| | #1 (permalink) | |
| im having some trouble getting rid of the spyware. I used Ad-Aware SE to try and get rid of them, but every time i run it, it finds at least 20-23 critical items (a few processes, registry keys, modules and a file). these things wont seem to go away, any advice? | ||
| | | |
| | #4 (permalink) | |
| Etiquette & English Gentleman | Is your PC still connected to the net while you're doing these scans? It could be you've got some particularly pernicious malware that will reinstall itself - the usual advice is to get Ad-Aware & Spybot Search And Destroy, check for the latest updates & install them, then unplug before scanning. Nerdz - Microsoft AntiSpyware? Well, if it works for you, but of the antimalware s/w I've tried, it does the least convincing scan I've seen. Ad-Aware takes at least 5 minutes to do its thing, Spybot takes around 2 & a 1/2 mins, but MS's offering takes about 10 seconds ... I just don't believe that's thorough enough. | |
| | | |
| | #6 (permalink) | |
| The best way to get rid of all spyware is to boot into safe mode, open SpyBot Search and Destroy, then after running the search, right click on each found entry and tell it to search for it in the registry editor. Delete the corresponding registry key that pops up (confirm the key in Spybot's window first). Physically find all of the things that Spybot finds and physically delete them, don't let the program do it for you. Just be careful when using the registry editor. Don't delete anything unless you have verified that it can go (via Spybot). | ||
| | | |
| | #7 (permalink) | |
| You're also well advised to go into the temp folders in safe mode and remove all the temporary files and temp internet files for safety's sake.
C:\WINDOWS\Temp
C:\temp (if it's there)
C:\Documents and Settings\***XP USERNAME***\Local Settings\Temp (remove all inside this folder)
C:\Documents and Settings\***XP USERNAME***\Local Settings\Temporary Internet Files (remove all inside this folder) | ||
| | | |
| | #10 (permalink) | |
| the moment something suspicious pops up on my system, i use the following procedure to remove it, regardless of the severity or lack thereof...

- i begin by running these programs, in this order...
  1. MS Antispyware
  2. AdAwareSE
  3. Spybot S&D

  I update each before doing a FULL / DEEP / COMPLETE scan, not the "quick" scan most of them are set to by default.
- once that is finished, i run MSCONFIG from the RUN dialogue (start / run) and once it's opened, the 2 tabs that i check are SERVICES and STARTUP. in the SERVICES tab, i check the "Hide all Microsoft Services" checkbox at the bottom, and anything left in that list goes through a google search to check whether it is, in fact, spyware, or a common safe process that should be left alone. in the STARTUP tab, i carefully examine each entry, and anything that i do not recognize, i do a google search for, again to check the credibility of the process...once i am done, i save, and when asked to reboot, i do so...
- while the system is rebooting, use F8 to go into the safe mode (with networking), and basically DO ALL OF THE ABOVE AGAIN, this ensures that any rogue process or hijack that would have normally started on a system reboot gets shot down while the system is at its least vulnerable. make sure at this point to OPEN THE TASK MANAGER and check for weird named processes, google for them, and stop those that come back as known spyware...
- reboot into normal windows, and check the running processes again, if any suspicious processes are left, you can try a couple of things...
  - Google for a removal tool to eliminate that particular piece of spyware
  - manually delete the filename by doing a system wide search for the name of the process
  - see if the process is related to something you installed (and shouldnt have) and see if uninstalling this offending software eliminates the offending process (note, spyware that comes with an uninstaller will usually go to great lengths to stop you from doing it, by either playing on your emotions [weatherbug] or flat out pretending to be locked up [bullseye network], so be patient, and dont fall for this cheap sh1t...

once all is said and done, and you have followed these steps pretty closely, you should have at least removed the majority of your problem, and should be prepared for whatever crap finds its way on your system...

one more thing to consider, www.antivirus.com, use the free online scan, it's free, fast, WORKS, and will sometimes find malicious trojan-like processes/files that are missed by other reputable spy/malware scanners...

EDIT: the antivirus link above should only be used with IE, unfortunately the Netscape/Mozilla support is virtually nonexistent, and even with the patches and whatnot, i could not get Firefox to work with it, so dont try, just use IE....

Last edited by Fu3lman; 02-June-05 at 08:14 AM.. | ||
| | | |
| | #11 (permalink) | |
| UPDATE: well, ive gotten rid of most of my spyware problem, but now im being plagued by something else. Something got rid of the "Internet Options" option in the "Tools" menu in IE (version 5.5), likewise w/the Folder Options thing in Windows Explorer, and when i try to "Customize this Folder" it tells me that the folder has been marked as read-only or my administrator has disabled this function, which is impossible because i have no administrator (im using ME by the way..), and the folder isn't marked as read-only. i thought this was a virus so installed PC-cillin 2000, updated it and scanned for viruses and it came out clean. any ideas as to what this is? | ||
| | | |
| | #12 (permalink) | |
| install mozilla firefox, and never open internet explorer again.... CLICK HERE NOW....and NEVER look back! | ||
| | | |
| | #13 (permalink) | ||||||||||||||||||||||||
Is this safe to do? | |||||||||||||||||||||||||
| | | ||||||||||||||||||||||||
| | #16 (permalink) | ||||||||||||||||||||||||
teh_google_saber is on dialup...so i guess theres no hope? I went to antivirus.com and ran the free online scan. turns out some of the files in C:\_RESTORE are infected with a Trojan that adds/modifies a "NoFolderOptions" key in the registry. apparently changing the dword value from 1 to 0, or deleting the key altogether solves the problem, but it hasn't worked for me. Im going into safe mode later to get rid of the problem. | |||||||||||||||||||||||||
| | | ||||||||||||||||||||||||
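The check mentioned in post #16, as an added example that is not part of the original thread: it parses a registry export (the text file `regedit` writes) and reports every hive where `NoFolderOptions` is still non-zero, since clearing it in one place does not clear it in the others. The `Policies\Explorer` key path is the standard Windows location for this value and is not stated in the thread; the sample export and all function names are constructed for illustration.

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from the thread).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"nofolderoptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Example\Settings]
"NoFolderOptions"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')
# Assumption: Explorer restrictions live under a key ending in this suffix.
POLICY_SUFFIX = r"\policies\explorer"
WATCHED = {"nofolderoptions"}  # the value name given in post #16


def find_active_restrictions(export_text, watched=WATCHED):
    """Return (key, value_name, dword) for each watched value that is
    non-zero under a Policies/Explorer key in the export text."""
    hits = []
    current_key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")  # a new [key] section starts here
            continue
        m = DWORD_RE.match(line)
        if not m or current_key is None:
            continue
        if not current_key.lower().endswith(POLICY_SUFFIX):
            continue  # same value name elsewhere has no policy effect
        value = int(m.group("hex"), 16)
        if m.group("name").lower() in watched and value != 0:
            hits.append((current_key, m.group("name"), value))
    return hits


if __name__ == "__main__":
    for key, name, value in find_active_restrictions(SAMPLE_EXPORT):
        print(f"{key}\n    {name} = {value}  (restriction active)")
```

Re-running it on a fresh export after a reboot shows whether something is writing the value back.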
| | #17 (permalink) | |
| I use this little program....It smacks spyware all day long.... BPS Spyware & Adware Remover http://www.bulletproofsoft.com/ | ||
| | | |
| | #18 (permalink) | ||||||||||||||||||||||||
| Allrighty then. Spybot Search and Destroy is a very nice program I definitely recommend that. But HijackThis is even better. Do not go ahead and delete everything it finds. Some things are essential to programs you are running. It finds a lot more than most. Try other means first if you are nervous about using it. I'd say it's like sending god after a wingless fly. Read the directory location of the files and use your better judgement. Ask someone for help if you're unsure about removing things too.
| |||||||||||||||||||||||||
| | | ||||||||||||||||||||||||
| | #19 (permalink) | |
| being on dialup is no excuse for not downloading Firefox....i havent had a single piece of spyware infect my computer since i have been using it, and running it in tandem with the microsoft antispyware has pretty much made spyware a forgotten memory... going to Firefox will make your current issues irrelevant, and relying on IE to work without problems is like letting a 3 year old handle your high powered finances.... get firefox, and throw IE to the dogs...no excuses... Last edited by Fu3lman; 26-June-05 at 09:49 AM.. | ||
| | | |
| | #20 (permalink) | |
| Apex Tech Maniac | depending on the severity of what I get, I have a different set of procedures for different levels:

if it falls into the "annoying classification" (i.e. pop-ups, additional toolbars, crap that you generally can't kill easily/readily); then this is my procedure:

- run Spybot, Ad-aware, and HijackThis
- check the windows task manager for malicious processes running
- attempt to end those processes, if they start back up
- run msconfig, and check for the startup tab to see what's listed
- run regedit and the hunt begins until they're all removed
- usually might take a couple of tries; then try to end the processes again. And delete.

If I can't delete it right away, usually a reboot cycle will be sufficient to release it from the system. Rarely do I have to jump into safe mode to clean stuff up.

If I sense that there is something running, and I have no idea what it is, but it's making my hard drive go crazy (with SCSI drives, you can tell when it's doing something, wanted or not.) If I see it in the task manager, and it's also taking up all CPU power/time, I pull the plug - literally - to stop whatever it is that it's doing. (It's windows, it can handle that.) Then I go and track down what it is.

Also check in your %WINDOWS HOME DIRECTORY%/system32 for malicious hidden programs. If you need help on how to "unhide" hidden files, and display all extensions, let me know. Clearing your temp directories also does help, but not all the time.

If you're unsure as to what programs got started/loaded up to begin with, go to %WINDOWS HOME DIRECTORY%/Prefetch. There will be a list of files, and if you look at the filename, it will tell you what has been loaded recently. That's another place to go to pick up on filenames for crap on comp.

Finally, once all that's said and done, see if you can remember the URL where the crap came from. If you get pop-ups, assuming that it's not a barrage of them, right-click in the window, and bring up the source. See if there are any URL's/URI's that you don't recognize and add those to your firewall block list. (Yes, it does grow quite extensively.)

If at all possible, try not to use a Windows-based system to go online. (I still can't believe they deleted my post about surfing PR on Solaris on Mozilla 1.4.) If you have an older computer lying around doing nothing, make it into your *nix firewall. Linux (Such as Red Hat 9) has that option built in natively that you can select to install when configuring the system. Solaris x86 has that as an "add-on" that you can download from Sun (search for "SunScreen 3.1 Lite"). They offer the best protection, and re-route your internet through that. Else; just surf the net with that. Store any files that you download on your *nix box, and scan the file over the network before you transfer it to your Windows system.

Hope it helps.

*Addendum* If it screws up your IE, try and see if you can get one of your friends to download Netscape or Firefox or SOMETHING! Else; a system rebuild is almost imminent. (hint - keep a backup copy of Netscape or whatever it is that you should resort to as a back up should IE fail.)

If you use AOL, get rid of it. It attracts way too many of it. (One of my friend's gf is on AOL, and she gets 30-50 things that pop up on spybot everytime she runs it (which is almost on a daily basis now)). Open ports, ads, etc...via AOL makes AOL just as bad as Outlook.

Which brings me to my other point - if you use Outlook, get rid of that too. Notice how almost all of the major viruses and crap goes through Outlook. By now, most people should have been like "hmmm...let's see...lots of crap *looks at screen of Outlook* wonders why I am still using it?" But...unfortunately, well...people are still using it. *sigh*

Last edited by alpha754293; 26-June-05 at 08:13 PM.. | |
| | | |