OT: Spyware attack

filmy wrote on 1/17/2005, 12:21 PM
Seems that I finally got hit with some spyware or the like. For more info see my other thread called weirdness. I figured I would post this in its own thread for higher visability.

This may of may not be affecting vegas but here is what happened - without any warning or OSD some things have been installed. I have SP2, I also have the latest security updates for SP2. I do not use IE at all. I use Mozilla, and I don't get any email on this machine.

Something called IEToolbar. It was installed yesterday and by all acoounts it is gone...or is it?

I found a file in my windows/system32 folder called $$$_.log and this is the info in it:

I did not visit amny of these sites. Seems that a website used a java exploit to silently download files and install them. And right now it seems like either on reboot or shutdown more files are being installed from somewhere. I removed the toolbar but on reboot I had all these mystery files running (See other thread). I searched and found about 50 files in my windows directory - all start with "sys" and are followed by a number and end with ".exe". All have today's date. I have deleted those and also have found new files in my system32 folder - dsmanager.dll and dsmanager32.dll - all dated today. (Same as the $$$_.log file) Both files have an internal name of "BHO.DLL" which turns up this (among other things) http://sarc.com/avcenter/venc/data/pf/adware.iepagehelper.html which is Adware.IEPageHelper. NOTE: The directions given do not work for this "new" varrient.

So I am cleaning my system - more details as they come up.


nickle wrote on 1/17/2005, 12:43 PM
After you download the antispyware tools mentioned in the other thread, disconnect from the Internet and then run them.

You also may have to go into safe mode to disable them so the anti spyware progs have a better chance at killing them.
swarrine wrote on 1/17/2005, 12:45 PM
I got the same thing except mine was called iSearch.

Basically nothing worked, system restore - tried multiple dates, the various spy software I had, manually going through the registry and so forth. My computer didn't even recognize me as the admin.

Clean install today.

If only I could find my Vegas 4 Book for the serial #...
Chienworks wrote on 1/17/2005, 12:47 PM
Never install any extra tools in your browser. They're all trouble waiting to happen.
Mandk wrote on 1/17/2005, 12:54 PM
One of my computers at home (the one used by the teenager daughters) picked up something so bad it was launching ads when the computer was not even connected to the internet. It prevented taskmager from being accessed and did not allow any edits of system registry or system configuration.

Horrible mess I ended up reformatting the drive and reinstalling everything.
jetdv wrote on 1/17/2005, 1:02 PM
The one time I had something like this happen (on 3 different machines in the office that did NOT go to the same websites) I ended up restoring from an image. Nothing else seemed to get rid of it.
logiquem wrote on 1/17/2005, 1:05 PM
I have succesfully destructed these spywares in the past (and also removed QuickTime! :-) ) simply by rebooting with a live Linux CD soft like Knoppix and renaming/deleting the executable.


Don't laugh, it works very well and you also get the Linux experience for the same price without any risk...

ChrisFontenot13 wrote on 1/17/2005, 1:07 PM
This stuff sounds a lot like " VX2 " spyware. You can't kill it from the taskbar, it starts in safe mode, and it downloads all kinds of stuff and fools with your registry, changes your home page no matter the protections you have. If you run Lavasoft's Ad-Aware SE (you can get it from SnapFiles.com or Major Geeks), you can get a plug-in to clean this from http://www.majorgeeks.com/ under "spyware tools."

farss wrote on 1/17/2005, 1:14 PM
Let me see, somebody comes uninvited into my house and messes with MY things. The law provides penalties for such acts. Why aren't more of us screaming for the same sanctions against these guys?
filmy wrote on 1/17/2005, 1:18 PM
The ietoolbar is self spawning - it was there upon reboot. New folder, new reg settings, new "sys[number].exe" files and so on. Need to find the install file...doing a search for any of the installers listed in the $$$_.log file turns up nothing.

Upon reboot the taskbar and desktop are also reset - it goes from classic to a modified XP theme.

