Lately in our shop, we have been running into persistent adware trojans that defy removal, usually the kind of crap that's picked up from porn sites and other trash. I'm sure it's some kind of CWS variant or something similar. We try all of the tricks of the trade as we know them but with limited results, including editing the registry and so on. Forget AdAware, Spybot and so on. We have had some results by closing the Explorer through task manager and opening regedit and deleting the entry and then unplugging the system so as to dump the trojan in memory before it can refresh itself and recreate the registry entry.
We are getting more and more systems like this that even our experts can't deal with it and we're groping for solutions. We have gotten to the point that if we can't get a grip on it in a reasonable amount of time, it's Format C: time.
I don't think there are any "magic" programs out there or silver bullet solutions. If virus writers ever get the same concepts of stickability that these spyware jerks have, heaven help us.
Any thoughts?
Robert
Discussion on:
The Spyware Of Death !!
If it's a CWS have you tried CWShredder? I had a system with a CWS and no matter what I did I couldn't remove it using all the methods you described and more. I tried that and sure enough it removed it completely from the system after a couple reboots.
I have since added it to my toolkit just for CWS variants, (in addition to multiple spyware/adware and virus scanners since one never catches everything).
Good luck, adware should be a fricken crime.
Thanks for the input but CWS shredder is in the toolbox and it won't touch this stuff. Thanks for the input though.
Last I checked, the creator/maintainer of CWShredder had announced EOL for the utility. Some people have made noises about being willing to take over maintenance of the thing, but I would say you shouldn't expect the same ubiquitous, nigh-infallible performance from it as you previously could, because new CoolWebSearch versions probably won't be addressed as effectively or as quickly as they once were.
C'est la vie. The world moves on.
Great input...We've just implemented & are happy with Spysubtract who (I guess) now own CWshredder. I did not know this was a standalone utility. (We also use Webroot Spysweeper beside it.)
Anyway, we've rolled out Intermute Spysubtract(Enterprise) product which includes CWshredder on two large networks this month. I appreciate (value) your comments & will suggest that additional care be taken with the CWshredder side.
The latest version is 2.1 released this month, so time will tell.
Thanks again!
I'm happy to help. Feel free to hire me as a consultant any time, or even to make full time employment offers to me. My distaste for Windows largely arises from my extensive experience with it, which has the upside for MS shops of meaning that I know my sh*t on the Windows side as well as the *nix side. Heh.
But you'd probably hate the 24" of snow that just fell & the -24C wind blowing out there right now.
Then again, your choice in Operating Systems enjoys that climate.
I'll tell you this though - Once we've worked ourselves out of a job, your real skills will come front and center:
The true Wordsmith.
DAFE2
Y'know, if I were to take a job in that area, it would have to be either A) contract basis with paid travel and expenses or B) relocation paid and a VERY good job offer. I'd have to buy a bunch of new clothing, too.
Thanks for the compliments.
For now anyway, we've successfully implemented spysubtract on many of our networks. It's available here:
http://www.intermute.com/products/spysubtract.html
It includes a tool called CWshredder & others.
Hope you find it useful.
Another major pain is VX2. A finder and removal assist program is available at the link below. I have found it highly effective and the only way to really eliminate VX2. It is for Win 2000 and Win XP only.
http://subratam.org/?page=removal
VX2Finder can be a difficult program to find if you don't already know about it.
Might want to give it a try. VX2 also has new variants fairly often.
Add it to your toolbox.
Dalton
Go to www.download.com and search for adware se version. It's the latest / greatest. It works great and is easy to use.
You've got a typo? I think you meant Ad Aware.
Just google for Ad Aware.
We're trying to avoid Adware right?
The regularity with which I see people refer to Ad-Aware as "Adware" drives me up the wall. I know that some of them must certainly be people trying to push Ad-Aware knockoffs that carry adware payloads and trojans.
It makes me want to just smack someone around when I see that sort of "error" arise, honest or otherwise. I can understand an occasional typo, but most of these have to be more than typos: I'm sure many (aside from intentionally leading people astray) are people that, in many circumstances, would complain about my intent attention to careful spelling.
