com to get Hijack This.
Nevertheless, I was able to get it to work and I really appreciate all this
work you're putting in for me.

I'll let you know how it all comes out and then maybe we can run the Rootkit
Revealer and take care of that problem as well. Hard to believe I thought I
had a pretty clean system. But I gotta tell you, I never had pop-ups and it ran
pretty smoothly until Saturday when I touched that lyrics site.

More to follow.

Thanks again.

Don
 
Guest

Hi Don

Hope you have loads of fun at the concert :)

No problems regarding the help, I'm happy to assist in removing malware if I
can. There's enough people trying to infect systems, so I enjoy being on the
side that's removing it. Rootkit Revealer is just to be safe, as there could be
the Apropos rootkit installed which would hide entries from Windows and
scanners; that's very easy to remove if it's present.

Some of your problems may have come from that lyrics site, but from looking
at the Ewido log there have been a lot of infections and junk on your system.
The Ewido scanner has really done well for you removing over 1500 entries, so
that's removed most of the junk and we just need to clean up the last few bits
that remain.

From the Ewido log it's showing all these have been on your system:

( IST, iSearch, InternetOptimizer, YourSiteBar, ClearSearch, VX2, AdBreak,
FavoriteMan, IPInsight, TwainTech, SearchFast, SearchEnhancement,
NauPointBar, eXact, PeopleOnPage, KeenValue, SmartPops, 7Search, TrafficHog,
i-Lookup, SideFind, SearchSquire, Winpage, ShopNav, ClientMan, CometCursor,
PurityScan, SubSearch, ToolbarCC, CustomToolbar, SearchExplorer, BrowserAid,
InetSpeak, ezSearching, CoolWebSearch, NewDotNet, Trojan.Aspam, Begin2Search,
SearchCentrix, 404Search, UCmore, HighTraffic, Xupiter, Gratisware, NetPal,
FlashTrack, LinkReplacer, Whazit, TinyBar, ABCSearch, FriendGreetings,
CleverIEHooker, Qcbar, DailyWinner, BandObjects, MoneyTree, IEPlugin,
CommonName, ClearSearch, WurldMedia, 123Mania, SearchEx, Masterbar, AdRoar,
Dashbar, EZCybersearch, BargainBuddy, IeMonit, LOP, SmartPops, MidAddle,
SearchAndBrowse, ZyncosMark, SupaSeek, AutoSearch, LZIO, TX4,
BookedSpace, ASN1exploit, Muulcom , SideStep, iWon, IAGold, Deltabar,
AroundWeb, CnsMin, Bizrate, ZippyLookup, SpiderSearch, ArrowToolbar,
Backdoor.Lixy.B, Clitor, Bukaw, Antispykeylog, PerfectKeylogger, Seek99,
WhistleSoftware, EliteBar, Hijacker.Generic, Commander, LookThruCool,
DynamicDesktopMedia, ProBotActivity, ZipClix, E2Give, HitHopper,
E-booksystems, Msinfosys, YellowPages, 2020Search, PowerSearch, eUniverse,
eZula, 180Solutions, Adlogix, VirtuMonde, BonziBuddy, ZeroPopupBar, Kugoo,
HTMLEdit, Flyswat, BlazeFind, Xlocator, FizzleWizzle, Yandez, WinFavorites,
RedV, Azsearch, Clickspring, iChoose, BaiDu, BDplugin, VividenceConnector,
Praize, OnWebMedia, System61, Webhancer, SpIEMonitoring, Trojan.Delf.cr,
eXact, Dialer.Generic, MPGcom, TrojanDownloaders, SurfAccuracy)

That's a lot of junk. Probably easier to name the spyware you haven't had, as
there's a few nasties in that list :). It's nice to see your logs are nearly
clean now except for those entries I sent in the email that need fixing and
the other clean-up work.

Getting some extra protection products on your system may be a good thing, as
they are all free and could prevent a lot of problems in the future, such as
Spyware Blaster and Spybot Search & Destroy with the Immunize and SDHelper
enabled. Also the MVPS Hosts file or IESpyad may help to add malicious sites to
your hosts file (the same way the malware has added security sites to your
hosts file now to block access, the MVPS hosts file and IESpyad will block
malicious and rogue sites), but I can post links for them to your email after
the last bit of cleaning up if you want to use them.

Chat to you again at the weekend

Regards

Andy
 
Guest

Holy Smokes!!!

How in the world was my system ever working in the first place? And to
think I thought I was doing a good job with the combination of Spybot Search
and Destroy and Norton Antivirus. None of that ever showed up or at least
affected my system to the point that I took notice.

I'm glad there are folks like you out there who like to combat the nasties
that for some reason get pleasure out of anonymously screwing up people's
systems. Good on ya for sure!

The concert was great but the acoustics could have been better. It was in a
sports arena rather than a concert hall. Still nice to hear the old tunes
though.

Take care and we'll chat later. Thanks again.

Don
 
Guest

Donnie, increase firewall and/or Internet site security levels and keep an
eye open for increases in CPU drain, especially when you are at idle! You
will see the critter come out... I promise
 