Adware viruses


Moongold
01-11-2005, 07:50
This is a general query to more technically aware members than I.

In the last few weeks I've been almost bombarded with Adware viruses, all coming from the same computer. I have AVG free virus protection which is updated daily and this has picked all but a couple of infections up. The updates occur in the early morning so there is sometimes a window through which viruses can enter.

One such virus affected my modem and web browser. I had to reinstall the modem several times. The virus captured the web browser and rewrote the addresses each time I tried to log on to any site.

My AVG is the free version which does not provide technical support but I wonder if anyone here knows how I can "report" the computer which sends the viruses, or contact the owners direct. The AVG tracks the virus back to the computer which sends it. I have a sense, but am not sure, that the viruses are being sent deliberately so it would be better if there was someone or some website to which I could complain constructively.

I have a firewall and spyware detectors in place. Not sure what else I can do to protect myself.

Thanks for any advice people are able to give.

Moongold

Jestre
01-11-2005, 09:49
Browser hijacking is, more often than not, a function of spyware (or one of the multitude of search bars) rather than a virus. You didn't say which anti-spyware app(s) you had installed, but I would 1) ensure you have one of the better ones (Microsoft's, Adware, Spybot) and that it is up to date. If you're using Spybot, ensure you have performed all of the inoculation steps. Also, while it is not a cure, simply switching to Firefox can help greatly minimize these effects (and reoccurrences).

J

Moongold
01-11-2005, 10:08
Thanks Jestre ~

I use Adware and it is up to date. And I also use Firefox.

AVG identified that they were viruses - "Adware generic virus" - and they are all slightly different in size and ultimate location in my system.

I am vaguely aware of browser hijackers and have checked out anti-hijacker programs. Most seem to be targeted at IE, which I don't use, though have installed on the PC.

It is a bit puzzling but what I have seems to be holding *IT* at bay. I'd like to stop it happening though. Have rarely had trouble with this sort of thing before.

Thanks again ~

Moongold

Sophie-David
01-11-2005, 11:10
Hi Moongold

I recommend to my computer clients that they install both AdAware and SpyBot. The basic versions are both free. SpyBot is useful in that it can inoculate Internet Explorer to prevent some infections from occurring - but I don't know if it will do anything for FireFox. In order to provide standard functionality and compatibility FireFox would also be vulnerable to many of the things Internet Explorer is.

AdAware is somewhat better at getting rid of spyware infections than SpyBot, but either one will pick up stuff the other missed. Of course, with your AVG and anti-spyware programs, be sure to keep them updated, and use the latest versions.

If you are on dialup you generally don't need a firewall other than the one that XP provides. But if you are continuously online you really should consider a firewall. I understand that AVG has one in the version they charge for. If you have the money, the Symantec Internet Security Suite contains antivirus, antispam and a firewall for less than $100. Independent labs generally find Symantec has the best detect and kill rate, mostly because they have the biggest staff and can respond the quickest to new threats. McAfee comes in a close second, and AVG is a bit behind that - but often good enough, depending on your exposure.

If you have a problem with a particular IP address sending you junk it is best to contact their ISP - in fact that is about the only useful option. It may not be deliberate either, some people just get taken over and don't even know it.

Good Luck - David

Moongold
01-11-2005, 14:43
Hi David, and thank you for the reply :).

I have dial-up at present and am not online for long periods of time generally. I have the XP Firewall installed.

In the last three days I've received 15 viruses that AVG have identified and automatically quarantined. The files are all named differently and of different sizes.

The computer of origin is identified by AVG as 21QH25XAH8Y1W6R. How do I find out what their ISP is, or how do I find out where they are?

I'll take your advice and check out Spybot, as well.

Moongold

Moongold
01-11-2005, 17:30
Hi again David ~

Well, I downloaded the free version of Spybot and found several hundred problems that Adaware had not picked up.

Some of them were in the registry and I had identified them as problems with registry checkers but did not have enough confidence to remove them. Spybot seems to have removed these without any consequence so far but also made a back up if I need it.

I was quite shocked by the number and type of spyware programs/cookies on my system. An annoying flickering advertisement used to appear constantly and that has gone now as well. Thank God.

Oddly enough in the middle of the Spybot scan another virus from the source I named in an earlier post appeared.

Dunno what I'm going to do about these little viruses. It feels as though I'm under attack but at least the AVG stops them.

Feel like casting a spell over my PC this evening. That may work :). It seems like access to the Internet has become quite risky for the moment.

Thanks again for your help ~

Moongold

Sophie-David
01-11-2005, 20:58
Hi Moongold

I'm glad SpyBot found the additional spyware for you. While SpyBot is scanning your hard drive, the file reading process will be monitored by AVG and it will detect any viruses that are present. Also be sure to do a complete scan using AVG after updating it.

BTW, your Ad-Aware version should now be "Ad-Aware Personal, Build 1.06r1". This information is located in the bottom right corner of the main program window.

Is the attack coming in through email in Outlook Express? If it is then it is relatively easy to track down. Use the following procedure to find out where the sender is from:

1) Select the suspect message with the mouse

2) From the File Menu, click on Properties

3) In the Properties box, click on the Details tab. You will see something like this:
Received: from wwu.astro.com [192.53.104.225] by dpmail24.doteasy.com with ESMTP
(SMTPD32-8.05) id A8DF2810206; Mon, 31 Oct 2005 09:48:15 -0800
Received: from wwu.astro.com (localhost [127.0.0.1])
by wwu.astro.com (8.12.11/8.12.11) with ESMTP id j9VHoEiG019730
for <david@innerbeloved.com>; Mon, 31 Oct 2005 18:50:14 +0100
Received: (from root@localhost)
by wwu.astro.com (8.12.11/8.12.11/Submit) id j9VHoD5E019701;
Mon, 31 Oct 2005 18:50:13 +0100
Date: Mon, 31 Oct 2005 18:50:13 +0100
Message-Id: <200510311750.j9VHoD5E019701@wwu.astro.com>
To: David Wilson <david@innerbeloved.com>
From: Astrodienst <novfour@astro.com>
Reply-To: Astrodienst <novfourr@astro.com>
MIME-Version: 1.0
Subject: Seeing the essential
Content-Type: multipart/alternative;
boundary="------------040409040904090202070202"
X-RCPT-TO: <david@innerbeloved.com>
Status: U
X-UIDL: 392444926

The first line is the most significant: "Received: from wwu.astro.com [192.53.104.225] by dpmail24.doteasy.com with ESMTP". This gives the name and Internet address of the sender's mail server (and the doteasy name is my receiving mail server). Further down in the headers, the sender lists his or her name: "From: Astrodienst <novfour@astro.com>" although this may be a lie. This was a bulk mailout from Astrodienst, which I do not regard as spam. [Note to mods: my name and address are public knowledge and do not need to be protected]

4) Enter the sender's mail server name in your Internet browser and see where it leads you. Or you could Google for it. InterNIC Whois (http://www.internic.net/whois.html) should also tell you the registration information for this domain, but their site is often too busy.

5) You could also enter the mail server IP address in ARIN WHOIS (http://www.arin.net/whois/). If you enter this example's IP address ARIN will refer you to RIPE WHOIS (http://www.ripe.net/whois) which will tell you the IP is used by Astrodienst AG. It can be fun to play detective once in a while!

Let me know how it goes.

Cheers - David
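
The header walk-through in the post above, as an added example that is not part of the original thread: it reads the Received lines newest-first, treats only the top hop (the one written by your own receiving mail server) as the address to take to WHOIS, and checks whether the From domain agrees with that hop. The function names and the CONSTRUCTED_PRIVATE sample are assumptions made for illustration; SAMPLE_HEADERS reuses the header lines quoted in the post.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines quoted in the post above (continuation lines re-indented).
SAMPLE_HEADERS = """\
Received: from wwu.astro.com [192.53.104.225] by dpmail24.doteasy.com with ESMTP
 (SMTPD32-8.05) id A8DF2810206; Mon, 31 Oct 2005 09:48:15 -0800
Received: from wwu.astro.com (localhost [127.0.0.1])
 by wwu.astro.com (8.12.11/8.12.11) with ESMTP id j9VHoEiG019730
 for <david@innerbeloved.com>; Mon, 31 Oct 2005 18:50:14 +0100
Received: (from root@localhost)
 by wwu.astro.com (8.12.11/8.12.11/Submit) id j9VHoD5E019701;
 Mon, 31 Oct 2005 18:50:13 +0100
From: Astrodienst <novfour@astro.com>
Subject: Seeing the essential

"""

# Constructed sample: the top hop shows a private address, so a public
# WHOIS lookup has nothing to work with.
CONSTRUCTED_PRIVATE = """\
Received: from relay.example.net [10.0.0.5] by mx.example.org with ESMTP;
 Tue, 01 Nov 2005 10:00:00 +0000
From: Someone <someone@example.com>

"""

BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Split one Received: value into claimed name, peer IP and recording host."""
    value = " ".join(value.split())            # undo header folding
    head = value.partition(" by ")[0]          # the "from ..." part only
    helo = re.match(r"from\s+(\S+)", head, re.I)
    by = re.search(r"\bby\s+([^\s;]+)", value, re.I)
    ip = None
    for m in BRACKET_IP.finditer(head):
        try:
            ip = ipaddress.ip_address(m.group(1))
            break
        except ValueError:
            continue                           # bracketed text that is not an IP
    return {
        "helo": helo.group(1) if helo else None,   # name the sender claimed
        "ip": str(ip) if ip else None,             # address the recorder saw
        "by": by.group(1) if by else None,         # server that wrote the line
        "routable": bool(ip and ip.is_global),
    }


def trace(raw_headers):
    """Return the hops newest-first, in the order they appear in the message."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def whois_target(raw_headers):
    """IP from the top hop only; lower lines were written by other machines."""
    hops = trace(raw_headers)
    if not hops or not hops[0]["routable"]:
        return None
    return hops[0]["ip"]


def from_matches_handoff(raw_headers):
    """Heuristic: does the From domain agree with the top hop's host name?"""
    msg = message_from_string(raw_headers)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = trace(raw_headers)
    helo = (hops[0]["helo"] or "").lower() if hops else ""
    return bool(domain) and (helo == domain or helo.endswith("." + domain))


if __name__ == "__main__":
    for hop in trace(SAMPLE_HEADERS):
        print(hop)
    print("WHOIS lookup target:", whois_target(SAMPLE_HEADERS))
```

A mismatch from from_matches_handoff is not proof of forgery, since bulk mail is often sent through third-party servers; it only says the From line should not be taken at face value.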

Moongold
02-11-2005, 05:22
David ~

Thank you for all your time with this.

The viruses don't seem to be coming via email.

I did query the WHOIS data base and found three records for the said sender but need to spend more time to find more, and I don't have that right now.

But this is a beginning and I don't feel so helpless now.

Moongold

mysticmonkey
02-11-2005, 05:38
They might be coming from a site that you visit regularly. When you get those annoying pop ups on some sites to install software or an odd message with just an ok button don't press it if you don't know what they are for. Instead hold alt+F4 and the pop up should disappear. Otherwise you could be giving permission to download all sorts of nasty software.
Also stay away from toolbars that a lot of sites like you to download. They are often actually spyware.

Are you the only person with access to this computer? I'm asking because a lot of this stuff tends to come from sites where people are trying to get something for nothing and others exploit this by advertising free mp3s etc but what you actually get is spyware which they use to try and get your details and sell them on etc..
Maybe someone else in your family is using the computer in this way but don't know what to watch out for.
Just a thought.

Moongold
02-11-2005, 05:44
Thanks Catbaloo,

The viruses have been arriving in the last four days, and I haven't really been anywhere but Aeclectic and a few other Tarot and astrology sites. I visit some photography sites (Australian) regularly as well.

I don't usually download free stuff having some time ago had an awful experience with a screensaver. I think my nasty lingering pop up was a legacy of that but it's gone now thanks to Spybot.

Best wishes ~

MG

Kahlie
02-11-2005, 06:09
Glad everything went ok =)

Another great free program is HijackThis, but I think the developer stopped working on it. It's one of the programs that really helps removing extra bars that keep popping up on explorer. (I don't use it, but many people do)

Usually, what you are talking about, is people trying to get to you, through your IP. If that doesn't change, and they know it, they can continue to attack you. Norton also has a service online to check for viruses and protection on various ports against Trojans. (But it is extremely hard to find on their website, so I always google it)

Besides that, another good idea is to check your Windows Task Manager, switch to the processes tab, and check all the tasks on Google to see if they form threats. Most sites are very helpful with threat level etc.

Kahlie

gregory
02-11-2005, 06:20
It may be worth giving any information you have to your ISP - they aren't keen on hijacking either..... and they may be able to identify something more that you could block.

What firewall are you using ? ZoneAlarm doesn't seem to let anything like that through - and it's free, too. Glad to hear you like SpyBot - it killed my computer - and a friend's too.... :( We both found it deleted something critical.....!

Tarotwytch
02-11-2005, 08:31
A website I find really useful at times is

http://www.answersthatwork.com

This has a task list which explains what the items are in your task list and what you should do about them, if anything.

Also CrapCleaner can be downloaded from

http://www.ccleaner.com

and this will clear out cookies, temp.files, URL history as well as having a registry cleaner.
Both are worth taking a look at.

Lillie
02-11-2005, 08:45
If you know the 'number' of whatever site/person is sending this, then you should be able to block that number specifically with your fire wall.

I have sygate, and I can do that easy.

Moongold
02-11-2005, 13:37
Thank you all for your help. It has been sensible and productive and I feel much less besieged by these vexatious and potentially dangerous assaults on the PC.

A couple of years ago I nearly lost everything to a virus, but had a back up. Viruses can be terrible things. I have many photographs that I have not backed up and would hate to lose. Must do something about those now.

Thanks again for your help :).

Moongold

Dark Inquisitor
02-11-2005, 14:12
Welcome to hell my friend. I am so sad to hear that you are having these troubles! As you know, I have been dealing with my own critical computer issues. I have the cleanest system known to man, according to all the scans. Hahhaha. And it doesn't matter a lick.

Get free SpywareBlaster - that will PREVENT loads of crap from getting in before it can start trouble. Once you are satisfied that you are free of it all, use their system snapshot feature in case you might need it one day.

In Spybot, be sure to click on the Advanced tab and enable the Tea Timer, which will alert you to anything trying to change your registry and let you say yes or no. There is also a section where you can lock your hosts file and your start page. And, after any updates, be sure to press the IMMUNIZE button!

In the CCleaner, go to the advanced options and enable getting rid of temp files less than 48 hours old. Be careful what you check to have cleaned though.

Get free HijackThis and run it to see what suspicious things may have been added to your startup. Unfortunately, some evil things masquerade as legitimate programs though, and it's hard to tell sometimes.

Go to the Symantec downloads section and save the shell reset tool to your desktop, in case you can't get rid of something that restarts when your computer does.

Many of these tools can be messed with, and their settings changed without you even knowing or being alerted. It can be good to keep their setups saved on your desktop in case you want to reinstall them from time to time if you suspect they aren't working right.

Most of the antivirus programs can be disabled without a hint either. You really have to keep close tabs on those. They all catch different stuff.

It's best to run the scans in Safe Mode. Are you up to date with your Windows Updates? You can be very vulnerable if you're not. If you have a critical update notification enabled, unfortunately that can be nuked too and you won't even know that there is something you need.

Since you mention that your internet situation has changed recently, it is possible that your new provider doesn't use as much security filtering as your previous one. A lot of my problems started when I moved and had a change like that.

I hope some of this will help- let me know how it goes.

WalesWoman
02-11-2005, 15:07
It's one of those funny coincidences, I just spent the last couple days trying to get some crap off this computer. My son typed "Skye sucks" on Google... you can imagine the crap that got on here... and stuff trying to hijack or at least spy on me. ARRGH! I figured out how to use parental controls in Norton Internet Security. I think it was $30 well spent. I realized that I need to copy my blocked cookies and web pages from "Internet Options/Security/Unsafe Sites" and paste them in the "personalization" of the firewall. I guess I was hoping that it would read it from my settings and do it automatically. Darn!

There are some good places to get advice on what Hijack This! picks up on its scan... there are some programs that come loaded with tracking and adware on them... like anything with AOL. But HP also uses Wild Tangent and Back Web for some of the programs that come loaded with the computer. They have their counterparts that can muck up the computer, so you have to know which "flavor" Spybots S&D or AdAware or Hijack This zero in on.
But they do have the feature to put things back if you discover some programs won't work properly.

http://www.tomcoyote.com/ and another place, net integration are excellent help sources for figuring out what you have mucking things up. There is a forum and lots of helpful people who know their way around the system.
I haven't heard of crap cleaner, but it sure sounds appropriate. I had a whole lot of places that had info on spyware and malware and sneaky nasties, but they were lost in the hard drive crash of Spring 2004. But you even have to watch out for some of these places that offer to find your bugs... they add their own... I swear!

I've also done some explores in Program files and Windows from the hard drive, and gotten rid of a lot of cookies and temp internet stuff manually. I'm glad Spybots takes care of the registry, I have avoided that spider web altogether.
It seems you should have an option to block particular addresses and I know there is a place to report this stuff... I've got to remember where I saw that at.
I just got an email from them... how fortuitous!!! ;)
http://net-integration.us/forums/index.php

gregory
02-11-2005, 16:09
A couple of years ago I nearly lost everything to a virus, but had a back up. Viruses can be terrible things. I have many photographs that I have not backed up and would hate to lose. Must do something about those now.
I back EVERYTHING up to CD every couple of days..... (leaves you with heaps of clean space to work in too !!!) :D

HOLMES
03-11-2005, 08:03
here is what happened to me..

i didn't believe in adware, and spyware until i took my old computer in to get dvd installed.
i said did someone try to take over my computer ? they said no ..
it was already taken over .
as i had the store record for spyware over 400 at least.

so i quickly got educated about it. especially since i have a new computer.

first about avg free edition.
it doesn't pick up spyware,, just anti virus. so that is a different matter.
i know for i had it for months on my computer and never picked up any adware, or spyware,,
for i ran my other programs and i pick them up like hell.

so you need a good antivirus program i recently picked up defender pro for i needed a quick antivirus program fighter.
it is cheap but it did some awards so i figure it can't be that bad.

key loggers are spyware that detect what key strikes are struck at a site and use those key to figure out passwords. a guildmate had his account hacked at wow from such a trojan which antivirus may not pick up.

so looking at the programs out there that are top rated at cnet download.

here is what i currently use.
the latest adware.
the latest free version of spyware doctor
spybot search and destroy
defender pro antispyware.

you can also buy spysweeper at the stores for 30 bucks with a one year subscription i test out the free version every now and then just for good measure.

and defender pro antivirus.
i wouldn't mind getting the new norton antivirus/spyware program out there as well.

so my advice for you is,
adware latest build and version.
free version of spyware doctor at cnet, that rules in my book.
spybot

don't get rid of avg,, but get norton, or mcafee, or even defender pro all in one.
and get a firewall going as well after updating all windows.

DarkElectric
04-11-2005, 01:05
Good grief, how do I get spybot? Or some of the other free goodies people have mentioned? I'm having some trouble too...

Emily
04-11-2005, 01:57
A couple of years ago I nearly lost everything to a virus, but had a back up. Viruses can be terrible things. I have many photographs that I have not backed up and would hate to lose. Must do something about those now.
Moongold

Hi Moongold,

Don't leave your backing up until it's too late - last year I lost my complete hard drive - everything on it - I'd only backed up the work files but all my files, emails, personal letters, photos - everything else was lost.

I learnt my lesson - now I back up everything and I have a memory stick - which is a good job because my laptop failed again a couple of weeks ago and again everything was gone - not a problem this time, I just re-installed from the back-ups. :)

gregory
04-11-2005, 02:05
Good grief, how do I get spybot? Or some of the other free goodies people have mentioned? I'm having some trouble too...

For adaware, go to www.lavasoftusa.com

For free antivirus, www.grisoft.com (gets you AVG) (the free version, if you have trouble finding it, is here (http://www.grisoft.com/doc/40/lng/us/tpl/tpl01))

For anti pop up, to www.panicware.com

For a good free firewall to www.zonelabs.com (Holmes - you could use this !!! It is great fun watching it ban things !!!!)

For heaps of good and entirely safe stuff (except that I did not appreciate my personal experience with spybot) here (http://www.vnunet.com/downloads/) is where I always look first - and most of these are there !

Dark Inquisitor
04-11-2005, 06:24
www.majorgeeks.com will have all the links you need, and new developments too.

Unfortunately, my upgrade to WinXP and ZoneAlarm 6 security suite is not helping my situation much. The attacking pest has reappeared. Apparently it can't be caught by antivirus and firewalls. I am going to have to get a trojan hunting program that will nuke it before it can start and do a hard drive wipe and reinstall. (AGAIN)

Here's some scary reading:

http://www.nsclean.com/bodetail.html

I am going to try demo versions of Trojan Hunter and Ewido and see what happens.

gregory
04-11-2005, 06:38
One thing to bear in mind..... there ARE sites that offer free scans etc - and then say you have 40 zillion things on your machine and if you pay heaps of money we will clean them out. If you then say no thanks, they will have left all KINDS of junk behind - which may include trojans etc. Quite often these are the same people that put out scare sites like the one you've read ! (Trojans are BAD EVIL THINGS - but that site is OTT, IMHO !)

Incidentally, if you use kazaa (is that the name of that music thingy ?), that leaves all manner of rubbish; innocuous ? I don't think so !!! I cleaned out a friend's machine after her nephew had been using kazaa for a year and it was barely crawling along - there were over 4000 bits of spyware, several bits of malware and 3 viruses... and it had hijacked her browser.) If I were you I would try some web forums about this first - other sufferers tend to be more reliable than sites that want your money. Here's one (http://www.cexx.org/adware.htm) and here's another (http://forums.vnunet.com/) - which has just sorted out a horrid problem I had with outlook....!

Dark Inquisitor
04-11-2005, 06:54
One thing to bear in mind..... there ARE sites that offer free scans etc - and then say you have 40 zillion things on your machine and if you pay heaps of money we will clean them out.

This is very true - especially if you are clicking on ads for them. There are review sites you can visit that will sort them out for you.

In my case, all the most highly rated scans say I have nothing! But I've been chasing this thing for months now while it tries to block pages, screw up my cd burner, change my start page, disable my email. (I know you're in there, worthless bastard..) I think I got my problem from one of the rare times I was listening to a music clip to decide if I wanted to buy a cd, but I don't have any music download programs going on.

You're right though, the tech forums are often a much better and easier source of advice than regular customer support.

Kahlie
04-11-2005, 07:01
One thing to bear in mind..... there ARE sites that offer free scans etc - and then say you have 40 zillion things on your machine and if you pay heaps of money we will clean them out. If you then say no thanks, they will have left all KINDS of junk behind - which may include trojans etc. Quite often these are the same people that put out scare sites like the one you've read ! (Trojans are BAD EVIL THINGS - but that site is OTT, IMHO !)


OTT? I only use sites of famous anti-virus companies... Norton is not a company that would do such a thing... others however... I would not trust so easily.

Kahlie

Dark Inquisitor
04-11-2005, 07:08
OTT? I only use sites of famous anti-virus companies... Norton is not a company that would do such a thing... others however... I would not trust so easily.

Kahlie

I think maybe the reference was to the site I posted. But, when it happens to you and you see what something can do with your computer and no one can even identify it or stop it, it might not be so over the top after all.

HOLMES
04-11-2005, 08:23
http://www.download.com/Adware-Spyware-Removal/3150-8022_4-0.html?tag=nav_dir
reviews of antispyware programs

http://www.pctools.com/spyware-doctor/
spyware doctor site

there is a pay version of course but they offer a free version as well

there is also a free 30 day trial version of the antivirus program they offer which i think i will download to compare it to avg the free version.

O_O
04-11-2005, 10:31
Hi Moongold,

Don't leave your backing up until it's too late - last year I lost my complete hard drive - everything on it - I'd only backed up the work files but all my files, emails, personal letters, photos - everything else was lost.

Which is why I also use online file storage...

http://www.xdrive.com/

And for my photos I use...

http://www.photobucket.com

Very good places to store my files just in case my hard drive is emptied accidentally or on purpose.



Ace
04-11-2005, 10:49
Holmes, my brother beats you: he had 3000 (yes, that is three thousand!) spyware cookies on his machine. I have explained to him (again) about updating anti-viral software regularly and adding Adaware....
Ace

O_O
04-11-2005, 11:05
3000!!! :eek:







gregory
04-11-2005, 19:26
3000!!! :eek:

ER - see my earlier post at 4000 + other rubbish (NOT my machine; ZoneAlarm is a great firewall, and I NEVER download music - given the frequent bad consequences it is cheaper in the long run to buy the CD !!!)

I have a niggling recollection of spyware doctor leaving junk itself. I absolutely agree that Norton, McAfee and Sophos sites are reliable, but there are a heck of a lot out there that grab you and scare the shit out of you - and leave Evil Things to boot.

O_O
04-11-2005, 22:45
I have a niggling recollection of spyware doctor leaving junk itself. I absolutely agree that Norton, McAfee and Sophos sites are reliable, but there are a heck of a lot out there that grab you and scare the shit out of you - and leave Evil Things to boot.

Yeah, you really can't win because all downloads leave stuff behind, then you download something to get rid of that stuff and it leaves stuff too. Never ends.
Sorta' like the cure making you sick. :laugh:




gregory
04-11-2005, 23:01
I cannot resist pointing out that this is what is called iatrogenic disease. I do like a long word !!!!

(And I DO agree. Even AT leaves stuff - just NICE stuff, of COURSE !) :cool4:

Ace
05-11-2005, 03:23
Incidentally, if you use kazaa (is that the name of that music thingy ?), that leaves all manner of rubbish; innocuous ? I don't think so !!! I cleaned out a friend's machine after her nephew had been using kazaa for a year and it was barely crawling along - there were over 4000 bits of spyware, several bits of malware and 3 viruses... and it had hijacked her browser.)


You are right, Gregory, I didn't read all the posts carefully, your friend's is my new record! But Sandy doesn't use Kazaa, so his came from just carelessness and surfing the web regularly.


ALL websites put in cookies, yes including AT. That is how they tell when you were here last. Cookies by themselves are not bad, but malicious cookies and spyware can quickly slow down your machine, that is why spybot or AdAware is so important.
Ace