It is in cases like this that attention to detail in correctly spelling out what you're trying to say most pays off. By not knowing the correct name and spelling, and by not bothering to check through the extremely easy process of a quick Google search, some people are actually leading others astray and causing (further) problems for others rather than alleviating them.
Kudos, dafe2, for catching the error. If only others paid such attention to what they were typing.
Been there, done that, got the T-Shirt.
Thanks for the reply and the concern.
Robert
It is about time that a conscious approach is the only solution. I've noticed that within the past year, spyware, malware, trojans, etc., have been taking over user systems to the point of no real software solution. There are no magic solutions for this sort of activity, even in the virus world. This is prevalent in the existence of removal tools and instructions on your AV's website.
Email address exploitation is something that I deal with everyday. People don't understand that a message can be sent out using their own address. The kind of problems that arise from "social engineering" are becoming more serious. The intelligence of this activity is growing exponentially. I guess that we should feel lucky, in that we will always be employed while there are threats like this floating around on the internet.
As far as viruses go, on my home PC, I encounter a problem maybe once or twice a year. This is usually due to my own stupidity and negligence. Though I have never had to settle for wiping the slate clean and losing vital data, I have had a damaged OS before. This is no big deal in my world, but when it comes to a client's PC, well... I'm sure that we've seen it all. What a pain it is to deal with this garbage.
For protection against malicious ActiveX components, I highly recommend the freeware 'spyware blaster'.
It is not unusual to find hundreds of bad products on even the most 'puritanical' of systems. As for PCs that are used to visit porn sites, over a thousand bad products are common.
I use it on my own system and it finds more bad code after every update.
Greg
Since using AdAware, Spybot Search & Destroy, and AVG anti-virus (all free versions, though I'm going to donate some money to these lifesaving folks and/or upgrade when I get some more cash in my life), I've had little or no trouble with spyware, adware, and/or viruses.
I've also added WinPatrol (also free) which is another great utility for watchdogging registry changes and has a resident icon in the system tray for easy access to lists of services, startup processes, cookies, etc.
I also installed Spyware Blaster (another free basic edition) on advice from one of apotheon's posts and it's been working so well that AdAware hasn't found anything in its last 8 scans.
Check into the following software packages for help (some, I know, you've already used, but I'll mention them all anyway for the sake of completeness). The list is in alphabetical order, and each item includes some (brief?) discussion of its purpose, functionality, usefulness, and quirks. I hope this helps.
Ad-Aware - http://www.lavasoft.com
This is one of the most common and is extremely easy to use. It's a point-and-click GUI interface, and doesn't require much user interaction.
Avast! - http://www.avast.com
This is a very good anti-virus product, and there is usually a free (though slightly neutered) version available. I find it rather more annoying than AVG, and it actually is only marginally more functional than McAfee or Norton AV (though quite a lot less of a resource thief and system hijacker than either, thank goodness). I recommend it only if you are, for some reason, dissatisfied with ClamAV or AVG.
AVG - http://www.grisoft.com
There's a fully-functional, single-system version of AVG (the excellent anti-virus solution from Grisoft, far better in my experience than the installed McAfee and Norton anti-virus solutions combined).
Bazooka - http://www.kephyr.com
This is for slightly more advanced users than most of the rest. If you're comfortable with the registry, but not necessarily an expert, you'll find this extremely easy to use and will probably learn an awful lot while you're at it (if you end up using it a lot). I definitely recommend it when the automated cleanup tools fail you, and for the experienced I recommend it anyway as it is lightweight, lightning fast, and more thorough at detection than the major automated tools. If using the tool in the traditional manner proves problematic, or is not sufficiently complete enough in its treatment of a given issue, you can output raw data logs from system sweeps to a text file and use that to diagnose. Such forms of diagnosis are for experts, though, and a rank amateur runs the risk of screwing up the OS if he does stuff he doesn't understand. Also for experts is using the information from the standard Web-enabled use of Bazooka not only for explicit solutions, but also to glean hints about how to find additional files about which the Bazooka people might not yet know.
