Foistware from CFC?

Thank you very much, I will try that as soon as I try to go back on my PC :)
 
It is kind of weird to catch a virus from CFC, when you think about it. :sad:

And TF, yeah probably some programs did try to install themselves on your PC.
When I got this, there were about seven new icons on my desktop (some were "setup," etc...)
 
Whoa, SpyBot is awesome! :) Just installed it and ran it. It has found so far two problem files (Alexa Related and DSO Exploit). These are probably things that did not get deleted after my format a few days ago.
Good stuff...

Actually, skip what I said, now it has found seven such files. :goodjob:
 
scoutsout said:
@Xen: Scroll back a page and get the link to Spybot - that seems to get most of the problems...

However - I've noted something with respect to the DSO exploit noted above. A few minutes ago I shut down my browser, ran Spybot, problem detected (again). "Fixed" the problem, shut down Spybot, restarted Spybot, and the same DSO exploit showed up. The only plausible explanation: there's a TSR running on my machine that is making this mod on the fly. And Spybot isn't getting to the source of the problem.

If possible, try running spybot whilst in windows' secure mode
or - if you know your way around the registry, try the following:
Open spybot, select tools, select system startup - read the description of each item, and delete anything that has a bad description.
Your problem is most likely a running process - or a combo of 2 running processes - one trying to back up the other. As soon as you know the name of the file causing trouble - remove it from Task management, then run spybot and a virus checker again. Hopefully, it should help
 
I downloaded and ran Ad-Aware first and then downloaded and ran Spybot and it seemed to do a good job so far.

I'll check out my home computer later.

EDIT:
Here is what Spybot found
Alexa Related
BlazeFind.Bridge
DSO Exploit
DyFuCA
eGroup
eUniverse

and surprisingly it identified Internet Washer

I have attached the text file with the cleanup data from Ad-Aware.
Ad-Aware scan results
 
Civrules said:
Whoa, SpyBot is awesome! :) Just installed it and ran it. It has found so far two problem files (Alexa Related and DSO Exploit). These are probably things that did not get deleted after my format a few days ago.
Good stuff...

Actually, skip what I said, now it has found seven such files. :goodjob:

Alexa related and the DSO exploit are, from what I can tell, standard in Windows once you have reinstalled it. Each time I have reinstalled Windows lately (3-4 times due to hardware problems, chose the wrong solution...long story), I've had Spybot detect those two. They were of course promptly removed. It seems the Alexa search spyware comes with IE as standard :eek:
 
After running Spybot and removing the offending "Avenue A, Inc." adware, I logged on and browsed many CFC pages until Spybot again warned me that it was stopping Ave.A. I was using IE via AOL ISP.

I've attached a paint of the page I was on when I received the warning. BUT as Ave A. is a cookie tracking program it MAY have been loaded by an ad on a previous page. Hope this provides a good starting point.
 
This is a guide to getting rid of the recurrent nasties that are afflicting PCs here at the moment. It's from computerelvis.com, so if it works pay them your regards.


Computer Elvis - The King of PCs
Getting Rid of VX, VX2, VX2.BetterInternet, ABetterInternet, Look2Me, and related variants.

Well, boys and girls, if you've found this page, you've probably gotten one of those nasty bugs listed above. Here's how to get them off your system.

First of all, these nasty parasites are produced by a sc*mbag company called Nictech, whose address is below. Perhaps you would like to file a suit against the company in small claims court for the cost value of your time in getting rid of their undesired, unrequested installation of their profit-motivated seizing of your hard drive space and utilization of the bandwidth which you pay for. Just go down to your local courthouse and file a small claims suit for say... $500??? $1000??? $4999.99??? That'll send them a good message about how happy you are!

Anyway, getting rid of it... Here's how:
Basically, these bugs work by surreptitiously installing themselves on your hard drives as hidden system read-only files which install a registry entry hooking them to Explorer.exe. This causes them to be installed every time you start your computer. These s-bags then use that file to download other nasty bugs onto your machine and hide them in the various places like the Windows\System directory and on some machines the Restore directory. These files are installed as hidden system read-only files.

New variants of this worm cause the file to re-install itself on every reboot by searching to see if its components are present and if not, re-installing them with new randomly generated names. Nice guys, these s-bags, huh?


FINDING THE FILES:
You need to get a spyware program to find the file names you need to eliminate. Ad-aware 6 is good at finding spyware (here is a link), but due to the nature of the hidden read-only attributes and hook on re-start, it cannot get this bug off your machine. An even better program is ScanSpyware, which finds a lot more pests. It is definitely worth every penny of its $19.95 price. They do offer a free version which will find the bugs (here is a link), but then you'll have to write down the offenders. ScanSpyware, however, will not get this bug off your machine because of the previously mentioned file attributes. But Ad-Aware and ScanSpyware will get everything else off so that by process of elimination you will only be left with the hidden s-bag files when you re-run the spyware program after a re-boot.

CONFIRMING THE FILES:
Go to Windows Explorer and select Folder Options, View, and make sure you select "Show Hidden Files and Folder".

In Windows Explorer, you should find the bugs in the Windows\System folder. Make sure you write down the names and match them up with what your spyware program has turned up. It is REALLY IMPORTANT to note the details on when the files were installed.

Go up the Windows Explorer tree to the _Restore folder (if you have Windows Millennium or 98) and look to see if there are files with the extension .0 or .1, which are installed into the TEMP directory and used to re-hook your machine. You'll want to get rid of them too!

Now, having your list of files and their directory locations written down, shut down your machine.

Now, with the machine off, make sure you disconnect your machine from the internet if you have a broadband connection (DSL, cable, network, etc).

When you re-boot your machine, you will want to hit the appropriate key just as the machine comes on so that you can go into the BIOS SET-UP and adjust your start sequence. On start, you get a first momentary screen that usually says "To Enter Set-up Press DEL", or "To Enter Set-up Press F1" before the Windows screen comes on. Do it. Then on the appropriate configuration page, make sure that the first boot device is your floppy instead of your IDE (hard drive). Save that configuration.

Now boot from your Emergency Start-Up disk in the floppy (if you don't have one, then make it!). Start with or without CD-Rom support, but do not use the basic command prompt option because it may not load the necessary DOS files.

Now at the command prompt A:>
type: C:

Press ENTER

That brings you into the command prompt C:>

Now type: cd windows\system
Press ENTER

That centers you in the directory C:\windows\system

Your command prompt should look like this:

C:\WINDOWS\SYSTEM>

Okay???? Now, look at the list of bad files. The one which keeps coming back after repeated Ad-aware and ScanSpyware runs is going to be something like "DfGSIG.DLL", so what we want to do is change the attributes in order to be able to delete it. (Since Microsoft has rigged it so hidden read-only system files cannot be deleted.)

So type: attrib DfGSIG.DLL -s -h -r
Press Enter

That will remove the system file attribute (-s), the hidden file attribute (-h), and the read-only file attribute (-r).

Now type: del DfGSIG.DLL
Press ENTER

BINGO! It's gone!

Now repeat the routine for all the offenders and the bug is squashed.

Now that you are a smarter computer operator, you might want to get TuneUp Toolkit 2004 and run a registry clean-up, because if this bug has been on your machine, it could have installed other registry entries not picked up by the spyware programs. Take a free download and run it.

If Computer Elvis has been helpful to you, you could show your appreciation by sending a donation.

Five dollars would be nice, since Computer Elvis has just saved you a whole lotta hassle.

Computer Elvis has been nice to you. So you should be nice to Computer Elvis.
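
An added example, not part of the post above or of the Computer Elvis guide: a small Python helper that reads saved `attrib` output and shortlists the files in C:\WINDOWS\SYSTEM that carry the system, hidden and read-only attributes together, which is the combination the guide clears with `attrib -s -h -r`. The output layout (attribute letters followed by the full path), the function names and every sample entry except the guide's own "DfGSIG.DLL" are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `attrib` output (assumed layout: attribute letters, then full path).
# DFGSIG.DLL is the guide's own example name; the other entries are made up.
SAMPLE = r"""
A  SHR       C:\WINDOWS\SYSTEM\DFGSIG.DLL
A            C:\WINDOWS\SYSTEM\KERNEL32.DLL
A   H        C:\WINDOWS\SYSTEM\OEMINFO.DLL
A  SHR       C:\IO.SYS
   SHR       C:\WINDOWS\SYSTEM\QKXWPA.DLL
not an attrib line
""".strip("\n").splitlines()

_DRIVE = re.compile(r"[A-Za-z]:\\")


def parse_attrib_line(line):
    """Return (set_of_flags, path), or None if the line is not in the assumed layout."""
    m = _DRIVE.search(line)
    if m is None:
        return None
    field = line[:m.start()]
    # Anything other than A/S/H/R and blanks means this is not the flag column.
    if not set(field) <= set("ASHR \t"):
        return None
    return set(field) - set(" \t"), line[m.start():].rstrip()


def hidden_system_readonly(lines, directory=r"C:\WINDOWS\SYSTEM", suffix=".dll"):
    """Paths directly in `directory` that carry all of S, H and R."""
    wanted_dir = PureWindowsPath(directory)
    hits = []
    for line in lines:
        parsed = parse_attrib_line(line)
        if parsed is None:
            continue
        flags, path = parsed
        p = PureWindowsPath(path)
        # PureWindowsPath compares case-insensitively, like the file system does.
        if {"S", "H", "R"} <= flags and p.parent == wanted_dir and p.suffix.lower() == suffix:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path in hidden_system_readonly(SAMPLE):
        print(path)
```

Legitimate Windows files can carry the same three attributes, so the result is only a shortlist to match against the names the spyware scanner reported, as the guide's confirmation step does.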
 
Dell19 said:
Microsoft exploiting their own browser?
Who would know the security loopholes better?
 
@MarineCorps: first of all - Kazaa comes with a lot of nastiness. I see you also have "lycos sidesearch" - that's a result of similar nastiness.
In your tray to the right on your task bar - I see the "weathercast" from whenU - that's even nastier. 52 processes running - and only 1 application - ad-aware showing :eek: that should also be alarming.
Most of the times I use my computer, I seldom get over 35 processes running at once - and I know what each one does.

This little program does real time detection of spyware:
http://www.javacoolsoftware.com/spywareguard.html

Also: Remember to configure Ad-aware to do both a deepscan, and scan compressed archives!
 
Paalikles said:
Also: Remember to configure Ad-aware to do both a deepscan, and scan compressed archives!

Be careful if you use Spybot when considering scanning compressed archives with Adaware.
 
Based on screenshots here and my 2 machines I see that we have 2 Win XP and my 2 Win2000 systems affected. Please make sure after running Adaware & Spybot cleanup that you go to Microsoft and update your Windows or just use the "Windows Update" choice from the Start button.

There are too many known flaws and exploits within both IE and the Win O/S. A lot of these are specific to XP & W2k. I know W2K is at Service Pack 4 with a ton of other security updates.
 
Yeah, lycos sidesearch makes me puke when I see it on the desktop because I know something bad is on.

By the way, Spybot was unable to get rid of the DSO Exploit. It fixes it, and then when I scan again, it finds it again.
 
Civrules said:
By the way, Spybot was unable to get rid of the DSO Exploit. It fixes it, and then when I scan again, it finds it again.

I removed it by running Adaware first then Spybot. Try that.
 