Totally Lost: Undetected Spyware?

Thread starter: Guest

Hi all,

I recently purchased a new computer using the XP Home Edition. When I log
onto the internet, seems my computer is automatically sending out data (the
internet connection status window confirms so), even when I log out of IE
(i.e. no browser on) and MSN messenger is switched off. When I set up the
computer I have:

Updated all critical updates for MS components,
Installed NAV 04, updated that with the latest definitions - ran that a few
times

Initially, my NAV found W32.Spybot and I removed the infected files.

When I first discovered this strange activity in my internet connection, I
did a separate scan using Trend.com, ran Spybot S&D - found a few spywares
and removed them. Ran those programs again - clean but my computer continues
to send data out and worse, I also keep getting an obscene website popping up
when I log on to internet (and not even opened IE) - I've since
barred the website but this does not prevent IE from opening automatically to
try to log onto this same website.

I'm a complete amateur and don't wish to ruin my new computer.....totally
lost, can anyone help please?????
 
First, in the Start menu click on run. Type in services.msc. Scroll down
to the service called messenger. Stop it and disable it.
Second, how do you connect to the internet?
 
try the free ad-aware too lavsoftusa.com
update before scan and spybot is version 1.3

also use a better browser like firefox from the hardworking
free source people at mozilla.org

and run a firewall to stop spywares from getting out or in
 
Thanks guys, I will try the other scanners.

FletcherIrwin: Will turning the messenger stop the data flow? Will this
disable my regular MSN (chat) program? I connect to the internet via
broadband dial up (if that makes any sense?).
 
Ooops, sorry guys, it is still "Dave" - I'm still trying to figure out how
this forum works.....(off topic: weird, how did I manage to sign in under a
different name when I was logged in using my net pass, which is this one?).

BTW I have since turned on the firewall in XP (both on the internet
connection network card, and the home LAN (supplied by the ISP)) but data
still flows out.....any other ideas please??

Many thanks
 
Dave,

run netstat -ao from either DOS prompt or Start|Run. this will tell
you what connections you have and what process made which connection.
you can run netstat -h first to familiarize yourself with the utility.
Then post your findings

YZ
 
Thanks YZ, but that went way over the top of my head! As I've mentioned, I am
a complete idiot when it comes to fiddling with computers, beyond using
Windows. Can you please give me a step-by-step? Many thanks

Cheers, Dave
 
YZ, I tried typing netstat on Start/Run (with netstat -ao, it just didn't
run) but the screen just flashed and disappeared! Any way of keeping the
screen there?
 
Whitey said:
YZ, I tried typing netstat on Start/Run (with netstat -ao, it just didn't
run) but the screen just flashed and disappeared! Any way of keeping the
screen there?
XXXXXXXX snip XXXXXXXX

in Start|Run type "cmd" and hit enter
That brings up the "DOS-prompt", where you can type various commands,
such as netstat -h or netstat -ao

Alternatively, you can get to the "DOS-prompt" by going to
Start|Programs|Accessories|Command Prompt (black icon with "c:\" in it)

HTH

YZ
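
An added example, not part of any post in this thread: once `netstat -ao` output has been saved to a text file from the command prompt, a short Python script can group the established connections by the PID that owns them. The sample output, host name, addresses and PIDs below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ao` output (not taken from the thread);
# the remote addresses are documentation-range placeholders.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    dave-pc:135            dave-pc:0              LISTENING       884
  TCP    dave-pc:1045           203.0.113.7:http       ESTABLISHED     1820
  TCP    dave-pc:1046           203.0.113.7:http       ESTABLISHED     1820
  TCP    dave-pc:1051           198.51.100.23:6667     ESTABLISHED     2244
  TCP    dave-pc:1060           192.0.2.10:http        TIME_WAIT       0
  UDP    dave-pc:1026           *:*                                    884
"""

def parse_netstat(text):
    """Yield one dict per connection row; UDP rows have no State column."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, the column header and blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed or truncated row
        yield {"proto": proto, "local": local, "foreign": foreign,
               "state": state, "pid": int(pid)}

def outbound_by_pid(text):
    """Group the remote ends of ESTABLISHED TCP connections by owning PID."""
    by_pid = defaultdict(list)
    for row in parse_netstat(text):
        if row["state"] == "ESTABLISHED":
            by_pid[row["pid"]].append(row["foreign"])
    return dict(by_pid)

if __name__ == "__main__":
    for pid, remotes in sorted(outbound_by_pid(SAMPLE).items()):
        targets = ", ".join(sorted(set(remotes)))
        print(f"PID {pid}: {len(remotes)} connection(s) -> {targets}")
```

Each PID can then be matched to a program name in Task Manager's Processes tab after enabling the PID column under View > Select Columns.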
 
Cool - works on my office computer, thanks YZ, will try when I get home
tonight (I'm in a different time zone...:) )
 
This is my standard answer to people that ask me what to do about an
infected computer, they don't have to be done in this order but I've found
it works best.
TR

Download and run CWShredder from this site:
http://www.spywareinfo.com/~merijn/downloads.html

I would also download and run Ad-Aware, (free) be sure to update it after
you install it. http://www.lavasoftusa.com/software/adaware/

You should also run Spybot Search and Destroy 1.3, (free) be sure to update
it.
(If you have version 1.2 uninstall it and download 1.3)
http://www.safer-networking.org




Then run at least two of these free online virus scan programs,

F-Secure http://support.f-secure.com/enu/home/ols.shtml

RAV http://www.ravantivirus.com/scan/

Panda: http://www.pandasoftware.com/activescan/

BitDefender http://www.bitdefender.com/scan/license.php



After you are sure the machine is clean, download and install
SpywareBlaster(free) to help keep it that way

http://www.javacoolsoftware.com/spywareblaster.html





Download the 30 day trial version of
RegSupreme. It seemed to clean a lot of other leftover things.
http://www.macecraft.com/brief_rs/


Microsoft has a free trial that is good for a year,
It includes an antivirus and a firewall.
www.my-etrust.com/microsoft/

Good Luck,
Tom
 
Thanks guys, you're all a great help. Tom, that's a great summary of
resources.

Will try what is recommended when I get home and post results for others.

Many many thanks...hope it resolves my problem (especially eliminating
obscene website popups!)
 
Right click My Network Places/Properties/Advanced (top toolbar)/Dial-Up
Preferences/Enable Auto-Dial by Location/Uncheck all locations and check off
always ask me before auto dialing. Also, Disable autodial while I am logged
on.

In the Enable Auto-Dial By Location dialog box, select each location for
which you want the automatic dialing feature to operate. Reboot.

Disable or Enable AutoDial (Line 91)
http://www.kellys-korner-xp.com/xp_tweaks.htm

To view the list of names and addresses recorded by AutoDial, type the
following command at a command prompt: rasautou -s

To delete a name or address entry from the list: Start/Run/Regedit

HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses

You can delete any TCP/IP addresses that you see under this key. Note that
AutoDial can use IP addresses, DNS fully qualified domain names (FQDN), and
NetBIOS names.

Disable "Log on using dial-up connection" pop-up message (Line 77)
http://www.kellys-korner-xp.com/xp_tweaks.htm

Modem Automatically Attempts a Dial-Up Connection [Q316530]
http://support.microsoft.com/?kbid=316530
 
Update:

Thanks for all the advice guys (and gal?). I'd first tried getting all the
scans mentioned here, some I was able to download but could not operate due
to the same missing DLL and I was also not able to get onto some sites
(which I understand may be caused by the virus/spyware), meanwhile millions
of bytes of data was continuously being sent out - even when Adware and
Spybot S&D (unfortunately I was unable to use the others as mentioned) found
and removed some new bugs. I guess the damage was so bad, none of the
detectors/removers I had could fix it. As a result I did the classic fix -
reinstalled XP and immediately installed most of the spyware detectors
mentioned here. Not surprisingly, when I ran the scanners before I went on to
MS to get critical updates, bugs were found but this time I guess it was
quick enough as I did not experience any irregularities when I subsequently
went onto MS for the updates. Did my XP critical updates, NAV updates and
now my internet connection stops when I stop surfing :) Although the problem
was not fixed, many thanks for the tips and links peoples - moral of the
story? Not to rely on just the AV and one Spyware detector and ensure all
updates and security settings have been switched on a newly installed OS
before surfing.......I guess you guys all know that....
 