Also to be clear - I know people are tyring to help but the main reason I posted this is because this seems to be something new that doesn't care about the normal install/MS things. Also using ad-aware turns up nothing. In doing searches for some of the found files mostly nothing turns up. (ie - dsmanager32.dll on Google brings nothing) This is somehting new that just silently installs. So -

1> I don't use MS IE. I use Mozilla. - latest build.
2> I do have a firewall., turned on - so no access is allowed but the sites I mentioned are logged)
3> I did not use, or ever install, any sort of "toolbar" helper - this included Google toolbar.
4> I do not get email on this machine.
5> Need the network set up for files and such. Internet is mainly via a router and a gateway for updates.
6> Have windows update turned off. Auto installs in browser turned off. Security set to "high" in all browser settings.
7> As these installs are going on right now - today and last night - it has nothing to do with *any* install that I did. For example the toolbar helper thing has be uninstalled and re-installed 5 times today alone - and I am NOT the one installing it. It shows up in the add/remove menu as "IE Search Toolbar plugin" after each reboot.
8> As above same goes for the "MDS Search Booster". Have uninstalled that but it comes back. Doing a search on Google turns up nothing for example. (Your search - "MDS Search Booster" - did not match any documents.)
9> I relize from searching that the toolbar issue is old, however it may be the method used to get onto a system has changed. For example most of the sites that discuss this mention files to be deleted that do not exist.
10> While running HiJack does return lots of info (mpostly about items that are not unwanted - ie: McCaffe, BackUps, Acrobat, the audio driver and so on) it also returns errors such as: An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=win.ini, sSection=windows, sValue=load) Error #5 - Invalid procedure call or argument. Could this be a result of a new breed of spyware?
11> No I do not run MSN mesenger, AOL, ICQ, chatzilla or the like.
12> I use BlackVipers tweakss.
travel_addict wrote on 1/17/2005, 1:26 PM
From what I understand, IE has Active X which makes it easy for this spyware crap to get on our systems.
One cure I just saw was on TECH TV....they said too use Firefox!

PierreB wrote on 1/17/2005, 1:45 PM
My daughter's computer caught one of those things, probably from Kazaa.

I used the demo version of somethings called TrojanHunter to root it out and things seem to be ok now.

Good luck.

apit34356 wrote on 1/17/2005, 1:45 PM
filmy, you can repair without a total rebuild. run programs like ie spybot, then disable your lan, just unplug it, then go in taskmanager and "end task" all unfamilar task running, then run spybot or another utility that will let you edit the startup tasks. THen go to the system utility for ADD/REMOVE programs, remove all toolbars and programs you do not know, check install date. then run an anti-virus program and if you have a register cleaning program, this is a little over kill. reboot, then run again the spybot program, check memory for unknown running programs, should be non there, reconnect the lan.
filmy wrote on 1/17/2005, 1:55 PM
To Peter - don't use anysort of filesharing apps. No Kazza, No napster..nothing. Also this is a relativly brand new system. Only had it a few months.

To apit - Already checked all thse types of things. Checked services and so on on. That is how I discovered the "sys**.exe files that were running. Did a regsearch for any of them, but only one was listed. No listing under any run or runonce settings. I already mentioned the add/remove thing - not doing anything to add, just remove. Reboot - it is installed again. Install date is today - now, or whenever I delet the files and than reboot.

apit34356 wrote on 1/17/2005, 2:13 PM
filmy, you must also edit the startup run file, disable all unfamilar programs from starting. Sometimes non critical startup program files are replaced, like adobe gamma, ....., this is why it is important to disable all non critical programs in memory or in the startup run file. I just 11 hours, when through a similar attack. I do not use ie and ie was starting with a new toolbar, popups everywhere, it required about 30 minutes of "h" to get control of my laptop.
J_Mac wrote on 1/17/2005, 2:22 PM
Try Webroot SpySweeper.

www.webroot.com. PC mag and Maximum PC pick for this type problem. John.

