Spyware Software

baumgrenze

Recently I was reviewing the results of a Google search for baltic
birch plywood when suddenly a window opened and a program called "Spy-
Shredder" began running full tilt. It looked like a scam so I used the
back button and went back to my search results. It persisted and
reappeared and began a download I did not request (as far as I could
tell.) I caught it in SeaMonkey's download manager and stopped it.
Somewhere in about the same time frame I stopped a download from
"spywarebegone.com" too using the same technique.

I abandoned learning about plywood and set about learning about "Spy-
Shredder." I should have slept on the problem. I grabbed the first
'solution' I found on PC Magazine's website and downloaded and
installed "Spyware Bot." It was free until I ran it and discovered
that to have it clean up what it had found I had to register and pay.
I balked and uninstalled it. I was not impressed. It found "TimeSync"
and declared it malicious. It was upset about cookies from
PriceGrabber, ZDNet and Travelocity. It seemed as though it was bent
on finding as big a list as it could compile, just to impress me with
its effectiveness.

Today I looked more carefully, I thought, and found "Spyware Doctor."
That came via PC Magazine, too. Again the come-on suggested a
free-for-home-user product like Avast, but once the program was installed
and run, I ended up on what looked like the same website demanding
that I register and pay in order to have the software clean up my
computer. Once again, I uninstalled the program.

Then I ran AdAware and it found only 8 items. I recalled that there
was an item that it did not find that Spyware Doctor found. I failed
to do a screen dump of the results before I deleted the program! I
think it was "DealHelper."

I tried reinstalling Spyware Doctor to rerun the scan. I was troubled
when the install reported that the target directory was still on my
hard disk. The reinstall failed part way through. The install program
"was not responding" when I looked in the Task List. I tried another
uninstall only to learn that the uninstall module was now corrupted.

I went to ZTree and scanned down through ProgramFiles. The directories
for both SpywareBot and SpywareDoctor were still there. I found the
log files and copied and pasted them to Word.

What does an uninstall routine do if it does not remove the
ProgramFiles directory and its contents as part of the process?

I do not want to dig myself an even deeper hole. I remember being
told that it is unwise to just find a program's folder and delete its
contents.

1) What do I do to clean this software from my machine?

2) Is there a reputable program (one that does not bait-and-switch)
that handles spyware effectively?

I have "HijackThis" and can run a log if that is helpful.

Thanks,

baumgrenze
 
baumgrenze

I ran HijackThis and the log is 'simple' relative to some I've seen.
Just to simplify the process, here it is.

Logfile of HijackThis v1.99.1
Scan saved at 9:31:38 PM, on 9/17/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\RAMPAGE V1.3\RAMPAGE.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE.FIX.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\ZTREE\ZTW.EXE
C:\PROGRAM FILES\MOZILLA.ORG\SEAMONKEY\SEAMONKEY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\HJTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TimeSync] C:\PROGRAM FILES\TIMESYNC\TimeSync.exe /t
O4 - HKLM\..\Run: [RAMpage] C:\Program Files\RAMpage V1.3\RAMpage.exe T=1
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: STIMON_LOAD.EXE
O4 - Startup: ColorPlus Startup.lnk = C:\Program Files\PANTONE COLORVISION\ColorPlus\ColorPlus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {53DBD2C0-39A5-11D5-888A-00B0D0DCBB25} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .bpt: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/us/en/systemprofiler/SysPro.CAB
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = 922
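
Added example (not part of any poster's message): a way to list which entries in a HijackThis log still reference a product after a failed uninstall, so the leftovers can be reviewed. The function names `unwrap` and `find_leftovers` are hypothetical; the sample is an excerpt of the log above, kept in its newsgroup-wrapped form, and the 8.3 alias rule (first six characters plus `~N`) is assumed from the short paths that log shows.

```python
import re

# Excerpt of the HijackThis log posted above, wrapped the way the news client wrapped it.
SAMPLE = r"""O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
- C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O4 - HKLM\..\Run: [TimeSync] C:\PROGRAM FILES\TIMESYNC\TimeSync.exe /t
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR
\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE
DOCTOR\SWDOCTOR.EXE" /Q
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner)
- http://ax.emsisoft.com/asquared.cab
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")  # section code, then the entry text


def unwrap(text):
    """Rejoin entries that a mail/news client wrapped across lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY.match(line):
            entries.append(line)
        elif entries:  # continuation; header lines before the first entry are skipped
            prev = entries[-1]
            # No space when the break fell inside a path or a GUID.
            inside = (line.startswith("\\") or prev.endswith(("\\", ":"))
                      or re.search(r"\S-$", prev))
            entries[-1] = prev + ("" if inside else " ") + line
    return entries


def find_leftovers(text, product):
    """Return (section, match_kind, entry) for entries that reference product."""
    exact = re.compile(re.escape(product), re.I)
    # 8.3 alias of the install folder: first six non-space characters plus ~N.
    stem = product.replace(" ", "")[:6]
    short = re.compile(r"\\" + re.escape(stem) + r"~\d", re.I)
    hits = []
    for entry in unwrap(text):
        section = ENTRY.match(entry).group(1)
        if exact.search(entry):
            hits.append((section, "exact", entry))
        elif short.search(entry):
            hits.append((section, "short-name", entry))
    return hits


if __name__ == "__main__":
    for section, kind, entry in find_leftovers(SAMPLE, "Spyware Doctor"):
        print(f"{section:4} {kind:10} {entry}")
```

A "short-name" hit is only a candidate: the SpywareBot folder shares the `SPYWAR~N` stem, so the path has to be confirmed on disk before anything is removed.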
 
Malke

baumgrenze wrote:
> I ran HijackThis and the log is 'simple' relative to some I've seen.
> Just to simplify the process, here it is.


(snip HJT log)

Please do not post HJT logs in the MS newsgroups. HJT logs take a great
deal of time and expertise to analyze and you will not get the attention
you need here. Instead, register at one of the specialty sites listed
below (in no particular order) and post your log there.

Here are general malware removal steps which you may wish to go through
first:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://pcdid.com/Multi_AV.htm - download

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed below (not here, please).

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://spywarewarrior.com/viewforum.php?f=5
http://forums.techguy.org/54-security/
http://forums.tomcoyote.org/

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Richard Urban

Spyware Doctor from PCTools is one of the better AntiSpyware programs. I
just went to the PCMag website and looked at the reviews. Nowhere does it
even begin to imply that it is free for home use. In fact, it specifically
stated that it is $39.95.

From the web site:

Spyware Doctor with AntiVirus 5.0

REVIEW DATE: 03.21.07

PC Tools
http://www.pctools.com



Price As Tested: $39.95 Direct
Type: Business, Personal, Professional
Free: No
OS Compatibility: Windows Vista, Windows XP


--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)
 
baumgrenze

Here's what I found. Perhaps I should have been suspicious because of
the "Sponsored Links" but I read in another forum that Spyware Doctor
was good.

http://search.zdnet.com/index.php?q=freeware+spyware

Sponsored Links

* Spyware Removal Download
Visit Web Site Free Spyware scan. Winner of the Best Anti-
Spyware. Rated 5 Stars!
www.pctools.com

http://www.pctools.com/spyware-doctor/?ref=google_ab&gclid=COmd_9PMzo4CFROFhgodCSxp9g

and then on to

http://www.pctools.com/spyware-doctor/version4/


Home & Home Office

Try it to see why experts awarded Spyware Doctor the best Anti-Spyware
of 2005

Free Download | More Information


Editor's Choice Anti-Spyware
Don't compromise your security with second best!

* Recommended by experts and editors around the world as the best
Anti-Spyware.
* FREE customer support for all users.
* Frequent advanced updates ensure that you are always protected.
* Detects, removes and blocks all types of Spyware and Adware
threats.
* Easiest to use with intelligent automatic protection.
* 100% Money Back Guarantee.

Best Spyware Protection. Used by Millions World Wide.

Spyware Doctor has been downloaded over 100 Million times with a
million more downloads every week. Millions of people worldwide use
Spyware Doctor to protect their identity and PC security.

Spyware Doctor has consistently been awarded Editors' Choice, by
leading PC magazines and testing laboratories around the world,
including United States, United Kingdom, Sweden, Germany and
Australia. All current versions of Spyware Doctor have won Editors'
Choice awards from PC Magazine in United States. In addition, after
leading the market in 2005, Spyware Doctor was awarded the prestigious
Best of the Year at the end of 2005.

Spyware Doctor continues to be awarded the highest honors by many of
the worlds leading PC publications such as PC Pro, PC Plus, PC
Authority, PC Utilities, PC Advisor, PC Choice, Microdatorn, PC
Answers Magazine plus number of reputable 5-star ratings including
CNET's Download.com and Tucows.

Note : If you are choosing Anti-Spyware make sure you choose one that
is proven and has genuine awards from one or more world leading
research labs such a PC Magazine, PC World, CNET, PC Pro Magazine, PC
Authority, PC Answers and other trusted labs. More importantly do not
use ratings from unknown review websites, as often these are designed
to mislead you into purchase of affiliated, inferior or rogue product.
Detects, removes and blocks all types of Spyware.

Did you know that numerous programs tested against Spyware Doctor
detected only small fraction of Spyware and completely removed an even
smaller amount? Also most of them were unable to effectively block
Spyware in real time from being installed on users PC in the first
place.

Spyware Doctor has the most advanced update feature that continually
improves its Spyware fighting capabilities on daily basis. As Spyware
gets more complex to avoid detection by AntiSpyware programs Spyware
Doctor responds with new technology to stay one step ahead.
Easiest to Use

Spyware Doctor is advanced technology designed specially for people,
not experts. That is one reason why it won the People's Choice Award
in 2005 and 2006. It is automatically configured out of the box to
give you optimal protection with limited interaction so all you need
to do is install it for immediate and ongoing protection.

Spyware Doctor's advanced OnGuard technology only alerts users on a
true Spyware detection. This is significant because you should not be
interrupted by cryptic questions every time you install software, add
a site to your favorites or change your PC settings. Such messages can
be confusing and lead to undesirable outcomes such as inoperable
programs, lost favorites or even Spyware being allowed to install on
the system. We've done the research so you don't have to.
Spyware Doctor Full Version Information
Current Version: 4.1.0.1
File Size: 11,161 KB
Operating System: Designed for Windows® 98, Me, 2000 and XP, with
basic support for Windows® Vista™
Release Date: April 26, 2007
Protection Against: Spyware, Adware, Spyware Trojans, Keyloggers,
Identity Theft, Hijackers, Tracking Threats, Rogue Anti-Spyware,
Unwanted Software, Phishing, Popups and Bad Websites.


Careful examination of the verbiage shows that it just says that the
"download" is free. Nothing on this page says anything to suggest that
if you download, install and run the program you will be told to
pay money to register, and, if you don't, you'll find it difficult to
uninstall the program once it is on your machine.

baumgrenze


On Sep 18, 6:08 am, "Richard Urban"
<richardurbanREMOVET...@hotmail.com> wrote:
> Spyware Doctor from PCTools is one of the better AntiSpyware programs. I
> just went to the PCMag website and looked at the reviews. Nowhere does it
> even begin to imply that it is free for home use. In fact, it specifically
> stated that it is $39.95.
>
> From the web site:
>
> Spyware Doctor with AntiVirus 5.0
>
> REVIEW DATE: 03.21.07
>
> PC Tools
> http://www.pctools.com
>
> Price As Tested: $39.95 Direct
> Type: Business, Personal, Professional
> Free: No
> OS Compatibility: Windows Vista, Windows XP
>
> --
>
> Regards,
>
> Richard Urban
> Microsoft MVP Windows Shell/User
> (For email, remove the obvious from my address)
 
baumgrenze

I apologize for the HJT log, however simple it is.

I should have put in a standard preface to indicate that the machine
is an OptiPlex GX200 which is running Win98 SE2 because that is what
was on the Dimension that Dell originally sold me. That machine died
slowly under warranty and they finally gave up and sent what they
could in the way of a machine that supported SCSI.

Vista does not enter into the question.

I am still troubled that I cannot uninstall Spyware Doctor and/or
SpywareBot. Should I consider them malware? Others here seem to think
not. I'm confused and tired.

baumgrenze



On Sep 18, 4:49 am, Malke <notrea...@invalid.invalid> wrote:
> baumgrenze wrote:
> > I ran HijackThis and the log is 'simple' relative to some I've seen.
> > Just to simplify the process, here it is.

>
> (snip HJT log)
>
> Please do not post HJT logs in the MS newsgroups. HJT logs take a great
> deal of time and expertise to analyze and you will not get the attention
> you need here. Instead, register at one of the specialty sites listed
> below (in no particular order) and post your log there.
>
> Here are general malware removal steps which you may wish to go through
> first:
>
> Go through these general malware removal steps systematically -
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> Include scanning with David Lipman's Multi_AV and follow instructions to
> do all scans in Safe Mode. Please see the special Notes regarding using
> Multi_AV in Vista.
>
> http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
> http://pcdid.com/Multi_AV.htm - download
>
> You can also check to see if there are targeted removal steps for your
> malware here:
> Bleeping Computer removal how-to's -
> http://www.bleepingcomputer.com/forums/forum55.html
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed below (not here, please).
>
> http://aumha.org/downloads/hijackthis.zip
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
> another tutorial
> http://aumha.net/ - Click on the HijackThis forum. Read the announcement
> and the stickies *first*.
> http://www.atribune.org/forums/inde....org/54-security/
> http://forums.tomcoyote.org/
>
> Not all tools used will work in Vista and you will need to run them
> elevated. Since Vista is so new, it will be a while before removal
> techniques and tools are developed. If you are unable to remove the
> infection by following the general steps, register at one of the
> HijackThis forums as suggested.
>
> Standard caveat: If the procedures look too complex - and there is no
> shame in admitting this isn't your cup of tea - take the machine to a
> professional computer repair shop (not your local version of
> BigComputerStore/GeekSquad). Please be aware that not all local shops
> are skilled at removing malware and even if they are, your computer may
> be so infested that Windows will need to be clean-installed. Have all
> your data backed up before you take the machine into a shop.
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
 
Malke
