spyware problem

austim

Technical User
Jul 17, 2001
37
AU
Hi, all.

I apologise if this is not quite the correct forum for my problem, but this is the nearest that I can find.

During a recent overenthusiastic search for some good (and free) metronome software, I somehow managed to download some spyware.

I have "Spybot - Search and Destroy" installed, and that identified about 16 'threats' from C2.LOP (registry entries etc). After instructing S&D to deal with all the identified threats, I have still been left with some problems.

A number of suspicious program files had been installed in my ...\local settings\temp folder. I found that these were all copies of one file, with random names. It appears that at start up, this file tries to install an (unwanted) pop-up bar at the bottom of my IE6 window, with icon shortcuts for gambling, bad etc sites, and also modifies my home page to sbjr.com/passthrough/index.html.

At start up my Tiny FireWall alerts me to a program that it does not expect. As long as I prevent it from opening, all seems OK with my system. However, deleting all files from the folder is not a cure, since at each startup similar files are created (with a different name each time).

Presumably I have been left with a residual (and well hidden) program somewhere that generates these files at startup. Is there any (relatively simple) way that I can do my own detective work and find out which program it is, so that I may delete it?

Alternatively, has any other member been faced with the same problem, and has a ready-made solution (short of a complete reformat of my Windows partition)?

I would greatly appreciate any helpful suggestions - this sort of stuff is way beyond my own experience.
 
Minor progress with my amateur detective work.

The activity monitor of Tiny Firewall tells me that the process that is causing me trouble is Idzquujo.exe. (All other processes listed up to the time that the unwanted program tries to run are clearly identifiable Windows files).

But.. there is no file named Idz*.* anywhere on my system. :-(
 
HI, browolf.

I should have told you that of course. Yes, I scanned my entire hard disks (all 80 GB) with Vet, updated as of two days ago. Nothing found.

I have just run a trial version of "Pest Patrol" which tells me that it found registry entries from Lop.Com. It looks as if my quickest route could be to buy a licensed copy of Pest Patrol (if it is not too pricey).
 
Have you tried downloading Ad-Aware, its a pretty good program for scanning and removing spyware.
 
If you are receiving strange, apparently random, file addresses on executables, then it might be a trojan. If so, reinstalling everything from scratch is the only truly safe way of handling it.

However, since it appears it might be spyware instead, you can take care of it manually, in most cases. On a Windows machine, it will either be in the startup group (probably), or possibly a BHO. Try this on most versions of Windows to locate any problem program that runs upon startup:

Delete the temp files or otherwise do something to ensure you will know if the software does or does not run. Run msconfig from the Run line. Set to selective startup. Go to the startup tab. Remove half the check marks. Reboot.

If the program is disabled, it was one of the ones you unchecked. If it wasn't, it was one of the ones still checked. Pick whichever list it is and split it in half, checking (or unchecking) one half and leaving the other half unchanged. Repeat until only one program remains which, if checked, causes the problem, and which, if unchecked, makes the problem go away. This is the cause of your problem. Uncheck that file and only that file, check the others, and close out of the program.

In some versions of msconfig, it will tell you where the file is located, in some it does not. It will either be in the Registry, win.ini (unusual), or the Startup folder. To check the Registry, first ***backup***. (If you don't know how, then ask. Do not edit the Registry without backing up). Look under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\, and/or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, and check for keys that start with the word "Run", such as Run or RunServices. The key that ends in a minus sign "-" is the key that contains the currently disabled software, i.e. run-, runservices-, etc. Write down the location and delete the key.

If it isn't in the Registry, right click on your start button, select Open, open Programs, then locate Startup-. The file in Startup- will be the culprit; delete it and all is well.

This can be used to eliminate a lot of useless software that runs upon boot on most Windows machines, too.
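A read-only way to enumerate the same autostart locations Filksinger walks through (the Run, RunOnce, RunServices and msconfig-disabled "Run-" keys under both hives, plus the Startup folders) and flag any entry launched from a Temp folder, as in the original poster's case. This is an added example, not code from the thread; it assumes a current Windows host with PowerShell rather than the poster's Windows 2000, and the function names and the Temp-path test are my own.

```powershell
# Added example (not from the thread). Lists every autostart entry in the
# locations named in the post and marks commands that run out of a Temp folder.
# Read-only: it changes nothing, so the registry backup advice above still applies
# before you delete anything it shows you.

$hives = 'HKLM:\Software\Microsoft\Windows\CurrentVersion',
         'HKCU:\Software\Microsoft\Windows\CurrentVersion'

function Get-AutostartEntry {
    foreach ($hive in $hives) {
        # Every subkey whose name starts with "Run": Run, RunOnce, RunServices, Run-, ...
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'Run*' } |
            ForEach-Object {
                $key = $_
                # Each value under the key is one command executed at logon/boot
                foreach ($valueName in $key.GetValueNames()) {
                    [pscustomobject]@{
                        Location = "$hive\$($key.PSChildName)"
                        Name     = $valueName
                        Command  = [string]$key.GetValue($valueName)
                    }
                }
            }
    }
    # Per-user and all-users Startup folders (msconfig parks disabled items in "Startup-")
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Test-TempLaunch {
    param([string]$Command)
    # Legitimate startup items are almost never run from a Temp folder; the pattern
    # covers the Windows 2000 "Local Settings\Temp" layout as well as modern profiles.
    return [bool]($Command -match '\\(Local Settings\\Temp|AppData\\Local\\Temp|Windows\\Temp)\\')
}

Get-AutostartEntry |
    Select-Object Location, Name, Command,
        @{ Name = 'Suspicious'; Expression = { Test-TempLaunch $_.Command } } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Entries marked Suspicious are candidates for the bisection above, not proof of infection; a random-looking name that points at a Temp folder matches the pattern described in this thread.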
 
My thanks to you all for your responses. I have made considerable progress, but am not entirely free of C2.lop yet.

browolf - yes, my SpyBot S&D is as up to date as it can be. I really would only want to reformat/reinstall as an absolute last resort.

Grenage - I have tried twice to install and run ad-aware. Both times I got an Application Error message as soon as I tried to run it. "The application failed to initialize properly (0xc00005). Click on OK to terminate the application". I'm still working on that via the lavasoft forums.

Filksinger - Sadly, my Windows 2000 Pro does not recognize msconfig.

Since I posted, I have heard back from Patrick Kalle (developer of SpyBot S&D). With his guidance I found and deleted the principal files causing my problems. For all practical purposes, my system now seems to be working all OK.

However, the evaluation version of Pest Patrol still tells me that I have Lop.Com entries in my registry. I have found and deleted one, but there must be others which are too well hidden for me to find.

Since my system is now back in working condition, (or 99% there, anyway), I would not want any of you to spend any further time on this. There must be more deserving cases than mine now. Again, many thanks for all your support and suggestions.
 
I have closure.

I eventually decided that (because of problems with several software packages) I should accept browolf's advice and remove and reinstall Win2000. Which I have now done. So far two of my software problems have apparently been cured, so it has already been worth the trouble.

Again, thanks for your responses.
 
it's worth getting hold of Norton Ghost and making a "ghost image" of a working 2k install; that way if you ever need to reinstall it only takes 5 mins to put the image back.
===============
Security Forums
 