Old 07-01-2004, 01:48 AM   #1
DrBiggly
Scooby Guru
 
Member#: 11482
Join Date: Oct 2001
Chapter/Region: South East
Location: Winston-Salem, NC
Vehicle:
02 WRX
Acute Stickeritis

Default Spyware

So I had some spyware that I couldn't find. Before you n00bs try to tell me how to remove it, here's what I tried:

Ad-aware. Clean. (Updated before running)
AVG Anti-Virus. Clean. (does catch some spyware now and then and I refuse to use Norton System Bloat) (Updated before running)
Spybot, S&D: Clean. (Updated before running)
CWShredder: Clean. (Updated before running)

Then I went looking manually, which usually finds things that those guys don't. WINNT and SYSTEM32 directories all show no suspicious executables and nothing that looks particularly new (sort by date.)

Then I went and cleaned out the WINNT\TEMP and Temporary Internet Files and Documents and Settings\Mike\Local Settings\Temp directory. Checked the Temporary Internet Files there as well. Nothing.

Then I bring up my TaskInfo 2003 program (it rocks.) I look for random executables and modules that I haven't seen before or don't know. Nothing doing.

How do I know I had spyware? Because NASIOC doesn't have popup windows saying crap like "You're the 50,000,000th visitor to this site, click here now!"

That, or other sites I visit with no popups.

So I fire up Internet Exploder and look through things based off that executable. I hit the modules tab and start going through each individual file. Then one caught my eye: twaintec.dll

I can't delete it. Hmmmm...close IE and still can't delete it. I kill the explorer.exe process (man that ticked off Windows) and pulled up a command prompt. Then went down to good ol' fashioned DOS commands and deleted the file that way, along with a twaintec.ini file.

Now my spyware is gone. Yay! That was one of the tougher spywares I've had to get rid of. That crap annoys me to no freaking end.

So hopefully if anyone searches the board for spyware then maybe they'll read this and find something helpful in the future.

Cliff Notes: Biggly's mad spyware removing skills > Spybot > Ad-Aware > AVG Anti-Virus > CWShredder > Windows Task Manager

Last edited by DrBiggly; 07-01-2004 at 02:37 AM.
DrBiggly is offline   Reply With Quote
Old 07-01-2004, 01:55 AM   #2
HalfBaked
Scooby Specialist
 
Member#: 24759
Join Date: Sep 2002
Chapter/Region: SWIC
Location: Gilbert, AZ
Vehicle:
2020 Ascent
Blue

Default

I got the same problem.

Only my spybot freezes each time I try to delete the spyware.

HalfBaked is offline   Reply With Quote
Old 07-01-2004, 02:05 AM   #3
DrBiggly
Scooby Guru
 
Member#: 11482
Join Date: Oct 2001
Chapter/Region: South East
Location: Winston-Salem, NC
Vehicle:
02 WRX
Acute Stickeritis

Default

What OS are you running?
DrBiggly is offline   Reply With Quote
Old 07-01-2004, 02:06 AM   #4
HalfBaked
Scooby Specialist
 
Member#: 24759
Join Date: Sep 2002
Chapter/Region: SWIC
Location: Gilbert, AZ
Vehicle:
2020 Ascent
Blue

Default

English?

But would that be Windows XP?
HalfBaked is offline   Reply With Quote
Old 07-01-2004, 02:25 AM   #5
benjaminetanyahoo
*** Banned ***
 
Member#: 41300
Join Date: Aug 2003
Chapter/Region: Tri-State
Location: Midtown West (Lincoln Center)
Vehicle:
2000 New York
MTA

Default

Make sure you check your applets and Downloaded Internet Files in IE, you would be surprised what you find there.
benjaminetanyahoo is offline   Reply With Quote
Old 07-01-2004, 02:26 AM   #6
nhluhr
Scooby Guru
 
Member#: 7327
Join Date: Jun 2001
Chapter/Region: NWIC
Location: Seattle, WA
Vehicle:
2008 Mazdaspeed3
2006 Wrangler Sport

Default

nice ownage, biggly. I'm gonna have to get that TaskInfo2003. The normal Task manager blows chunks.
nhluhr is offline   Reply With Quote
Old 07-01-2004, 02:35 AM   #7
DrBiggly
Scooby Guru
 
Member#: 11482
Join Date: Oct 2001
Chapter/Region: South East
Location: Winston-Salem, NC
Vehicle:
02 WRX
Acute Stickeritis

Default

OS = Operating System.

For most of the world unfortunately you can just say "What version of Windows are you running?" and get the answer you want. If they aren't running Windows, you get a good laugh at least because they'll understand why I asked it that way.

XP.

Well, it's always harder to fix these things not being at the problem computer itself.

Here's what I would do first:

Close all IE windows and OE windows. (Outlook and Internet)
Then open up the task manager (CTRL ALT DEL) and look at the processes that are running. (Not programs, processes.)

Kill anything that says iexplore.exe

Then look for things that are a bunch of nonsense like xrzwerle.exe or something like that. If it can't even form part of a word, then it's probably not something you want. End any processes like that that seem suspicious. If you end the wrong thing, your computer is going to be very upset with you and probably require a reboot. If you screw it up doing this, well you picked the wrong one so do it at your own risk. Here are some examples of things that need to be running:

smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
spoolsv.exe
avgserv.exe
DUservice.exe
svchost.exe


Those you want to leave alone. There are probably some others like Norton or what have you that might be running. Like for example I have HOTSYNC.exe (which is for my Palm.)

taskmgr.exe should be there; that's the program you're looking at.

Explorer.exe should be there. Close it and it will kill off all windows and reappear more or less.

Anything with a PID of over about 1000 or so is either a program that started after all of the system services or could be spyware. Anything with a funky name that isn't a program, kill it.

Then run Spybot and see if you can get it to eliminate some of the junk instead of locking up. If that doesn't work, go download Ad-Aware. Install. Do the update in the program for the latest spyware lists. Then run it. Then run Spybot. Yes, Ad-Aware might think Spybot is a malicious program. Having both of them installed can cause issues; don't let Ad-Aware delete Spybot data files and such or you'll just have to reinstall SpyBot.

That's all I feel like typing at the moment...give some of that a shot, at your own risk of course. You might get lucky.

If you take your time, you can identify what is and isn't legit. Here's a good way to get started:

Pull up the Processes list (Task Manager) and for each file, do a search on your hard drive for it. Once you get it pulled up, right click on it and go to Properties. Then in the Properties window, click on the Version tab.

If you get a bunch of nonsense or a lot of "Version 1,0,0,0,1" and such, it's spyware. End the process and delete the file.

The commas are a big giveaway; it usually means that the thing was written overseas. If it has a lot of Microsoft info in there, it's genuine and you should just keep it.

Good luck.
DrBiggly is offline   Reply With Quote
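
The manual check described in posts #1 and #7 (walk the modules loaded into the browser process, then look at each file's version details) can be scripted. This is an added example in PowerShell, not code from anyone in the thread; the function name Get-LoadedModuleReport is hypothetical, and it assumes a current Windows system where PowerShell and Get-AuthenticodeSignature are available.

```powershell
# Added example: report every module loaded into a process, with the
# version-resource and signature details a reviewer would check by hand.
function Get-LoadedModuleReport {
    param(
        # Assumption: defaults to the browser process discussed in the thread.
        [string]$ProcessName = 'iexplore'
    )

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named '$ProcessName'."
        return
    }

    $seen = @{}
    foreach ($proc in $procs) {
        # Module enumeration can fail for protected or cross-bitness processes.
        try { $modules = @($proc.Modules) }
        catch { Write-Warning "Cannot read modules of PID $($proc.Id)."; continue }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }
            $seen[$path] = $true

            $sig  = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            $info = $m.FileVersionInfo

            [pscustomobject]@{
                Module    = $m.ModuleName
                Company   = $info.CompanyName
                Version   = $info.FileVersion
                Signature = "$($sig.Status)"      # Valid, NotSigned, HashMismatch, ...
                LastWrite = $file.LastWriteTime
                Path      = $path
            }
        }
    }
}

# Show modules that lack a valid signature or a company name, newest first.
# An unsigned module is a lead for manual review, not proof of spyware:
# plenty of legitimate third-party DLLs are unsigned.
Get-LoadedModuleReport |
    Where-Object { $_.Signature -ne 'Valid' -or -not $_.Company } |
    Sort-Object LastWrite -Descending |
    Format-Table Module, Company, Version, Signature, LastWrite, Path -AutoSize
```

Run it from an elevated prompt so module enumeration is not blocked, and check any flagged file before removing it.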
Old 07-01-2004, 02:36 AM   #8
DrBiggly
Scooby Guru
 
Member#: 11482
Join Date: Oct 2001
Chapter/Region: South East
Location: Winston-Salem, NC
Vehicle:
02 WRX
Acute Stickeritis

Default

Quote:
Originally posted by FutureSTIer
Make sure you check your applets and Downloaded Internet Files in IE, you would be surprised what you find there.
Oh yeah! I need to edit my original post. I check the WINNT\TEMP directory and the other Temp directory (Documents and Settings for whatever user I was logged in as at the moment.)

Thanks for the reminder. Go clear all that out. If it won't let you, then reboot and try again. What files remain trying to work are spyware.
DrBiggly is offline   Reply With Quote
Old 07-01-2004, 02:40 AM   #9
HalfBaked
Scooby Specialist
 
Member#: 24759
Join Date: Sep 2002
Chapter/Region: SWIC
Location: Gilbert, AZ
Vehicle:
2020 Ascent
Blue

Default

Thanks I'm gonna take a look at that.
HalfBaked is offline   Reply With Quote
Old 07-01-2004, 02:45 AM   #10
jr34596
Scooby Newbie
 
Member#: 14529
Join Date: Jan 2002
Default

Quote:
Originally posted by HalfBaked
I got the same problem.

Only my spybot freezes each time I try to delete the spyware.

That's a problem a lot of people have or had, including myself. If you change the settings to not back up XP it might work.
jr34596 is offline   Reply With Quote
Old 07-01-2004, 02:50 AM   #11
benjaminetanyahoo
*** Banned ***
 
Member#: 41300
Join Date: Aug 2003
Chapter/Region: Tri-State
Location: Midtown West (Lincoln Center)
Vehicle:
2000 New York
MTA

Default

That's why I always say a computer is only as fast as the person maintaining it. People always ask me why my computer is so fast compared to their super home built neon lights can see the inside humming like a blower computer hehehe and it's almost two years old
benjaminetanyahoo is offline   Reply With Quote
Old 07-01-2004, 02:55 AM   #12
HalfBaked
Scooby Specialist
 
Member#: 24759
Join Date: Sep 2002
Chapter/Region: SWIC
Location: Gilbert, AZ
Vehicle:
2020 Ascent
Blue

Default

Ok I'm a total n00b.

After I run ad-aware what do I do?
HalfBaked is offline   Reply With Quote
Old 07-01-2004, 09:45 AM   #13
DrBiggly
Scooby Guru
 
Member#: 11482
Join Date: Oct 2001
Chapter/Region: South East
Location: Winston-Salem, NC
Vehicle:
02 WRX
Acute Stickeritis

Default

Then try Spy Bot. It usually catches things that Ad-Aware doesn't. I'm sure Ad-aware probably took some things out and your computer is doing a little better, but you should really go ahead and try to get all of the crap out of there.
DrBiggly is offline   Reply With Quote
Old 07-01-2004, 09:48 AM   #14
Rebellion
Scooby Guru
 
Member#: 8069
Join Date: Jul 2001
Chapter/Region: South East
Location: Indian Trail, NC
Vehicle:
2016 Fiesta ST
Kona Blue

Default

HAX0R IT

ugh.. I hate spyware... spend at least an hour of my day cleaning it off morons' computers.
Rebellion is offline   Reply With Quote
Old 07-01-2004, 10:17 AM   #15
Cyberdemon
Scooby Newbie
 
Member#: 11701
Join Date: Oct 2001
Location: Long Island NY
Vehicle:
2008 Acura TL-S
2001 Corvette

Default

Download Hijack This. It's an application that shows browser hijacks and all of your windows startup applications. It allows you to post a log and remove entries. I find it the most effective for removing things none of the others catch.

To be perfectly honest, I find with some of the newer trickier spyware, Spybot and Adaware are useless. They're good in general, but any time I have spyware problems now they won't find the problem (and they're completely updated).
Cyberdemon is offline   Reply With Quote
Old 07-01-2004, 10:28 AM   #16
Rebellion
Scooby Guru
 
Member#: 8069
Join Date: Jul 2001
Chapter/Region: South East
Location: Indian Trail, NC
Vehicle:
2016 Fiesta ST
Kona Blue

Default

HijackThis isn't that good at removing spyware.... it's mostly just good at showing what's there.
Rebellion is offline   Reply With Quote
Old 07-01-2004, 10:32 AM   #17
beachbum
Scooby Specialist
 
Member#: 457
Join Date: Oct 1999
Chapter/Region: MWSOC
Vehicle:
---- Smells like
weed and rampage

Default

Quote:
Originally posted by DrBiggly
Then look for things that are a bunch of nonsense like xrzwerle.exe or something like that. If it can't even form part of a word, then it's probably not something you want. End any processes like that that seem suspicious. If you end the wrong thing, your computer is going to be very upset with you and probably require a reboot. If you screw it up doing this, well you picked the wrong one so do it at your own risk. Here are some examples of things that need to be running:
Good advice all around... I'll add one tip I've found: if you see a suspicious process, just run the process name through Google. If I get no hits, I kill it. Otherwise, it may show up as confirmed spyware or system process. Just an extra failsafe.
beachbum is offline   Reply With Quote
Old 07-01-2004, 10:38 AM   #18
Midwayman
Scooby Specialist
 
Member#: 1997
Join Date: Jul 2000
Chapter/Region: MWSOC
Location: Des Plaines, IL
Vehicle:
2006 Acura TL 6spd
STMGM6 alumni

Default

#1 here is never ever install applets from the web you don't need, or are from sites you don't completely trust.

hint: the site you buy modchips and dl warez from is probably a bad choice to trust.
Midwayman is offline   Reply With Quote
Old 07-01-2004, 10:38 AM   #19
DrBiggly
Scooby Guru
 
Member#: 11482
Join Date: Oct 2001
Chapter/Region: South East
Location: Winston-Salem, NC
Vehicle:
02 WRX
Acute Stickeritis

Default

I typically go do a search on the computer (especially if the Internet is dead from all the spyware) and then hit the properties and start doing version checking. That usually makes it plenty obvious.
DrBiggly is offline   Reply With Quote
Old 07-01-2004, 10:39 AM   #20
Cyberdemon
Scooby Newbie
 
Member#: 11701
Join Date: Oct 2001
Location: Long Island NY
Vehicle:
2008 Acura TL-S
2001 Corvette

Default

Quote:
Originally posted by Rebellion
HijackThis isn't that good at removing spyware.... it's mostly just good at showing what's there.
Correct, but it is still good at getting rid of the registry entries and DLL files that a lot of the nasty browser hijacks use.

Also if it started happening recently, check windows\system32 and organize by date. Generally if you see a few recent files that are called like "aslihs.dll" and just seem to be random garbage that were last modified when the problems started happening, they're probably no good.
Cyberdemon is offline   Reply With Quote
Old 07-01-2004, 10:41 AM   #21
plunk10
Scooby Specialist
 
Member#: 32342
Join Date: Jan 2003
Chapter/Region: International
Vehicle:
13 BubblePrius
00 F150

Default

Quote:
Originally posted by HalfBaked
I got the same problem.

Only my spybot freezes each time I try to delete the spyware.

make sure you are running spybot 1.3, not 1.2. be patient too.

Quote:
Here are some examples of things that need to be running:

lsass.exe.
before spyware existed, I'd never noticed this file, so I immediately thought this WAS spyware when I first saw it. I mean who names a file lsASS? I originally thought it was some hax0r joke like lsass = lick some ass
plunk10 is offline   Reply With Quote
Old 07-01-2004, 10:52 AM   #22
2WDrift
Scooby Specialist
 
Member#: 5132
Join Date: Mar 2001
Chapter/Region: MAIC
Location: MAIC RWD guru
Vehicle:
95 BMW 330ti
black

Default

I have to clean this crap daily (job). We uninstall about a dozen suspect programs from Add/Remove and run Spybot first then AdAware. Delete the .exes out of C:\ in W2000. This week 5 new programs showed up.

Gary
2WDrift is offline   Reply With Quote