spyware found

nik krallis

Somebody might want to inform Microsoft that their Spyware
program is not up to date when it says it is. I generally
run 3 different spyware/malicious ware/anti-virus
programs, always betting against each other, and so far
I've had no problems. Today, however, I found 4 different
spyware programs on my computer, which were not picked up
by Microsoft's AntiSpyware program. They are as follows:

Adware:adware/portalscan
HKEY_CLASSES_ROOT\.TE

Adware:adware/wintools
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\STO

Adware:adware/powerstrip
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{669695BC-A811-4A9D-8CDF-BA8C795F261C}

Spyware:spyware/bargainbuddy
HKEY_CLASSES_ROOT\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

If anyone has any suggestions on how I can remove these
programs, please email me at (e-mail address removed). If you
are in the US, you can also call me at 310-770-6426 (or
have Microsoft call me directly).

Much appreciated.
/s/
Krallis, Nik
310-770-6426

AndyManchesta

Hi Nik

You shouldn't really post personal details on an open site,
as it could lead to problems.

What scanners are detecting these?

The CLSID for the Bargain Buddy entry refers to Spyware
Exploit Child Watch. It logs all the keys you type and
takes screenshots; also, it monitors use of IE, but it must
be manually installed. If it was Bargain Buddy you could
have removed the entry The BullsEye Network from the Add/Remove
screen.

To remove it, open Add/Remove Programs and uninstall Exploit
Child Watch.

That should remove it, but you could always search for
these files to be sure:

eitwmon.exe
ecwdinst.exe
eitcwd.exe

And the folder eitcwd from the Program Files area.

For PortalScan there isn't a folder called
HKEY_CLASSES_ROOT\.TE, so maybe double check the spelling
or submit a suspected spyware report to MS if you think
you have a new infection.

For PortalScan check for these files:
------------------------------------
mwsvm.exe
slmss.exe

If you know how to use regedit, delete these, but if you're
unsure leave them and use antispy scanners.

Click Start, and then click Run. Type

regedit

Then click OK.

First go to the Run folder, but DO NOT DELETE IT!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Click Run and, in the right pane, delete the following
values, if present:

"absr" = "[PATH TO FILE]"

and

"slmss" = "[PATH TO FILE]"


Delete the following registry subkeys if they are present,
but again not the main folders:

HKEY_LOCAL_MACHINE\SOFTWARE\slmss
HKEY_LOCAL_MACHINE\SOFTWARE\absr

HKEY_CLASSES_ROOT\CLSID\{3E7145B1-EA07-42CE-9299-11DF39FF54BD}
HKEY_CLASSES_ROOT\CLSID\{34EF5B1C-52CB-400b-8B7C-F787018B3826}
HKEY_CLASSES_ROOT\Interface\{E9D8697E-BEA9-4170-84F3-509AD2A11951}
HKEY_CLASSES_ROOT\TypeLib\{3CD9D85E-1FF2-4BF7-A113-6669B8D1E676}
HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl
HKEY_CLASSES_ROOT\URLLauncher.URLLauncherControl.1
HKEY_CLASSES_ROOT\AdRotator.Application

Exit the Registry Editor.


For Wintools
--------------
That is a Wintools entry, but Wintools cannot be deleted
in normal mode because of 3 interacting files that stop
each other being deleted. Maybe things have improved, but
I've not seen a scanner that can remove this in normal
mode. Again, it's got to be manually installed.

Use this removal tool: download it in normal mode and run
it in Safe Mode (to get into Safe Mode, reboot and keep
tapping F8, then choose Safe Mode from the list).

http://securityresponse.symantec.com/avcenter/FxWebsch.exe

Before doing that remove these from Add/Remove screen if
found:

Search Toolbar, TS Toolbar, and WebSearch

After using the removal tool, reset web settings: go to
Control Panel, then Internet Options, then to the Programs
tab and press Reset Web Settings.


For Powerstrip: this is connected to PortalScan; they are
also referred to as Trojan.Downloader.Win32.Minstaller.

While you're in Safe Mode, look for these folders and delete
them:

C:\Program Files\Power Strip
C:\Program Files\Common Files\Presentia


Click Start, and then click Run, and type

regedit

Then click OK.


Start at HKEY_LOCAL_MACHINE and keep pressing the plus (+)
until you get to the Run folder, then left-click Run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete this value if found:

"LTDMgr"="C:\Program Files\Common Files\Presentia\LTDMgr.exe"

Exit the Registry Editor.



Then it's just a case of cleaning up. Delete temp files by
going to Control Panel, then to Internet Options, and click
Delete Files, including all offline content.

Then go to Start and Run and type

prefetch

Delete the contents of this folder.

Go to Start and Run and type

%temp%

Delete the contents of this folder.

Then clear the Recycle Bin. If you don't have Service Pack
2 and all the critical patches, you should visit them when
you get clean and upgrade. If you have them and all
patches, then just be careful what you download in
future ;)

All the Best

Andy
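The registry values, subkeys, folders and file names Andy walks through above are the kind of list that is easy to mistype when checked by hand in regedit. The following PowerShell script is an added example, not code from the thread or from either poster: it audits every location named in both posts and reports what is actually present on the machine, and it deletes nothing, so the removal itself stays with the manual steps in the post. It assumes an elevated PowerShell session on a Windows machine, that the folder "eitcwd" lives directly under Program Files (Andy only says "the Program Files area"), and it maps HKEY_CLASSES_ROOT as an HKCR: drive because PowerShell does not provide one by default.

```powershell
# Added example (not from the thread): read-only audit of the registry
# locations, folders and file names named in the two posts above.
# Run in an elevated PowerShell session. Nothing is deleted.

# Run-key values the post says to delete if present.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('absr', 'slmss', 'LTDMgr')

# Subkeys listed in the two posts (HKCR: drive is mapped below).
$subKeys = @(
    'HKLM:\SOFTWARE\slmss',
    'HKLM:\SOFTWARE\absr',
    'HKCR:\CLSID\{3E7145B1-EA07-42CE-9299-11DF39FF54BD}',
    'HKCR:\CLSID\{34EF5B1C-52CB-400b-8B7C-F787018B3826}',
    'HKCR:\Interface\{E9D8697E-BEA9-4170-84F3-509AD2A11951}',
    'HKCR:\TypeLib\{3CD9D85E-1FF2-4BF7-A113-6669B8D1E676}',
    'HKCR:\URLLauncher.URLLauncherControl',
    'HKCR:\URLLauncher.URLLauncherControl.1',
    'HKCR:\AdRotator.Application',
    'HKCR:\Interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}',
    'HKCU:\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{669695BC-A811-4A9D-8CDF-BA8C795F261C}'
)

# File names from the post, and the folders it says to delete.
# The eitcwd location under Program Files is an assumption.
$fileNames = @('eitwmon.exe', 'ecwdinst.exe', 'eitcwd.exe', 'mwsvm.exe', 'slmss.exe')
$folders   = @(
    "$env:ProgramFiles\eitcwd",
    "$env:ProgramFiles\Power Strip",
    "$env:CommonProgramFiles\Presentia"
)

# PowerShell has HKLM: and HKCU: drives but not HKCR:, so map it once.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run-key values: record the name and the path it launches.
if (Test-Path -LiteralPath $runKey) {
    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($name in $runValues) {
        if ($null -ne $props.$name) {
            $findings.Add([pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\$name"; Detail = $props.$name })
        }
    }
}

# 2. Registry subkeys: LiteralPath so the braces in CLSIDs are taken as-is.
foreach ($key in $subKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add([pscustomobject]@{ Type = 'RegKey'; Location = $key; Detail = '' })
    }
}

# 3. Folders named in the post.
foreach ($dir in $folders) {
    if (Test-Path -LiteralPath $dir) {
        $findings.Add([pscustomobject]@{ Type = 'Folder'; Location = $dir; Detail = '' })
    }
}

# 4. Files: search the system drive for each name (slow on large disks).
foreach ($f in $fileNames) {
    Get-ChildItem -Path "$env:SystemDrive\" -Filter $f -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = $_.LastWriteTime })
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the locations named in the thread are present.'
} else {
    $findings | Format-Table -AutoSize
}
```

Running this before and after the manual steps gives a checklist of exactly what was found and what is left, which is more reliable than eyeballing regedit, and because it only reads, a typo in the list cannot delete the wrong key.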