JJKizak wrote on 1/17/2005, 2:57 PM
As of right now there are two spywares that are installed on your computer as soon as you access any website, and I forgot what they are. AOL is one of the culprits and if it isn't on your computer it will be after you go thru AOL. You have to remove these every time you go offline. Nothing will block them the next time you go online. There are also a couple associated with "BILL".

Rednroll wrote on 1/17/2005, 2:59 PM
"Let me see, somebody comes uninvited into my house and messes with MY things. The law provides penalties for such acts. Why aren't more of us screaming for the same sanctions against these guys?"

I agree!!! There should be some criminal acts taken against this type of activity, it is rediculous. No one should be able to change anything on your computer without your consent. They're basically putting sh*t on your computer and able to track your every move. Do that on someones telephone line and see how fast you get arrested for invasion of privacy......yet this happens all the time on computers, with no reprocussions. The internet....the land of no rules.

I've been running Spybot on my home PC for quite a long time now. The nice thing about Spybot is that it also has a "Tea Timer". You can choose to have this run upon starting windows, or choose to run it before going on the net. The tea timer let's you know whenever something tries to install anything or change anything in your registry. Therefore, you can block it before it even gets on your system. You can choose to automatically block everything, or have it prompt you when something tries to make a change where you can either allow the change or block it. I was surprised on a lot of the websites I went to that try to install crap on my computer. Ones that I thought where legit companies. I have a hotmail email address, and everytime I go to www.hotmail.com or try to read an email message, some kind of adware is trying to install something into my registry. I never knew it until I installed Spybot. MSN/hotmail, thank you for the spyware.

I occassionally run Ad-Aware also, just incase Spybot missed anything. The free version of Ad-Aware only cleans the stuff once it's already installed, where you need to purchase it to get the optional part that blocks it altogether.
rs170a wrote on 1/17/2005, 3:01 PM
FIlmy, I highly recommend going to MyTechSupport.ca and asking for help. These folks saved me hours of work (after spending several hours trying to fix it myself) last fall when I got hit with a browser hijack. Follow the directions in the sticky about a "Hijack This" log at the top of the page and go from there. Good luck.

scdragracing wrote on 1/17/2005, 3:09 PM
i love spybot, run it all the time myself, but some of these new viral programs are beyond it's capability... they typically replicate entirely new .exe files that have random names, every time you boot up... you clean it off once with adaware, but it comes back... they alter the registry file as well.

booting in safe mode a couple of times, and running multiple up-to-date tools both times to clean things up is the only cure... be sure and turn off system restore first!
TheHappyFriar wrote on 1/17/2005, 4:58 PM
Didn't read through all the posts, just read a few. I've gotten that damn thing occationatly (and others ocationatly). Here's the files I d/l to get rid of bugs:

Spybot 3d
CWS Shredder

Get all 4 of those (do a search for HiJack & CWS). Install/uncompress to a temp folder. Make sure that are all up to date. Then, shut off computer & disconnect the net (modem, ether, etc). Start up & go in safe mode.

Now, run those. All of them. For HiJack you have a list of what to delete. Make sure you know what you're getting rid of. After you run all of these, re-start in safe mode AGAIN and run them again to see if there is anything left. After you get rid of everything, re-start in normal mode.

Now, there was one thing I couldn't get rid of. It made a folder on my HD in my windows folder. To counter act that I went into the folder, deleted all the content, then made the folder right prottected, hiden, & system. :) Fight fire with fire i say. :)

And don't feel like you did something wrong to get this. It was probley uploaded to your computer via a MS Windows exploit that you have little control over.
Spot|DSE wrote on 1/17/2005, 6:04 PM
Since I've had to rebuild my MBR several times in the past month, I'm in favor of taking all virus-writers, dropping them on a deserted island with no electricity, and giving them nothing but Shakespeare and a religious book to read. Leave em' there for 5 years, maybe by the time they've gotten a little sunburn, they'll have forgotten what they knew, or technology will have surpassed them.
filmy wrote on 1/17/2005, 6:28 PM
I tried Spybot, but that didn't tell me anything really but it looks like it might have stopped this in the first place.