ClamAV - http://www.clamav.net
This is an open source, cross-platform antivirus solution, available primarily on the various Unices and on Windows. On Unix systems, it's mainly intended as a virus checker for mail servers (since you pretty much have to be a willing participant for Unix-targeted virus software to do any damage), and the Windows version is a port of the Unix version, so if you're a Windows-only person you may find it not as intuitive at first as AVG. ClamAV is my favorite option, at present, but I'm well-versed in Linux as well, so the Unixlike behavior of ClamAV isn't any kind of detriment for me. It seems to be thorough and highly effective (on par with AVG), though I haven't used it as much as AVG (for instance) yet, both because I don't typically manage mail servers and because I haven't been using it on Windows long, so your mileage may vary.
Firefox - http://www.mozilla.org/products/firefox
I recommend using this browser instead of Internet Explorer. There are other browsers that are probably just as effective on Windows as replacements for IE, in terms of security, stability, and functionality, but this is the one I like and I think it's the one that will be most immediately familiar in the way it works when IE "power users" get their hands on it, and it also offers a lot more functionality that I actually want without burdening me with great scads of functionality that I don't want. This has much to do with Firefox's extensions capability. Note: Even if you, for some reason, cannot or will not use Firefox most of the time, it is a VERY GOOD IDEA to use it when you are engaged in Web-related activity while cleaning up malware on your system. The reason for this is simple: When you already have malware on the system, using IE can cause that malware to (further?) activate even when it is dormant, or when some of the malware's functionality is dormant. Using IE when you currently have malware on the system is just begging for trouble. Unfortunately, the most user-friendly functionality of Bazooka defaults to IE, even if Firefox is the default browser on your computer, but I guess you can't have everything.
HijackThis - http://www.tomcoyote.com/hjt
If you are not an expert, DO NOT USE THIS without guidance from someone (trustworthy) who is. This tool does nothing but show you raw data from configuration files and the like that commonly show traces of malware. It can be used for diagnosis by someone that knows what he's looking for. If you just delete everything it shows you, though, not realizing that a lot of what it shows has nothing to do with malware, I can guarantee that any Windows system you do this with will cease functioning. This is a last-resort tool, if nothing else works. Much of the same usefulness as this can be gained from Bazooka's logfile output, though.
Linux, BSD, MacOS X, and Solaris x86
I don't list URLs for these because there are literally thousands of URLs you can use to get to a solution along these lines. My point here is that for many the solution may simply be to use an operating system other than Windows. The rest of the solutions in this list are very Windows-centric (except for ClamAV). This one is the "anti-Windows". Windows suffers significant security problems, many of which have absolutely nothing to do with its popularity (and, in fact, many server roles that receive attacks all the time are more commonly deployed with one of these OSes instead of Windows, but they still end up being more secure options). If you have the option of migrating some or all computer operations to non-Windows systems, you might try it out. Of the OSes I've listed in this entry, only MacOS X and Solaris are not fully open source. MacOS X is closed source proprietary interface functionality on top of an open source core, and most Solaris implementations are very expensive closed source software though Sun Microsystems is now making a fully open source x86 version available. What open source means to you, among other things, is that you can get it for free if you want to without breaking any laws. For a long-time Windows-only user, though, migrating to another OS is a very involved, often very complex process, if you don't have the aid of a very helpful and knowledgeable friend in the process. If you choose to go this route, you may or may not find that the process can be difficult for a first-timer. If you just want "just works" without being any kind of power user, I recommend MEPIS Linux http://www.mepis.org or SuSE Linux http://www.suse.com/en if you don't have a "guru" handy to help walk you through.
Spybot Search and Destroy - http://www.safer-networking.org
This is my favorite automated GUI tool for cleaning up malware. It's easy to use, very thorough, and very helpful. It also provides active system protection and is always 100% free (unlike its chief rival, Ad-Aware, which has both a pay version and a less-functional free version). When installing, configure it so that it starts in the advanced mode when you open it up (trust me on this), and get into the checkboxes in the configuration to make sure that expert buttons will be shown when using it. Those so-called "expert buttons" should be default, but for some reason they are not. I think that's to help prevent clueless users from accidentally disabling adware that is attached to something like Kazaa, but really you shouldn't have any malware on your system anyway, and if you're willing to keep Kazaa-related malware on your system you may as well let it all in.
