About:Blank, CWS Hidden.dll, Startpage.16.M, se.dll
rik February 27th, 2005, 04:51 AM Let me start by saying that like so many other people I have been fighting to remove this crapware from a system that I have been working on for a friend. It's a Windows 98 box that I have worked on for a couple of weeks now and thought I had this whipped but now I've spent most of the day attempting to remove a foe that I knew little about.
After some in-depth research I have found that this is one of the most prevalent and stubborn pieces of malware I have ever faced, and I'm still not sure that I have beaten it. I have installed almost all of the most popular and highly recommended spyware removal/preventative apps that this and most sites have suggested.
AVG antivirus finds the Startpage.16.M and says that it removes the culprit but doesn't. CW Shredder finds and removes CWS Hidden.dll but it comes back. The SpyBot Tea Timer is running in the background, yet when About:Blank shows that it is trying to be set as the new Home Page and you Deny that change, it doesn't seem to work.
Obviously this is some kind of a blended threat that one or possibly many apps cannot protect against.
The list of apps I have used is as follows: Ad-Aware SE, SpyBot, SpySubtracter, KillBox, CWS Shredder, HiJack This, and About:Buster.
Now again this is an ongoing battle as I have indicated. It appears that I have won at this point but I enjoy this victory with guarded suspicion.
Anyway in my search I have found some great articles on Browser Hijacking and Preventative measures that can be taken. These come from WWW.SPYWAREINFO.COM and are written by Mike Healan. http://www.spywareinfo.com/articles/hijacked/#removal and http://www.spywareinfo.com/articles/hijacked/prevent.php are links to great articles and maybe these links can be added to our own Removal Thread in an effort to educate our users and help those that find themselves in the same position that I'm in. Also here is the CLSID / BHO List / Toolbar Master List from another great board that I frequent, CastleCops, http://computercops.biz/CLSID.html that can help in identifying different Browser Helper Objects and Internet Explorer Toolbars.
As I said I think that I may have won with the help of all these different apps, boards suggestions, and some determination but we shall see.
More to follow...
FastGame February 27th, 2005, 05:09 AM I'm glad you posted this, I just got a PC in today that is so infested, I think it has every spyware/trojan that's in the wild :eek:
They have the HP recovery CD but I'm going to take on the challenge of cleaning it first :rolleyes:
Curio February 27th, 2005, 13:23 PM One of the problems is that if the CLSID remains in the registry and you visit a page that calls that CLSID, it will re-install with no user notification or interaction required. HijackThis is the top tool for all this stuff along with killbox and some brain power.
Other very useful resources can be located at
www.subratam.org
www.hijackthis.de (Log parser - good forums)
www.iamnotageek.com (now has a HJT log parser too - woohoo!)
www.spywareguide.com (online spyware cleaner - X-Cleaner really is excellent)
There are new spyware variants coming out regularly but not as often as 6 months ago - perhaps they are running out of ideas? The worst ones tend to have multiple points of startup and to use random filenames which can change on reboot. Along with this two or more processes may watch each other and restart any constituent killed process automatically - for these you need a dummy benign executable to replace the process executables. I made one which also rewrites the .exe .bat .com .cmd etc... default actions back to %1 %* whenever it is called.
rik February 27th, 2005, 21:54 PM Ok, I'm still on the trail of this @&$%#@ware. It's been a very long day, but it seems like I've made some progress. I wanted to keep posting links to some of the info that I have found in case anyone might find it useful. Obviously Google is the first tool in my box, but not everything found has helped. Due to the nature of this beast it "morphs" itself. Filenames change, installed locations and Registry entries also change, so one person's fix may not be the next person's fix.
Anyway, here is the next info link that has helped. http://www.scanspyware.net/info/180SearchAssistant.htm
Again, all entries were not in this computer, so hopefully I am still on the right road. Good Luck to you in your quest...
Dehcbad25 February 28th, 2005, 02:39 AM I had some that were difficult to get out on every computer that I got lately, but most were because of password protected accounts (removing the password fixed it [almost])
As I mentioned, running from a live CD got the most persistent out of the system. HijackThis also is a must. MS AntiSpyware was useful also, but I don't know if it runs on W98 (I doubt it)
Best solution, install Linux J/K
Did you use msconfig to check what is starting up?
Check the hosts file (HijackThis should be able to look it up) and the redirections for the search and blank pages. I haven't cleaned a W98 machine for a long time (about 6 months) so I can't remember all that I did
rik February 28th, 2005, 13:35 PM The MS AntiSpyware doesn't work on Win 98, although I didn't realize this until I d/l it and tried to use it. :( Another oddity was the complete lack of a hosts file. Dunno if that's normal for 98 or not. Also MSCONFIG was the first place I looked ;) but Thanks Dave. The really time consuming part was going through the registry. This weekend alone I probably spent 10 hours on this machine. For a Friend...Now I have another one being shipped to me from a relative.
FastGame February 28th, 2005, 14:00 PM The really time consuming part was going through the registry. This weekend alone I probably spent 10 hours on this machine.
That's about what I went through with the PC that I got the other day. Next time they're getting a format & reinstall :p
cash_site February 28th, 2005, 22:11 PM It doesn't sound good, these blended threat models are a HUGE pain to get rid of... the worst ones are starting to use old Mainframe coding techniques for DLL injection... that way they can morph and attach to any valid process and re-spawn the malware :eek:
Unless it is impossible to back up data, a reformat is the best solution... It might take 1 - 2 days to format and install all apps, but better than 2 weeks of hair-pulling over a stupid morphing hijacking piece of crapware!!
Curio February 28th, 2005, 22:28 PM Some of the new variants are real buggers which require some specialist treatment - did a VX2 variant today which is one of them. Luckily some kind and knowledgeable souls have written some great tools to aid in their removal, VX2Finder being one of them. Although I got rid of everything I could I still got a message on boot about some dll error which ended in the words 'random.dll, UMonitor'. FindVX2.bat located some lovely dlls for me which I removed with killbox and my own dummy file (about 10-14 dlls in all). Once you get the methods right it doesn't take that long - about an hour.
At the moment my method is
1. HJT first time
2. HJT second time using dummy files to replace those which HJT first time didn't cure (swapped out via pocket killbox).
3. If there are nasty ones, go to VX2Finder, AboutBuster, regedit to alter permissions on some registry keys (which reminds me, this one set a few registry key permissions so that HJT, BHODemon etc. could not remove them), Autoruns, Process Explorer, BHODemon, WinsockFix and Internet Controller.
4. The usual stuff (SpyBot, Adaware, MSAntiSpyware, X-Cleaner).
Real problems if there are lots of user profiles - you've got to do it in each one!!
rik March 1st, 2005, 03:52 AM Curio you seem to be up on most of this so the info you give I am trusting as gold. Not sure I'm clear on point #2 where you use dummy files. What do you mean?
BTW if you write batch files or Reg files that are capable of helping remove or stifle these different threats I'll bet they can be posted here...on a "Use at Your own Risk" basis of course.
Fenalaar March 1st, 2005, 11:42 AM About:blank registers a text/plain filter for Explorer that will reinstall the crap.
Look for it in the registry....
I had to tear that one out of my brother's PC - this shit is close to making a regular PC, without a lot of third-party stuff (adware killers, Firefox &c), close to useless...
Johan-Kr
FastGame March 1st, 2005, 12:12 PM Curio you seem to be up on most of this so the info you give I am trusting as gold.
I agree, you make some real nice post ;)
rik March 1st, 2005, 17:50 PM Followup:
Well I thought I had it whipped....I had the system up and running at my house, all seemed great. None of the detection and cleaning apps found any indications of an infection. AVG no longer finds any Trojans, no longer getting any "weird" files being created in Windows\temp. I even put it on the internet and tooled around a bit to make sure it was working. Then I took it back to my friend...
I had installed everything I could to block hi-jack attempts and malware from getting on the system.
Today I get a message that it is back to its old ways...browser's been hi-jacked, can't get into email, popups out the ying yang. Obviously it's something specific to what she is doing or clicking on but I can't figure out what.
It's getting reinstalled next...
cash_site March 1st, 2005, 23:27 PM Rik, is she on a home lan with other comps? or direct connection to internet via modem and bypassing router??
By the sounds of it there might be another computer within her lan that bypasses the firewall and infects her.
Also, have you turned off system restore and then did a virus scan??
rik March 2nd, 2005, 01:02 AM @CS - This is a Windows 98 box, no network, on a dialup internet connection. Nothing else I can blame 'cept the "nut behind the wheel".
;)
cash_site March 2nd, 2005, 02:47 AM @CS - This is a Windows 98 box, no network, on a dialup internet connection. Nothing else I can blame 'cept the "nut behind the wheel".
;)
Gee... no wonder this is doing your head in... Is the dialup with a reputable ISP, or a backyard college dude? Does she have a favorite program or website she always visits? There must be something residual to keep on infecting the PC...
Well, I guess you can keep practicing spyware removal and get it down pat :D
rik March 2nd, 2005, 03:15 AM I dunno Babe...I'm tired of fighting this. It's getting reinstalled, probably with XP. But it's an old 450 w/ 256 ram...It might be a tad slow but I think the security is worth it.
cash_site March 2nd, 2005, 03:22 AM Sounds good Pops, just turn off visual styling and use the classic theme, the XP should be respectable... you said it's only dialup and for browsing/email etc, more than enough :D
brvanvoo March 2nd, 2005, 03:56 AM I am suffering from About:blank / startpage.16.m too...
I have spent many hours with my in-laws' seldom-used, dial-up, 98 box trying to get this off of it. All my reading indicates that this is a losing proposition - I have put more time in than I wanted to on this neglected little PC and I want a quick fix, i.e. hammer not scalpel.
I have thought of three alternatives:
1. Uninstall IE6.0 and reinstall it. I suspect this won't fix anything. (will it?)
2. Uninstall IE6.0 and put on firefox. This seems like it will work, but maybe I am not appreciating the full evilness of this malware. I am wondering if there is any other risk - i.e. is any of this malware doing stuff in the background or does it only function by using IE? (I can, and my inlaws can, live with this).
3. A complete wipe and re-install of their software (this is time consuming but at least when I am done I know I am done).
Would #2 work? Is it safe?
Is there a "partial" re-install of the OS I could do that would fix my problems? (At least, perhaps, not have to back up and restore their data).
Please advise...
Thanks,
Brian
brvanvoo (I am at) mn (put a dot) rr (another one) com
rik March 2nd, 2005, 04:01 AM Welcome to Techzonez.
Unfortunately I think the best way to handle it at this point is a format/reinstall. A partial is gonna leave things on the drive that can be very detrimental to the system. I am opting to blow it out and start over after all this work.
Dehcbad25 March 2nd, 2005, 05:23 AM What about installing Linux?? Will that fix all the issues? and it will run in that hardware too :p
A tip that I remember now. Before cleaning the PC, delete the files from the internet temporary, and the windows temp folder. This makes the scan a lot faster. And if you want to know if the spyware is a problem between the keyboard and the chair, those folders are where you should concentrate. Check the history.
I cleaned out 4 computers from the same place. All were extremely infested, but they all had a pattern. One I cleaned out twice, since it was shared. I finally was able to narrow it to a couple of programs and web sites. Wrote a report (I saved all the logs from Spybot and Adaware) and I explained the main problems in plain non-technical English. Sometimes education is the only way. Unless you like to play with the ads where you have to kill the roaches as a fellow member admitted :p
brvanvoo March 3rd, 2005, 01:55 AM Can you be more specific Rik about what damage would come from leaving the stuff dormant on the system? Take the "never use IE, just use Firefox" approach... what will about:blank / startpage do if IE never runs again? It seems to just hijack the IE startpage - is it worse than that?
Brian
brvanvoo (I am at) mn (put a dot) rr (another one) com
Curio March 3rd, 2005, 20:46 PM Sorry for slow reply - lots of sick PCs around and Servers to install.
Dummy Files - some Adware/Spyware has several components, one bit loads then checks for another bit and if it can't find it, it re-installs that bit or the whole kack. You use a dummy file to replace the bit so it doesn't re-install it/all. As you get more bits out you can then get to the original installation/startup which can then be removed. After this usually your Adaware/SpyBot etc. can clean up although you may need a specialist tool like AboutBuster, CWShredder, Killbox (which actually does the Dummy file thing - though I made my own) etc. and to unregister some dlls. Incidentally you ABOUT:BLANK infected people should take a look here http://www.besttechie.net/forums/index.php?showtopic=1488 for instructions on how to use about:buster but in my experience you normally have more than one problem so be ready to look for others like VX2 and nCase (180 solutions), Blazefind etc...
Curio March 3rd, 2005, 21:25 PM Just read your later posts rik, I don't know if you use SpywareBlaster and IEspyad but they do help to prevent the crap getting on there, must keep updating them though. Also you can d/l a blocklist from www.SpywareGuide.com which will do similar and of course SpyBot S&D has the immunize tab.
For networks I recommend setting up a Proxy for the web using Squid with SquidGuard. I use Lycoris SME server which is absolutely fantastic see www.contribs.org, scripts to put on squidguard and squidproperties available at www.tech-geeks.org. It automatically downloads updates to the sites blacklist overnight every night and if you want to surf po.. I mean research security issues you can add your IP to the unrestricted list. Script to install Clam-AV antivirus and SpamAssassin (if you are going to relay mail through it) also floating around somewhere on contribs.org. I have taken a look at ClarkConnect but I think SME server is better especially as you can easily create and manage groups which is missing in CC - that's just a big no-no for me.
Avoiding directly using Internet Explorer on older systems is a necessity now because of the unpatchedness pre XPSP2 unless you are behind a sanitising Proxy.
SpyBlocker is also an excellent host proxy and I can recommend you give it a go - I think you can install it as 30 day trialware, I use it on my Windows ME box. I know the site http://www.spyblocker-software.com/spyblocker/index.shtm looks a bit cheap and nasty but it works OK for me and let's face it there are plenty of professional looking sites out there selling useless crap.
rik March 4th, 2005, 03:57 AM I do use and recommend Spyware Blaster and Spyware Guard. Odd thing about it, even though I had cleaned that system, and nothing found any infections on it, I couldn't get Spyware Blaster to install and run. It kept giving a message that either there was a virus blocking it or bad sectors on the hard drive. The hard drive's fine...
Curio March 4th, 2005, 20:39 PM I also use this all the time before I even look into the pc. Run it reboot then start to look for problems. It's the updated version of my startups remover converted from the castlecops list.
Sootah April 22nd, 2005, 02:34 AM A little on the late side, but these tips may help..
I had a MAJOR infection that I battled with se.dll a while back (a couple of weeks ago). The only way that I got rid of it was to boot to a Bart's PE CD, and scan with a FULLY updated McAfee SuperDAT. I had to scour the log that it creates and then rename this one .dll that it had found that it couldn't open for some reason.
Following that I did a scan of the machine with the online scanners from bitdefender, f-secure, mcafee, and norton. Every last one of them found something.
The key that is the main culprit is the AppInit_DLLs. It may LOOK empty, in fact HijackThis will scan it, and then show nothing. It is, in fact, NOT empty. The newer scumware all mask this key and throw something in it.
Bah to them.
If you can, remove the hard drive, hook it up to another machine, and then use the online scanners listed above to scan it for infections.
----------------------------
Free Spyware Removal (http://www.eradicatespyware.net)
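The three registry footholds named in this thread (Fenalaar's text/plain filter, Curio's rewritten .exe default action, and Sootah's AppInit_DLLs that only looks empty) can be checked together against a regedit export. This is an added example, not code from the thread or from any tool it mentions; the sample export, the placeholder .exe path and the all-zero CLSID are constructed, and treating any text/* MIME filter as worth inspecting is an assumption.

```python
# Added example: audit a regedit (.reg) export for the footholds discussed above.
import re

EXEFILE_CMD = r'"%1" %*'   # the stock "open an .exe" command
APPINIT_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\windows'
SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(literal):
    """Turn a quoted .reg string literal into the raw data it encodes."""
    return re.sub(r'\\(.)', r'\1', literal[1:-1])

def parse_reg(text):
    """Return {key path (lowercased): {value name (lowercased): raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = '' if val.group(1) == '@' else _unescape(val.group(1)).lower()
            data = val.group(2)
            # Only string data is unescaped; hex:/dword: forms stay verbatim,
            # so an AppInit_DLLs stored as binary still shows up as non-empty.
            keys[current][name] = _unescape(data) if data.startswith('"') else data
    return keys

def audit(keys):
    """Return [(finding, detail)] for the three footholds from the thread."""
    findings = []
    cmd = keys.get(r'hkey_classes_root\exefile\shell\open\command', {}).get('')
    if cmd is not None and cmd != EXEFILE_CMD:
        findings.append(('exefile open command altered', cmd))
    for path, values in keys.items():
        # Assumption: a default install registers no MIME filter for text/*,
        # so any such entry deserves a look (the about:blank trick).
        if path.startswith(r'hkey_classes_root\protocols\filter\text/'):
            findings.append(('MIME filter registered', f'{path} -> {values.get("clsid")}'))
    appinit = keys.get(APPINIT_KEY, {}).get('appinit_dlls')
    if appinit:  # anything but a truly empty string; repr() exposes whitespace
        findings.append(('AppInit_DLLs not empty', repr(appinit)))
    return findings

SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\placeholder.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{00000000-0000-0000-0000-000000000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="   "
'''

if __name__ == '__main__':
    for what, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'{what}: {detail}')
```

Export the three keys with regedit (File > Export) from the suspect machine and run the script over that file; a clean box produces no findings.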
FastGame April 22nd, 2005, 04:27 AM Thanks for the info Sootah, and welcome to TZ :)
cmillens April 23rd, 2005, 18:46 PM Moons ago, or it seems that way now (actually last May to be precise) ... My wife's PC was infested with some real nasties much as you describe. After 3 days of beating my head on the keyboard with it I finally got an idea that may help others. I went downstairs to my PC and made a list of ALL the OCX's, DLL's, VBX and any other binary on my 'clean' system and saved the list to the server. Then did the same on the wife's PC. Using Beyond Compare, I examined the two systems' results and discovered that nearly every DLL that was supposed to be there was older than a given date - in my case, since this was about a year ago, it seemed that all the 'right' DLL's were older than April of last year - without so much as a thought I figured why not? and I booted to the command console (all my PC's have the command console boot off the HDD in hidden, system, read-only folders as are the files) then proceeded to whack all DLL's, EXE's and other BINARY executable type files more recent than the 4th of April. Once completed I rebooted and searched the registry for all references and other info relating to the files I trashed and trashed the main branch of each reference. Rebooted and she was good to go!
Perhaps a little extreme but after 3 days I figured it was that or format and since she wanted to keep the pictures and a boat load of other files I figured that was my only option. At least it worked for me - perhaps it will for you too someday.
ianpac May 23rd, 2005, 05:29 AM That is pretty much how I often get rid of the stubborn infections too - just go to the Windows system32 folder and arrange the files by date then delete all the files created recently from the estimated time of infection. Good files usually have summary information in their properties fields while spyware doesn't. Also they have dodgy filenames and are often the same file size. So when I arrange my files by date they usually stand out like sore thumbs. If there is a file you are not sure about just save it onto a floppy/flash before deleting. It's very satisfying to outsmart the buggers by just using the old delete key. :)
I know it's not free but I highly recommend Spyware Doctor. Run that in Safe Mode and 99% of your infections will be zapped for good.
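The clean-versus-infected binary comparison cmillens describes, combined with ianpac's sort-by-date check, as an added Python example (not a tool from the thread): build_inventory hashes every binary under a mounted drive, and compare sorts the suspect inventory against a clean one. The sample inventories, digests and file locations are constructed; only the se.dll name comes from the thread.

```python
# Added example of the baseline-compare approach from the thread, not a tool
# any poster published. Inventories map relative path -> (mtime, sha256).
import hashlib
import os
from datetime import datetime

BINARY_EXTS = {'.dll', '.exe', '.ocx', '.vbx', '.sys', '.drv'}

def build_inventory(root, exts=BINARY_EXTS):
    """Walk root and record each binary's mtime (epoch seconds) and sha256."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inv[os.path.relpath(full, root).lower()] = (os.path.getmtime(full), digest)
    return inv

def compare(baseline, suspect, infection_start):
    """Sort the suspect box's binaries into three buckets.

    unknown: on the suspect box but not on the clean one
    changed: same path, different hash (a replaced system file)
    recent : written on or after infection_start, the sort-by-date trick
    """
    report = {'unknown': [], 'changed': [], 'recent': []}
    for rel, (mtime, digest) in sorted(suspect.items()):
        if rel not in baseline:
            report['unknown'].append(rel)
        elif baseline[rel][1] != digest:
            report['changed'].append(rel)
        if mtime >= infection_start:
            report['recent'].append(rel)
    return report

# Constructed sample inventories: digests are placeholders, not real hashes,
# and the se.dll location is made up (only the name comes from the thread).
T0 = datetime(2005, 2, 20).timestamp()          # estimated infection date
OLD = T0 - 300 * 86400                          # well before the infection
CLEAN = {r'system\shell32.dll': (OLD, 'digest-shell32'),
         r'system\wininet.dll': (OLD, 'digest-wininet')}
SUSPECT = {r'system\shell32.dll': (OLD, 'digest-shell32'),          # untouched
           r'system\wininet.dll': (T0 + 3600, 'digest-wininet-x'),  # replaced
           r'system\se.dll': (T0 + 7200, 'digest-se')}              # not on baseline

if __name__ == '__main__':
    for bucket, paths in compare(CLEAN, SUSPECT, T0).items():
        print(f'{bucket}: {paths}')
```

In practice run build_inventory against the suspect drive mounted in a clean machine (as Sootah suggests) and against a matching clean install, then feed both results to compare.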
lynchknot May 23rd, 2005, 05:52 AM That's about what I went through with the PC that I got the other day. Next time they're getting a format & reinstall :p
Perhaps you should epoxy the keys so they won't mess it up again - :p
FastGame May 23rd, 2005, 16:55 PM As long as they bring the PC to me and pay $$ for a fix, I hide the epoxy and reserve it for repeat net offenders-:p=J/K to U