Re: Downloads and Spyware

From: Shenan Stanley (news_helper_at_hushmail.com)
Date: 09/05/04


Date: Sun, 5 Sep 2004 14:24:43 -0500

Pete Q wrote:
> Thanks for the tip! I wasn't aware you could crosspost.
> How is this done?

Depends on your current method of posting. The web page instructions would
differ from the Outlook Express instructions, and the Outlook Express
instructions would differ from the FreeAgent instructions.

> As far as the spyware is concerned it sounds like you are
> saying in nearly all cases I should delete if Ad-aware or
> spybot finds it. (I haven't installed spybot yet but was
> planning to do this as well)

Correct. Although the process is not perfect, I have cleaned systems with
more than 1200 items (some just cookies) of spyware/adware/malware, and erasing
them had no ill effect. I cannot say it NEVER has an ill effect - but most
of the time - none.

> You referenced the WTOOLS as being one of the worst. I am
> assuming that "WTOOLS" AND "WINTOOLS" are considered the
> same, with the latter being equally bad? I had some files
> that were identified as WTOOLS and others as WINTOOLS.

This site may help you sort through the logs:
http://www.xtremecomputing.co.uk/forum/showthread.php?t=2248

This one is someone with wtools problems:
http://help.lockergnome.com/index.php?showtopic=24072

> Next to the temp files most of the others that were
> identified were the following. I would appreciate if you
> could scroll down the list quickly and let me know if you
> see anything that you think should be kept. (Again, this
> is my first time with the spyware experience and just
> want to make sure I am not getting rid of something I
> need).
>
> obj[63]=File : C:\System Volume Information\_restore{AEE18235-44F1-49E2-A53B-7A4B7FDD6850}\RP149\A0018436.exe
> obj[64]=File : C:\System Volume Information\_restore{AEE18235-44F1-49E2-A53B-7A4B7FDD6850}\RP158\A0018660.exe
> obj[65]=File : C:\System Volume Information\_restore{AEE18235-44F1-49E2-A53B-7A4B7FDD6850}\RP159\A0018728.dll
> obj[66]=File : C:\System Volume Information\_restore{AEE18235-44F1-49E2-A53B-7A4B7FDD6850}\RP159\snapshot\MFEX-1.DAT
>
>
> obj[8]=Regkey : protocols\name-space handler\res\wtoolsb.resprotocol
> obj[9]=Regkey : wtoolsb.resprotocol
> obj[10]=Regkey : clsid\{a8deb4a5-d9ef-4d21-b4f6-921475004e7d}
> obj[11]=Regkey : clsid\{87766247-311c-43b4-8499-3d5fec94a183}
> obj[12]=Regkey : clsid\{87067f04-de4c-4688-bc3c-4fcf39d609e7}
> obj[13]=Regkey : S-1-5-21-4083798302-572454927-963639892-1003\software\wintools
> obj[14]=Regkey : software\wintools
> obj[15]=RegValue : Software\Microsoft\Windows\CurrentVersion\Run
> obj[16]=File : C:\Documents and Settings\Owner\Local Settings\Temp\IExploreSkins.exe
>
> obj[7]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
>
> obj[8]=Regkey : protocols\name-space handler\res\wtoolsb.resprotocol
> obj[9]=Regkey : wtoolsb.resprotocol
> obj[10]=Regkey : clsid\{a8deb4a5-d9ef-4d21-b4f6-921475004e7d}
> obj[11]=Regkey : clsid\{87766247-311c-43b4-8499-3d5fec94a183}
> obj[12]=Regkey : clsid\{87067f04-de4c-4688-bc3c-4fcf39d609e7}
>
> POSSIBLE BROWSER HIJACK ATTEMPT
> »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
> obj[15]=RegData : Software\Microsoft\Internet Explorer\Main
> obj[16]=RegData : Software\Microsoft\Internet Explorer\Search
> obj[17]=RegData : S-1-5-21-4083798302-572454927-963639892-1003\Software\Microsoft\Internet Explorer\Main
>
>
> ArchiveData(auto-quarantine- 2004-09-04 22-02-19.bckp)
> Referencefile : SE1R6 30.08.2004

I really see nothing that would be harmful to delete. I cannot say that it
will completely rid you of all the spyware - but it looks like it should be
a good start. Reboot after you do it. Then immediately rerun the scanners.

-- 
<- Shenan ->
-- 
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions.   Know what you are
getting into before you jump in with both feet.
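The script below is an added example, not code from the original post and not part of Ad-Aware or Spybot. It parses lines in the shape of the Ad-Aware log quoted above (obj[N]=Type : target) and sorts each entry by what its path means on a Windows XP machine, which is the question Pete was really asking. The SAMPLE_LOG lines are constructed from the quoted entries, and the RULES table holds my own heuristics, not the scanner's categories. The one class worth knowing before you click "delete" is the System Volume Information entries: those are copies held inside System Restore points, and the usual way to purge them is to turn System Restore off and back on rather than expecting the scanner to remove them in place.

```python
"""Triage an Ad-Aware style scan log ("obj[N]=Type : target" lines).

Added example, not code from the original post or from Ad-Aware/Spybot.
SAMPLE_LOG is constructed from the entries quoted in the thread, and RULES
holds the author's own heuristics for what each kind of entry means on a
Windows XP box, not the scanner's own categorisation.
"""
import re
from collections import Counter

# Constructed sample in the shape of the quoted Ad-Aware log, one entry per line.
SAMPLE_LOG = r"""
obj[63]=File : C:\System Volume Information\_restore{AEE18235-44F1-49E2-A53B-7A4B7FDD6850}\RP149\A0018436.exe
obj[8]=Regkey : protocols\name-space handler\res\wtoolsb.resprotocol
obj[10]=Regkey : clsid\{a8deb4a5-d9ef-4d21-b4f6-921475004e7d}
obj[13]=Regkey : S-1-5-21-4083798302-572454927-963639892-1003\software\wintools
obj[15]=RegValue : Software\Microsoft\Windows\CurrentVersion\Run
obj[16]=File : C:\Documents and Settings\Owner\Local Settings\Temp\IExploreSkins.exe
obj[7]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[15]=RegData : Software\Microsoft\Internet Explorer\Main
"""

# obj[<n>]=<Type> : <target>; Type is File, Regkey, RegValue or RegData in the quoted log.
LINE_RE = re.compile(r"^obj\[(\d+)\]=(\w+)\s*:\s*(.+?)\s*$")

# (label, pattern, what a practitioner should know), checked in order; first match wins.
# Structural rules come first so a WinTools key under Run is reported as persistence.
RULES = [
    ("restore-point copy",
     re.compile(r"\\System Volume Information\\_restore\{", re.I),
     "copy held in a System Restore point; the scanner cannot delete it in place, "
     "turn System Restore off and on again to purge all restore points"),
    ("autostart (Run key)",
     re.compile(r"\\CurrentVersion\\Run$", re.I),
     "persistence: a value here relaunches the program at every logon"),
    ("IE start/search page",
     re.compile(r"\\Internet Explorer\\(Main|Search)$", re.I),
     "browser hijack: home or search page values were rewritten"),
    ("COM class (CLSID)",
     re.compile(r"(^|\\)clsid\\\{[0-9a-f-]{36}\}$", re.I),
     "COM registration, typically the BHO or toolbar component itself"),
    ("IE extension",
     re.compile(r"\\internet explorer\\extensions\\", re.I),
     "toolbar button or menu item registered in Internet Explorer"),
    ("temp file",
     re.compile(r"\\Local Settings\\Temp\\", re.I),
     "dropped installer or payload in the user's temp directory"),
    ("WinTools/WTools artifact",
     re.compile(r"w(in)?tools", re.I),
     "named WinTools/WTools component (registry key or protocol handler)"),
]


def parse_log(text):
    """Return (id, type, target) tuples for every well-formed obj[] line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def classify(kind, target):
    """Map one entry to a (label, note) pair using the first matching rule."""
    for label, pattern, note in RULES:
        if pattern.search(target):
            return label, note
    return "other " + kind.lower(), "no specific rule matched; let the scanner quarantine it"


def triage(text):
    """Parse and classify a whole log; returns one dict per entry."""
    report = []
    for num, kind, target in parse_log(text):
        label, note = classify(kind, target)
        report.append({"id": num, "kind": kind, "target": target,
                       "label": label, "note": note})
    return report


def summary(text):
    """Count entries per label, e.g. to see how much of a 1200-item log is restore-point copies."""
    return Counter(item["label"] for item in triage(text))


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"obj[{item['id']}] {item['kind']:8} {item['label']:24} {item['target']}")
        print(f"    -> {item['note']}")
    print(dict(summary(SAMPLE_LOG)))
```

Feed it a real log by replacing SAMPLE_LOG with the file contents; on a log with hundreds of entries the summary line tells you at a glance how many are cookies and restore-point copies versus the handful of Run values and CLSIDs that actually decide whether the infection comes back after the reboot.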