Spyware Blaster - http://www.javacoolsoftware.com
This is most renowned for its usefulness as protection, rather than clean-up. It is helpful on both ends, however, and by all accounts does a decent job of it. Because I always use Spybot Search and Destroy, Bazooka, and Ad-Aware before resorting to Spyware Blaster, and because of a great deal of skill in cleaning stuff up even without the aid of such tools, I have yet to run across malware that Spyware Blaster detects and protects against that the others don't. Your mileage may vary.
SystemRescueCD - http://www.sysresccd.org
This LiveCD Linux distribution is a system rescue tool, not an OS offering for desktop system installation. I recommend making a bootable CD with this, if you have the inclination to learn Linux enough to use its utilities. This thing is great for the Linux-competent Windows administrator. When you've got malware controlling your Windows system so that it's "impossible" to fix Windows even by booting into DOS or Safe modes, you can boot your computer from this CD and use Linux-based system rescue tools to clean the crap out. You can also perform a great many other tasks, such as resizing partitions after they've been created (make sure you have backups before trying it, especially with NTFS volumes). This is something that requires skill, though. This is potentially the most useful tool at your disposal out of all those I mention (other than, perhaps, just switching to a non-Windows OS, if that's to your liking), but it is the most difficult (by far) for someone to learn from scratch to properly and effectively use in Windows system maintenance and recovery.
Thunderbird - http://www.mozilla.org/products/thunderbird
NEVER use Outlook Express if you have any reason to believe that you will ever run any risk of coming into any contact with any email-related virus or other malware activity of any kind, ever. Period. If you use Outlook Express, I guarantee you'll run that risk (I'd bet money, and with enough people betting I'd make a very steady living). Just don't use OE. Thunderbird is a pretty much perfect drop-in replacement for OE, but it also has additional functionality, is more intuitive, is far FAR more secure and stable, is not nearly as slow and bloated, and is generally just more spiffy. If you have other email clients that you prefer, that's fine, but whatever you do, avoid OE at all costs. I'm serious (in case you weren't aware).
This post can be linked to using this URL: http://tinyurl.com/7y5f5
Here's a useful general tool that has saved my butt a few times. It is a compiler which creates a minimalistic version of Windows that can be run from CD with certain Windows-compatible software. The compiler has a plug-in interface for easy software installation (provided the plugin has been created).
I did not invest much time into finding a solution to effectively work with spyware apps, but it's worth a look. On the other side, I've found it especially useful to work from a Windows interface that bypasses the system's configuration when I want to edit the registry, run certain scans, change Windows user passwords, etc.
Here's what the website (www.nu2.nu/pebuilder) says:
"Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.
It will give you a complete Win32 environment with network support, a graphical user interface (800x600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.
This will replace any Dos bootdisk in no time!
PE Builder is not a Microsoft product and does not create Microsoft Windows Preinstallation Environment ("WinPE"). Using PE Builder does not grant you a license to Microsoft WinPE or to use the Windows XP or Server 2003 binaries in a manner other than stated in the End-User License Agreement included in your version of Microsoft Windows XP or Windows Server 2003. Microsoft has not reviewed or tested PE Builder and does not endorse its use."
Try Bart's PE... You can make your own tool that will allow you to fix without even being on the OS. It might keep you from having to unplug the machine.
http://www.nu2.nu/pebuilder/
Richard
http://www.trianglespywarerepair.com
I've often used Knoppix to edit my NTFS partitions to help battle viruses. It is a bit of a pain though, because I need to play around with the permissions first. I think that I will check out Bart's PE.
I've used a variety of Bart's boot disks. What a wicked site this guy runs. I've learned so much by simply developing and tweaking his disks for my own personal use.