jhaley
2004-04-19, 10:28
Ok... I'm rarely this stupid
I downloaded the latest Divx codec (so I could watch the first 3 seasons of South Park I had just downloaded) and installed it without issue.
I actually did read about the fact that the latest 5.11 "Pro" version (used for encoding and decoding) of the Divx codec had spyware contained in it... however there was NO mention of spyware being contained within the non-pro version (used for decoding only).
:mad: Damn!
Sure enough, shortly thereafter, I noticed something a bit odd.... Google searches were returning the first page of results as non-relevant links... almost identical to the sponsored link results except these new results were always very similar, regardless of what I was searching for, and these results referenced links for other search engines. Knowing that google wouldn't be quite THAT stupid, I figured there must be some spyware on the system. When I clicked on the second page of results, they all looked like normal results... and I noticed something VERY odd... according to the gooooogle page navigator at the bottom of the page, I was viewing the FIRST page of results. Additionally, I noticed an unusual spike in internet traffic and a noticeable slowdown of the system performance. After closing everything down and uninstalling SEVERAL different spyware programs which had graciously installed themselves using the Windows Add/Remove programs option, I proceeded to clear the browser cache (manually), delete all temp files, then scan using "spybot - search and destroy" and adaware 6.
Sure enough, there were bucketloads of spyware found (over 100 individual components). I scan for spyware daily... so all of this crap came from this one program. After deleting the items, I did a boot scan for spyware using spybot to ensure that nothing remained. After removing the final pieces of spyware from my computer, I gave a sigh of relief... no problems removing everything... only took 30 minutes... no problem... time to do another google search...
DAMN! Same problem! :banghead:
At this point, I'm thinking I've overlooked something. :confused: I know some spyware is a bit of a nightmare to remove.. but I'm sure I've run the normal routine that should get rid of everything:
clear cache
clear temp files
check the add/remove programs section
run adaware
run spybot
reboot and run spybot in boot mode
Next, I ran a manual anti-virus scan just to make sure (after I manually updated my virus definitions)... no signs of a virus.
Tried google again... same problem... and now I'm getting pop-ups even with the google pop-up blocker turned on... DAMMIT... THIS SUCKS!
After checking the usual resources online, I found no reference to this type of spyware/malware. (In hindsight, I'm sure there was probably a result that could have helped... but not knowing the type of spyware you are dealing with, coupled with the number of generic results from online search makes finding helpful information virtually impossible.)
Ok, I'm a computer geek by trade... time to think outside of the box...
I uninstalled the google toolbar.. no difference... except now I get even more pop-ups. DAMN DAMN DAMN!!! :boom:
Next, I checked my "hosts file" in c:\windows\system32\drivers\etc\ . This file can override normal network addressing... essentially routing any specific networking request (including web requests) to another unrelated server. The "hosts" file is very devious since it routes these requests without the user even knowing it.. for example, you type in www.cnn.com and you end up in www.milf.com ... meanwhile the url in the browser window still shows www.cnn.com. As a side note, many child filtering programs utilize the "hosts" file to route kids away from nasty sites. Nothing out of the ordinary in the hosts file.
I decided to check the browser cache for a clue as to what is going on. Since I had recently cleared the files and had only tried to use google once since then, it was reasonably easy to navigate the list of files. After eliminating the items originating from the actual google domain, I viewed the html source of some of the odd looking html and script files remaining in the IE temp file...AHA! a reference to "2020 Search"! Time to search online again.. this time using the terms "spyware", "2020" and "google".
SUCCESS! Links to a program called "Hijack This". This program checks a wide variety of points on a system where the problem can be hidden. I ran "Hijack This"... the results showed several entries with some of them looking a bit unusual... but after some careful checking, all but a couple were normal. I deleted the non-normal entries. (NOTE: "Hijack This" edits the registry... don't use unless you understand what you are doing)
Time to try google again... SON OF A #$&^&! :refilao: No luck!
But... also mentioned on a page referencing "Hijack This" was another program called "CWShredder". This is a highly specialized tool for removing a very specific type of spyware/malware: CoolWebSearch (and its various incarnations). After reading about the program, I ran CWShredder... which has two options: "Scan" or "Fix". Since the "Fix" option can do no harm to the system (and the "scan" option can overlook some variants), I ran the "Fix". Sure enough, it found a version of this nasty software called SearchX. It automatically removed it without fanfare. Back to google again... I entered a search term... and VOILA! A normal google result page! I tried again with a different search... WOOHOO... normal result!!!
After a quick reboot, final scan using spybot, adaware and CWShredder with nothing found, and a reinstall of the google search bar... I'm back to square one... except I now have to download an older version of the DIVX codec so I can watch the rest of the South Park episodes!
This whole process took 2.5 hours! This itself is significant. I am considered an expert on Windows Systems. I make my living as an I.T. consultant for small-medium sized companies, I specialize in Windows-based systems/networks, I have over 15 years of practical experience working with 32-bit Windows, I have had my MCSE for over 8 years, I understand the methodology of troubleshooting problems... and yet it took me over 2.5 hours to figure this out! I can only imagine how much this could screw up an "average user".
While SPAM might be a pain in the ass to most people, I think Spyware/Malware is a far worse problem. The average user won't notice many of the side effects of spyware... and even if they do, they are often ignored. I have seen reasonably powered systems slowed to a crawl from spyware clogging up the works. This slowdown is usually incremental and typical users would more often than not attribute the problem to other factors such as not enough memory or a slow connection to the internet.
Here is a great link which contains many of the best FREE spyware detection/removal utilities including Adaware and Spybot (as well as many other handy tools).
http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
Also, in case you are unfamiliar with the practice, search engine results for "Spybot" often include different programs called "Spybot". Some of these programs will actually load spyware onto your system!!!
The "real" homepage for Spybot: Search & Destroy is here:
http://www.safer-networking.org/
The real homepage for AdAware is here:
http://www.lavasoftusa.com/
Sorry for the length of this post... I just needed to vent a bit after this pain-in-the-ass ordeal. I hope someone finds this helpful when dealing with Spyware/Malware.
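The hosts-file check described in the post above (a name like www.cnn.com silently pointed at an unrelated server while the browser still shows www.cnn.com) is easy to automate. The script below is an added example and is not code from the original post or from any of the tools it mentions. It parses a hosts file, separates localhost and blocking-style entries (127.0.0.1 / 0.0.0.0, the kind child-filter software writes) from entries that send a name to some other address, and flags the latter when the name is on a watchlist of domains the machine should be resolving through public DNS. The sample hosts text, the watchlist, and the RFC 5737 documentation addresses in it are all constructed for the example.

```python
"""Audit a hosts file for entries that redirect well-known names to a
non-loopback address, while letting blocking-style entries through.
Added example; not from the original post or any tool it names."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file. Addresses come from the RFC 5737
# documentation range; nothing here is from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# filter-style block entry: points at the local machine, harmless
127.0.0.1       www.blocked-site.example
0.0.0.0         ads.example        # blocking entry with trailing comment
# LAN entry: legitimate internal name
192.168.1.10    fileserver
# hijack-style entries: well-known names sent to an unrelated host
203.0.113.45    www.google.com google.com
203.0.113.45    www.cnn.com
"""

# Domains the machine is expected to resolve via public DNS. Assumption:
# a practitioner tailors this list; it is not taken from the original post.
WATCHLIST = {"google.com", "cnn.com", "microsoft.com", "windowsupdate.com"}

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_no, ip, host) for every name in the file, skipping
    comments, blank lines and lines whose first field is not an IP."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignore
        for host in fields[1:]:                  # one line may list many names
            entries.append((n, fields[0], host.lower()))
    return entries


def _registrable(host: str) -> str:
    """Crude eTLD+1: last two labels ("www.google.com" -> "google.com").
    Good enough for a watchlist; not public-suffix aware."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Bucket entries:
      local    - loopback/unspecified address: localhost or a blocking entry
      override - any other address; normal for LAN names
      hijack   - override whose name is on the watchlist"""
    out: Dict[str, List[Entry]] = {"local": [], "override": [], "hijack": []}
    for entry in entries:
        _, ip, host = entry
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            out["local"].append(entry)
        elif _registrable(host) in WATCHLIST:
            out["hijack"].append(entry)
        else:
            out["override"].append(entry)
    return out


def audit(text: str) -> List[str]:
    """Human-readable findings for the hijack bucket only."""
    buckets = classify(parse_hosts(text))
    return [f"line {n}: {host} -> {ip} (expected public DNS resolution)"
            for n, ip, host in buckets["hijack"]]


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS) or ["no hijack-style entries found"]:
        print(finding)
```

To run it against a live machine, read C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and pass the contents to audit(). Keep the post's outcome in mind as a caveat: the hosts file there was clean and the redirect lived in a browser-side component that CWShredder eventually removed, so an empty finding list from this check rules out one mechanism, not the infection.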