**Dislaimer - editing the system files and reg files can cause bad things to happen. Don't do it unless you back up your spyware infested system in case somehting goes very wrong.**

Anyhow - the steps I took was to first delete whatever I found that was running. This goes back to my first posts. Than I did a Google on the files I found - as I stated most came back with no hits, making me feel this is something brand new. Following some of the older threads around on the toolbar I ran down the reg settings and deleted those. Rebooted - and it was installed again. Followed the same steps but searched for files dated today (January 17, 2005) and came up with the other files I mentioned. Did a reg search for these, most were not mentioned. So I deleted these. I Again did an "uninstall" of the toolbar and the "MDS Search Booster". Rebooted and again they were back. Followed the same steps and than ran some of the programs I already had - this includes Ad-aware. In addition I also manually blocked the IP of that my system keeps trying to access, and that try to access this system. I also added this IP to the filter settings of Mozilla. Finally I locked off the computer with the firewall and ran R-Wipe & Clean on the temp files, cookies, trash and empty space. Than rebooted.

Seemed fine. So allowing filtered traffic in. Downloaded spybot and ran it and didn't really find anything..actually only flagged 2 things. One was a cookie from hotmail (Actually not from hotmail but from the banner adds there) and another 3 reg entries that had to do with security settings...I deleted them to see if it made any changes. Rebooted.

And that is where I am now. No more toolbar or booster installs at the moment. But spybot shows me the same reg entrys I deleted, so they seem to be there for a reason. And the IP of still works away at trying to make contact.

So best I can pass on is this:

If you use IE you may discover this a lot faster but I don't and I noticed this because it effects windows Explorer. If you click on any folder and you see a menu bar that was not there before that has listings for XXX and other items you got hit. If you look under View > Toolbars and see a listing for "IE Search Toolbar" you got hit. If you look in the running process and see any variation of "sys3425.exe" "Sys024.exe" "sys534.exe" than you got hit. Also if you see init32m.exe you probably got hit.

In this case to do a system search for any of the following files:
1> $$$_.log
(with the following in it) :
(Also note at no time did I ever find any of the kist .exe files anywhere on my system)

2> dsmanager.dll and dsmanager32.dll in the system32 directory. (Check to see if they have an internal name of BHO.DLL before you delete them)

3> In the windows directory any exe file starting with sys followed by a number. (ie: sys024.exe, sys5234.exe, etc)

4> Look in the add/remove programs for "MDS Search Booster" and "IE Search Toolbar plugin". (Actually you could try this first, and than uninstall - however I did this and on reboot they both were there again)

5> Search for init32m.exe.

6> Open regedit and search for all of these:
MDS Search Booster
IE Search Toolbar plugin
Perezzz Software

And delete the entries these are in.

You can also do a search for BHO.DLL and/or BHO however you will get some items that don't seem to be related to this however I did get 2 that were called something like BHO.IESearchToolbar that I did delete.

If you have any sort of firewall or router than filter out these IP's and (The seemed to go away after I got rid of the "MDS Search Booster" files)

Also look at the date(s) of these files - all of them had todays date on it. January 17, 2005. Most of the times started around 11 am. I can not say if this is the actual date of the files or the install date as they were written to the system however if you find a buttload of files all with the same date and time - current date and time - than it could be this.

For now this seems to have solved the problem - although something on the system is still trying to access and I have no clue what. (matter of fact in the time I have been typing this the firewall has blocked outgoing access to this IP 7 times)
filmy wrote on 1/17/2005, 6:29 PM
Spot - LOL!!
filmy wrote on 1/17/2005, 6:35 PM
So I am trying to find this IP and any info on it because my system is trying to contact it, even if I am *not* in this forum or "online". Well check this out - I find a thread about this sort of thing and someone asks about the same bloody IP and guess what the answer they got was???? a Level3 Communications 'owned' IP address

WTF???? Erm...sony...any comment???