
Increasing importance of realtime spyware scanners


vop (Technical User, Mar 30, 2001)
This is a story on the importance of:

realtime spyware scanners,
process killers,
how one incident became the tip of the iceberg,
need for and co-existence of similar multiple tools.


Ever wonder whether a (free) tool like SpywareGuard (SG), a real-time spyware scanner, is necessary or whether it actually does anything? It is easy to get complacent when there is no evidence of this tool in action and especially so when one's safeguard procedures have tended to keep you mostly spyware-free.

Most recently and all of a sudden, SG intercepted four (4) Browser Helper Objects (BHOs) trying to load at bootup. It identified four (4) DLLs that were trying to load and allowed me to kill each load attempt.

That is not the end of the story. Internet Explorer would not load after that. I rebooted - same problems and result.

I then loaded up a new favorite freeware tool known as 'Process Explorer'.
I was able to clearly see and KILL three (3) running processes with clearly odd descriptions. Internet Explorer was up and running once the middle process had been killed - first one selected:

MSBB.EXE - search assistant (180 Solutions Inc.)
YVUYEB.EXE - installation utility for ISTSVC.EXE - istsvc

A little research brought up disturbing info on all of them. Ran SpyBot and removed 46 items. Ran Adaware and discovered that the cleanup process had been far from complete (another 32 objects including many cookies):

VX2.BETTERINTERNET
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=File : c:\recycled\dc1.exe
obj[26]=File : c:\windows\twaintec.ini
obj[27]=File : c:\windows\preinstt.exe
obj[28]=File : c:\windows\twaintec.dll
obj[29]=File : c:\windows\alchem.exe

WHENU
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[30]=File : c:\program files\clocksync\sync.exe

180SOLUTIONS
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[31]=File : c:\program files\180solutions\fleok\msbb.exe


I have since started running TeaTimer (another realtime scanner included with SpyBot). It not only co-exists with SG but is picking up different things as well. I believe that Adaware also has a similar component.

There were still some odd behaviors going on. This led me to check 'Add/Remove Programs'. Some of the re-infection and delivery components were still alive and well. I had to check out (research) and uninstall three (3) components and do a disk cleanup of TEMP files and CACHE:

1STSVC
XXXTOOLBAR
WSEM UPDATE


Conclusions:

No one tool does it all.

What other favorite tools come to mind - especially process KILL tools?

A realtime spyware alert can literally become the tip of the iceberg. Make sure to follow all the crumbs and warning signs to conclusion.
 
Can anyone advise on a suspected dial up virus with the following path: C:\program files\istsvc and HKEY_CURRENT_USER\Software\ist which appeared on a laptop running XP connected to broadband. It appears to want to dial prem. numbers. Many thanks.

WackyDJ
 
I feel your pain.

The newer variants of VX2 are incredibly hard to manually remove, and a restore from a backup is my best guess at the moment.

This is going to be a very ugly XMAS holiday season with the stuff now floating around the internet. Can you imagine the genuine grief that is likely going to occur for a child's Christmas gift, or the effort to introduce your senior parents to the internet?

I wrote in faq608-4650 my thoughts on manual cleanup. But no matter what else you do this Holiday season:

. disable ActiveX on your browser
. be certain your backup plan is a good one

Best Holiday wishes to all,
Bill Castner

 
We had one virus that trashed IE a year or two ago - I installed Netscape, so I had an uninfected browser, then removed IE, ran SpyBot and the fixes from Microsoft, then finally was able to reinstall IE. Having a copy of Netscape around can be VERY handy! Most of the nasty stuff is designed to take advantage of IE's vulnerabilities.

Fred Wagner
KQ6Q@arrl.net
 
Bill & Others,

Thanks for the informative post. I have been working on lots of PCs with spyware, etc. This is a helpful forum.

I have been having quite a time with one particular PC. I have done all the things in the FAQs and such and still I have one that is driving me nuts.

It's a VX2. Lavasoft SE can't get it. Spybot crashes. I have used Hijack and many, many others and got most of the others, but this one is nasty. I have used Killbox to try and delete the .dll but it will change names on reboot. I have used AVG and McAfee and finally McAfee has me back on the Internet, but I still can't get rid of that VX2. Any idea as to what I have exactly and what I can do to get rid of it?

Thanks,

Erik
 
I work in a PC repair shop and remove scumware (and viruses) on a lot of machines. I read bcastner's faq, and would add the following to that (bcastner, feel free to incorporate this into your faq).

All scanning should be done in safe mode, as this makes it easier for the scanners to remove malware, and they certainly run faster when the machine is heavily infected. Most malware does not load in safe mode. If the patient is Win9x/Me, you will need to copy over the scanners and other utilities first if you have them on a CD or USB memstick, because you won't be able to access them in safe mode.

When machines are severely infected, it is difficult or impossible to update a scanner online. I like to download the scanner dat files ahead of time on a different machine and keep them on a USB flash stick or CD-RW, install the scanner, update it and then run the scan.

Because one tool does not catch all, I usually only scan with a couple and then remove/disable the rest of it manually, using hijackthis and manual deletion. This method does not remove all registry entries or orphaned files, but it does take the malware out of commission. If you want, you can then do a scan with the free trial version of Spysweeper (you have to update it online) and clean up the remnants.

One thing that you must do without fail before booting into protected mode is to delete all temp files from the following directories, while in safe mode: c:\windows\temp, c:\documents and settings\user_name\local settings\temp and go into Control Panel - Internet Options and delete Temporary Internet Files (make sure Delete Offline Content is checked). Make sure you do this for all user's temp directories.

If you don't do this, don't be surprised if some of the malware reinstalls itself when the system is rebooted.

When searching for temp files, make sure the options are checked so that it searches system/hidden directories. When using Windows Explorer to look at users' temp directories, make sure to set the Tools - Folder Options - View to show hidden files, do not hide extensions for known file types and show protected operating system files. I have been finding a lot of malware lately that designates its files as protected operating system files.

If you manually delete things, do not send them to the recycle bin. I have found that some of this stuff continues to run from the recycle bin! For this reason, make sure to empty the recycle bin as well.

If your system seems to be clean, but you still can't connect to antispyware or antivirus web sites, check the contents of your hosts file. One trick they use is to redirect requests to visit such websites to the loopback address of 127.0.0.1. The latest version of hijackthis (v1.99 as of this writing) includes a hosts file editor.

And lastly, whatever you do, don't let anyone talk you into formatting the hard drive to get rid of this stuff. If you can't remove it yourself, take it to a pro or avail yourself of one of the malware removal forums. If the pro tells you that he is going to have to format the hard drive, run out of his shop and take the time to find a good one.

It takes me 2 hours at the most to clean up the most heavily infected machines. Some of these have had over 500 pieces of malware identified by Spybot, and Spybot doesn't do that thorough of a job!
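The hosts-file check described above, as an added example that is not from the original post or any of the tools mentioned: it parses a hosts file and flags names (other than localhost) pointed at the loopback address, plus security-vendor names pointed anywhere else. The vendor watch list and the sample hosts text are constructed for the example.

```python
import ipaddress

# Constructed watch list: vendor domains the thread's tools download from.
WATCHED_DOMAINS = ("lavasoft.com", "safer-networking.org", "mcafee.com",
                   "sophos.com", "symantec.com", "microsoft.com")

# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), no


def audit_hosts(text):
    """Return (line_no, ip, name, reason) for every suspicious mapping."""
    findings = []
    for ip, name, no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, name, "unparseable address"))
            continue
        if name in LEGIT_LOOPBACK:
            continue
        if addr.is_loopback:
            findings.append((no, ip, name, "name blackholed to loopback"))
        elif is_watched(name):
            findings.append((no, ip, name, "vendor site redirected elsewhere"))
    return findings


# Constructed sample: a stock XP hosts file with hijacker lines appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.lavasoft.com
127.0.0.1 www.safer-networking.org
127.0.0.1 download.mcafee.com   # appended by the infection
192.0.2.10 windowsupdate.microsoft.com
"""
```

Feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; any finding is a line to remove before trying the vendor sites again.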

 
Bill is right, I recently got infected with VX2 and I was running McAfee Security Centre (virus, firewall, privacy and spyware); this did nothing to prevent or clean VX2 from my laptop. McAfee came with a new Dell laptop I bought and although it looks pretty has proved to be useless. I have now had to reinstall XP from scratch and am now using Sophos, PestPatrol, Adaware and Spybot and since then I have not had a single problem. No one product is effective but various used together are.

Are you suggesting coconuts migrate?
 