OT- windows taskbar spyware announcement



Chuck_Older
01-21-2006, 07:18 AM
First off, I use anti-spyware every week

Even as I type this (it's hovering between annoying and funny), every minute on the minute, I get a pop-up message (doesn't rely on my being online or not) from my taskbar telling me my PC is infected with spyware. Well, I of course ignored its "Click here to protect your PC" message and ran my own spyware removal tools.

Well, the spyware my programs can detect (two of them, adaware and spybotS+D) is gone. However, the message still comes up

I can turn it off in task manager.

here's the thing:

the icon on my taskbar looks legit (yeah I know that can be faked), and the message says that 'windows will now download software for you' and 'click here to protect your PC'

there's nothing to click, and I'm not downloading anything

This actually seems like a M$ message, because it doesn't do anything! It seems to be running from my (factory-equipped) scheduler daemon.exe file

Anybody familiar with this aspect of windows (if this really is windows?)

I am yes, going to buy even more anti-spyware software today

I mean, I can kill this thing within a minute by just shutting it off in taskmanager, but it's getting annoying

F19_Olli72
01-21-2006, 07:28 AM
If you dont find anything i can recommend this place: http://castlecops.com/forums.html.

jds1978
01-21-2006, 07:43 AM
sorry Chuck, no help here.
D@mn that sounds obnoxious. Although I'm nonviolent, in my darkest fantasy I'd love to play a little "Fists of Fury" on the people who create and distribute this type of thing. They are complete losers.

Zeus-cat
01-21-2006, 07:59 AM
I feel for you Chuck_Older. I got hit with 14,235 e-mails at work Wednesday after someone hacked my company's website. Of course I got to sit around for two hours and get paid for it, so it's not quite the same thing as my home PC getting hit.

They ought to hang people by the ***** who do this kind of stuff.

WWSensei
01-21-2006, 08:03 AM
That isn't windows. You've already been infected. Oddly enough, Microsoft's spyware program is pretty decent and has found/repaired things other spyware programs didn't (and vice-versa). Best of all it is currently free so no harm in trying it.

Chuck_Older
01-21-2006, 08:07 AM
Thanks!

The last time I waded through MS's website it was hard to find anything...anybody have a bookmark for MS's spyware software handy, to turn into a link for me?

PS

yes I'm lazy

jetsetsam
01-21-2006, 08:10 AM
try using hitman pro from here:

http://www.techspot.com/downloads/1278-hitman-pro.html

It's about 10 antispyware tools rolled into one process. It takes a while though.

jetsetsam
01-21-2006, 08:14 AM
and there is a relatively new type of spyware that is some kind of rootkit approach.

Use Blacklight beta from here to check. It's quick and safe. I've used it a number of times.

http://www.f-secure.com/blacklight/

triad773
01-21-2006, 08:21 AM
Hi Chuck_Older- that stinks, putting it nicely. Had a neighbor whose PC I fixed that had a ton of that junk on it. Some adware programs seem to evade the usual measures. So if those other methods don't work (and I realize you may already know to do this but it bears mentioning), eliminate the processes in the task manager, making note of the names of the processes. At the first indication that the offending process has ceased, do a search for it on your hard drive. Delete the little sucker and reboot. See if that fixed it. Of course have your Windows disk ready in case anything goes wrong, and always back up.

It worked for me, but then I'm probably a bit daft at least.

Best of luck-

Triad

sparty7200
01-21-2006, 08:31 AM
Hi Chuck..had a similar prob myself...got the warning pop up every min or so then a direction to a site to clean it......had to reformat to get rid of it ...luckily it just came back from the shop and was clean except for a few bits!....no great loss but what a pain!!!...hope yours ain't same as mine!!


Regards as ever m8

Sparty

jetsetsam
01-21-2006, 08:51 AM
If you are going to start tinkering with your processes, here's a very handy utility from a reliable website that will give you lots more info about your processes than you'll get from Task Manager:

http://www.sysinternals.com/Utilities/ProcessExplorer.html

jetsetsam
01-21-2006, 08:54 AM
Run your antispyware in safe mode as well as regular mode. You'll find some there too.

x6BL_Brando
01-21-2006, 08:57 AM
Chuck,

Try running Hijack This http://www.spywareinfo.com/~merijn/downloads.html

The Startuplist.exe @ the bottom of the page is very useful for nailing down the whereabouts of this and other little beasts.

B.

tomtheyak
01-21-2006, 09:15 AM
Chuck, I had the very same thing a coupla weeks back - nearly drove me to a reformat (one week after having just done one - arrgh!).

Go here:
http://www.bleepingcomputer.com/forums/topic36868.html

Even if it isn't Spyaxe, it covers a few variants that also behave exactly the way you describe.

Weather_Man
01-21-2006, 09:26 AM
I had to remove something similar from a client's PC last week. It's a real bugger to get rid of.

MS anti-spyware seemed to do the best job. Spybot would not remove it and Adaware would not detect it.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Along with that, there is a host of other steps necessary to completely rid yourself of it. This thing had a nasty habit of reinstalling itself. Mostly work in Safe Mode to prevent that. Get as much info as you can on the web about the removal process. You'll need to empty all your temp folders, prefetch, delete the registry components and .dlls, if any remain. You must know what you are doing when working with system files.

In retrospect, it would have been faster and easier and far less stressful to format and reinstall Windows.
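The removal steps above (and the "scheduler" process, the reinstalling temp-folder binary and the every-minute pop-up mentioned elsewhere in the thread) all come down to one question: what is configured to start automatically on this box, and does each of those binaries deserve to be there? The script below is an added example written for this page, not something posted in the thread and not a Microsoft tool. It walks the common autostart locations (Run/RunOnce keys, scheduled tasks, Startup folders) and flags entries that are unsigned, missing, launched from a user-writable directory, or scheduled to repeat every minute. It assumes Windows PowerShell 3.0 or later, an elevated prompt (so HKLM and all-users tasks are readable), and English-language `schtasks` column headers; the "suspicious" heuristics are mine, not the page's.

```powershell
# Added example: enumerate Windows autostart locations and flag entries worth a second look.
# Assumptions: Windows PowerShell 3+, elevated prompt, English schtasks headers.

# Registry autostart keys (per-user and machine-wide).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories malware likes to run from; legitimate autostart binaries rarely live here.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Properties Get-ItemProperty adds that are not real Run entries.
$PsMetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath([string]$CommandLine) {
    # Reduce  "C:\dir\app.exe" /quiet  or  C:\dir\app.exe -x  to the executable path (heuristic).
    if ($CommandLine -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Test-Suspicious([string]$Exe) {
    # Returns a reason string, or $null if nothing stands out.
    if (-not (Test-Path -LiteralPath $Exe)) { return 'binary not found on disk' }
    foreach ($dir in $UserWritable) {
        if ($Exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return "runs from user-writable directory $dir"
        }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Exe
    if ($sig.Status -ne 'Valid') { return "Authenticode status: $($sig.Status)" }
    return $null
}

function Get-AutostartFindings {
    # 1. Run / RunOnce registry values
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsMetaProps -contains $p.Name) { continue }
            $exe = Get-ExePath ([string]$p.Value)
            $why = Test-Suspicious $exe
            if ($why) { [pscustomobject]@{ Source = $key; Name = $p.Name; Path = $exe; Reason = $why } }
        }
    }

    # 2. Scheduled tasks. schtasks.exe exists on XP and later (Get-ScheduledTask does not).
    #    /v repeats the header line per task folder, so drop rows whose TaskName is the header.
    $tasks = schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A' }
    foreach ($t in $tasks) {
        $exe = Get-ExePath $t.'Task To Run'
        $reasons = @()
        $why = Test-Suspicious $exe
        if ($why) { $reasons += $why }
        # Format assumed to be "0 Hour(s), 1 Minute(s)"; a one-minute repeat matches the symptom in the thread.
        if ($t.'Repeat: Every' -match '^0 Hour\(s\), 1 Minute\(s\)$') { $reasons += 'repeats every minute' }
        if ($reasons) { [pscustomobject]@{ Source = 'schtasks'; Name = $t.TaskName; Path = $exe; Reason = ($reasons -join '; ') } }
    }

    # 3. Startup folders (current user and all users). Anything here is reported; review it by hand.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = "StartupFolder:$folder"; Name = $_.Name; Path = $_.FullName; Reason = 'present in startup folder' }
        }
    }
}

Get-AutostartFindings | Format-Table -AutoSize
```

Run it from Safe Mode as well as a normal boot, as suggested above: a dropper that re-creates its Run value on every IE start will show up in the first list, and a task firing every minute accounts for a pop-up that appears "every minute on the minute" whether or not the machine is online. Note the path of each flagged entry before killing the process, so the binary can be found and removed after the process is gone.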

Dew-Claw
01-21-2006, 12:33 PM
Originally posted by tomtheyak:
Chuck, I had the very same thing a coupla weeks back - nearly drove me to a reformat (one week after having just done one - arrgh!).

Go here:
http://www.bleepingcomputer.com/forums/topic36868.html

Even if it isn't Spyaxe, it covers a few variants that also behave exactly the way you describe.

bleepingcomputer.com is a great site...
I found out how to remove a nasty piece of spyware on my niece's laptop.
Left by a spyware removal tool.
not all of those anti-spyware tools are what they say they are.
Stay Far far away from Spy Sheriff

Freelancer-1
01-21-2006, 01:44 PM
I didn't see this mentioned.

With a lot of spyware, one of the problems is that it will be removed okay. But then on restart will reinstall from system restore.

I personally recommend permanently disabling System Restore, but if you feel safer keeping it, then just disable it long enough to be sure the offending app has been deleted.

Good luck,

Kuna15
01-21-2006, 03:19 PM
Originally posted by Chuck_Older:
First off, I use anti-spyware every week

Even as I type this (it's hovering between annoying and funny), every minute on the minute, I get a pop-up message (doesn't rely on my being online or not) from my taskbar telling me my PC is infected with spyware. Well, I of course ignored its "Click here to protect your PC" message and ran my own spyware removal tools.

Well, the spyware my programs can detect (two of them, adaware and spybotS+D) is gone. However, the message still comes up

I can turn it off in task manager.

here's the thing:

the icon on my taskbar looks legit (yeah I know that can be faked), and the message says that 'windows will now download software for you' and 'click here to protect your PC'

there's nothing to click, and I'm not downloading anything

This actually seems like a M$ message, because it doesn't do anything! It seems to be running from my (factory-equipped) scheduler daemon.exe file

Anybody familiar with this aspect of windows (if this really is windows?)

I am yes, going to buy even more anti-spyware software today

I mean, I can kill this thing within a minute by just shutting it off in taskmanager, but it's getting annoying

I had the same message and it somehow bypassed my antivirus and infected some crucial files so my Windows XP couldn't start anymore (Windows Explorer won't start). That is some kind of worm (don't remember the name).

However I managed to save my files from the C: disk through Windows Task Manager (CTRL+ALT+DEL). Then reinstalled Windows XP.

Get some good sweeping cleaning tool - antivirus/antispyware ASAP.

triad773
01-21-2006, 03:37 PM
Yes Chuck- it would seem after subsequent posts it may be easier to just redo your drive and spend the time needed to reinstall everything back to the way you want it.

If you can back up all your docs (and IL-2 skins, missions, etc.), address book, messages and bookmarks, you could try deleting the offending executable from both main and restore drives possibly, but if that fails then you are stuck with having to reformat and such anyway. Either way not so fun I know.

Wish you the best-

Triad

-HH-Quazi
01-21-2006, 04:01 PM
If you are not using Mozilla's Firefox browser to replace IE, then it would behoove you to do so. Since I started using Firefox and a freebie protection program called WinPatrol at www.winpatrol.com I haven't gotten even one single hit of anything. Which is bassackwards of what I was getting while using IE and running Adaware, Spysweeper, E-Pest Patrol, Counter Spy, all actively in my taskbar while surfing the net. Something would always get through every day.

Now, I run those programs to scan my rig once a week and they have yet to detect anything but the cookies I have allowed.

Firefox is the way to surf the net and prevent this type of junk from infecting your rig.

triad773
01-21-2006, 04:16 PM
That worked for me working on the neighbors' rig to replace IE with Firefox. There was something in the temp folder that tried to reinstall itself when IE started. This made it pesky to eliminate: shutting it down in Process Manager got rid of the problem, then delete the contents of the temp folder, and don't use IE, since the sucker tried to reinstall when IE started (they had to use that browser to access some sites for some reason). Told them they'd be better off reformatting some time. Maybe reinstalling IE might work, but the cr@p might follow: don't know, I didn't try that. May require too much Windows reinstall since it is so integral to the OS.

They still hadn't and have the same issue on their machine though they say they don't use IE, and they will have to reformat eventually.

Hope that isn't too much info:

Triad

VW-IceFire
01-21-2006, 04:33 PM
Originally posted by -HH-Quazi:
If you are not using Mozilla's Firefox browser to replace IE, then it would behoove you to do so. Since I started using Firefox and a freebie protection program called WinPatrol at www.winpatrol.com I haven't gotten even one single hit of anything. Which is bassackwards of what I was getting while using IE and running Adaware, Spysweeper, E-Pest Patrol, Counter Spy, all actively in my taskbar while surfing the net. Something would always get through every day.

Now, I run those programs to scan my rig once a week and they have yet to detect anything but the cookies I have allowed.

Firefox is the way to surf the net and prevent this type of junk from infecting your rig.
Just to add...both Firefox 1.5 and Opera 8.5 are excellent products that you can use as alternatives to Internet Explorer. Until IE7 comes out, nobody should be using IE at ALL. It's far too dangerous and exposes your OS to direct attack.

Even if Opera or Firefox has a security hole...it cannot directly influence your OS. That's because they aren't built into it...like IE is.

snafu73
01-21-2006, 05:48 PM
Chuck, before doing anything drastic - download the trial version of AVG (http://www.grisoft.com/doc/1) and do a scan.

And after that, if you have a registry restore point saved in something like Spyware blaster or Spybot, go back to that.

I managed to contract Spyaxe, and Norton never got a sniff of it. I'll almost be relieved when my Norton subscription is up, I'm sick of it. It seems to take over your PC and act like a virus in the act of protecting you from viruses. I'll be going over to AVG for good!


Grue_
01-21-2006, 05:59 PM
Sounds like Spyaxe to me.

A real ***** to get off. They even have a fake web site to make it look like a genuine product.

http://www.spyaxe.com/

Do not download this product! It is spyware like a lot of 'spyware removal tools'.

Google has a about a thousand methods of removing this piece of cr*p.

Edit: disabled link.. if you must risk a look, use copy/paste

triad773
01-21-2006, 06:08 PM
I've had AVG Anti Virus (the free version) since my free Norton gave out in December 1998 and it's saved my butt many a time- and no stupid subscription to renew. By all means what the gentleman said before try anything before a reformat. But remember to calculate how much trouble you are willing to go through before you bite the bullet and reformat.

Again best of luck-

Triad

Capt.England
01-22-2006, 05:43 AM
Another good Anti-Virus which is free for personal use is called Anti-Vir. This will even scan downloads for you, but if it's zipped/RARed too much, it can't clean. At least it tells you that the file is infected, so just delete the file before you install it.

Just google `Antivir` to find the download (I think I found it on Cnet)

Zatochi2005
01-22-2006, 07:58 AM
Originally posted by Chuck_Older:
First off, I use anti-spyware every week

Even as I type this (it's hovering between annoying and funny), every minute on the minute, I get a pop-up message (doesn't rely on my being online or not) from my taskbar telling me my PC is infected with spyware. Well, I of course ignored its "Click here to protect your PC" message and ran my own spyware removal tools.

Well, the spyware my programs can detect (two of them, adaware and spybotS+D) is gone. However, the message still comes up

I can turn it off in task manager.

here's the thing:

the icon on my taskbar looks legit (yeah I know that can be faked), and the message says that 'windows will now download software for you' and 'click here to protect your PC'

there's nothing to click, and I'm not downloading anything

This actually seems like a M$ message, because it doesn't do anything! It seems to be running from my (factory-equipped) scheduler daemon.exe file

Anybody familiar with this aspect of windows (if this really is windows?)

I am yes, going to buy even more anti-spyware software today

I mean, I can kill this thing within a minute by just shutting it off in taskmanager, but it's getting annoying

Here are step by step instructions on cleaning up your computer...

http://www.dslreports.com/faq/13616

Also I highly recommend this program as it will stop spyware from infecting your computer...This must be installed on a clean computer as it only scans incoming files.

http://www.nsclean.com/boclean.html

Hope this helps...

tagTaken2
01-22-2006, 05:43 PM
Linux, anyone?

If it's necessary to do your surfing with windows, instead of spending money on antispyware, I'd recommend Norton ghost. Keep your files on a separate partition, and just replace the windows image once a week. Takes me about 10 minutes.

-HH-Quazi
01-22-2006, 06:13 PM
Yea. I am going to install Linux Kubuntu on my Dell just for a bit of experimentation. I downloaded their "Live" CD to try to check it out before installing it on the HD, but I couldn't get the computer to boot from the "Live" CD. So I will install it to HD and use it for a bit.

triad773
01-22-2006, 06:25 PM
Hey Quazi- let me know what you find about Linux. My last install was Mandrake 2.0. Would love to know if the interface has progressed, or their implementation of "WINE" has gotten any better.

Thanks-

Triad

tagTaken2
01-22-2006, 07:43 PM
Originally posted by triad773:
Would love to know if the interface has progressed, or their implementation of "WINE" has gotten any better.

Thanks-

Triad

(sigh...)

If FB could run under wine, the xp disc would be joining my ever-growing coaster collection.


triad773
01-22-2006, 07:57 PM
LOL! (For anyone unfamiliar) WINE stands for Windows Implementation something or another... it is an emulator for Windows programs like what 'Lindows' claims to use.

Yes methinks a WinXP CD would be a perfect coaster for a yummy cabernet!


Triad

wayno7777
01-22-2006, 08:52 PM
Originally posted by Capt.England:
Another good Anti-Virus which is free for personal use is called Anti-Vir. This will even scan downloads for you, but if it's zipped/RARed too much, it can't clean. At least it tells you that the file is infected, so just delete the file before you install it.

Just google `Antivir` to find the download (I think I found it on Cnet)

That's one I've been using for about 3 years now. What Capt. England says. Also C_O, here's a really good news letter to read: http://www.langa.com/
I've found the solutions to many problems here....

jarink
01-22-2006, 09:16 PM
Several tips for extreme safe surfing:

1) MS had a TechNet article about using "Run As" to safely browse using IE. It involved some hoop-jumping but is very "tight". Unfortunately, I can't find the article, but I know I have a copy at work. I'll post it tomorrow.

2) Use a virtual machine for browsing. If you don't have access to (a licensed copy of) VMware or MS Virtual PC, try VMware Player (http://www.vmware.com/products/player/). It is a recently released free version of VMware Workstation (main restriction is you can't create new VMs) that can run VMs from VMware and MS VPC. They have several pre-configured VMs, including a stripped-down version of Ubuntu made with browsing in mind (the "Browser Appliance"). Please note, installing VMware Player will add several background processes to your PC whether you're running a VM or not.
The main advantage of this solution is that you can run it from your normal Windows desktop with no reboots.

3) Get a copy of one of the "Live" versions of Linux (Knoppix is one of the more highly regarded ones). A "Live" version is one that is typically run from a bootable CD, therefore does not need to touch anything on your hard drive.

As for me, I browse in peace and harmony using Firefox 1.5 and AVG from behind two firewalls (on my router and the one built into my nForce4 motherboard).


WINE stands for Windows Implementation something or another... it is an emulator for Windows programs like what 'Lindows' claims to use.

WINE = Wine Is Not an Emulator.

Enforcer572005
01-22-2006, 10:08 PM
OK, since none of this shoots, flies, takes photos, or can kill evildoers, it's a bit over my head (I'd mention chicks, but NOBODY understands those). Before I do something stooopid.....

I just got DSL from S. Bell (and the modem went out after a day-new one here Monday), and I was using it on an older computer to protect this one, but I can't get my CD writer to work on it anymore, and it will do no good to download files if I can't transfer them to this newer one. SO.....

I use the free AVG, and it has in the past detected stuff and even eliminated it from my older computer, returning efficiency and speed. It scans my computers every morning, and I keep updated. Would it be better to purchase the AVG firewall, or the So. Bell version, which costs about $3 a month? Sometimes I wonder if this thing has something, as every now and then it wants to choke a bit more than it used to...I figured it was from all the programs etc. I have on here, and isn't much of a problem...sims work great etc.

I didn't want to expose my new comp to the net, but I really have no choice it seems. I'm wondering if AVG virus protection and So. Bell firewall is a correct step, or is that daft? I know that two virus protection thingys can conflict, as I had to shut down Zone Alarm on my old computer to even get to any site at all.
I thought that 2 firewalls would conflict, but I see mention of using 2 above. Should I use the MS solution AND the So. Bell offering, or just go with one?

And since so much stuff seems to use Windows Explorer, won't switching to another mechanism (pardon my terminology or lack of it) cause some problems along that line? I'm wary of trying too much stuff I see on here as I've had bad experiences in the past.

I've used computers for over a decade now, so I should know all this, but it just keeps getting ahead of me. I was born when Ike was president and the F-100 was in production, so......

Tully__
01-22-2006, 11:50 PM
I thought that 2 firewalls would conflict, but I see mention of using 2 above.
Two software firewalls running on the same machine will conflict. The mention of two firewalls above is a reference to the hardware firewall built into the poster's router and the hardware firewall built into his motherboard. Both do their checks independently of each other and before the traffic arrives at or after it leaves the software environment. If that poster wished he could add a software firewall as well and still have no conflicts, for a total of 3 security checks before incoming traffic is allowed access to the operating system and before the AV software even gets a look at it.

CaptAce
01-23-2006, 12:49 AM
I had this happen to me awhile back. It's not spyware that's making that message, but rather a virus. Spyware programs will not catch it. Use an anti-virus program such as AVG or Norton to find and delete the program that is doing it (I used AVG). There's also some free anti-virus programs around, but I'm not sure how effective they are.

Capt.LoneRanger
01-23-2006, 01:18 AM
A little comment on firefox and IE:

Firefox WAS a good alternative, as long as it wasn't used by so many as standard browser.

During the last year, the tide has changed against Firefox. IE had 7 critical issues, Firefox had 19 during the same time.

Don't get me wrong, I still use Firefox, because it has some nice features IE has not. But calling it the safer alternative is simply no longer true.

Swivet
01-23-2006, 03:20 AM
When in doubt, reformat

Noooooooo...not the "R" word!!

-HH-Quazi
01-23-2006, 03:54 AM
I have been measuring the use of Firefox vs. IE this way. When I use IE and 4 active anti-spyware scanners, which use a lot of my resources, I get BS daily. When I use Firefox and one program that takes 3Mb memory to run actively, WinPatrol, I get nada, nothing, zilch and only check once a week using 5 different anti-spyware programs.

I am sure since Firefox is growing in popularity it is becoming more vulnerable to attacks, but as long as the above continues to be the case, I will keep IE under wraps.

jarink
01-23-2006, 07:54 AM
Ah, ye olde "Security through obscurity".

It might seem to work out that way, but just because one browser is more or less popular than others is immaterial if you are truly concerned about security. Firefox has two big advantages over IE when it comes to security:
1) It is not integrated into the shell (Windows Explorer, Help, etc.)
2) It does not support ActiveX controls, which are by far the most common vector used for "drive-by installs" of spyware. Granted, this also means Firefox will not work for some web sites, but hey, it's not like you can get rid of IE anyhow.

Whatever browser you use, it is always safer to use a non-administrator account when connecting to the internet. 'Limited' or 'User' accounts are not normally able to install software (including spyware and trojan horses) and have read-only access to system folders and files. This safety comes with complications as a great deal of software still requires admin privileges to run (mainly for backwards compatibility with Win9x).

I posted earlier about a TechNet article about running IE using "Run As". I can't find the paper here at work (naturally), but here are a couple of links about using non-admin accounts:
Applying the Principle of Least Privilege to User Accounts on Windows XP (http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx)
Aaron Margosis' Non-admin Weblog (http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx) (He is a writer for MS TechNet)

By the way, for those that need it for computer support or 'cause you're paranoid, there is a portable version of Firefox that can be run completely from a USB drive ("It will also work from a CDRW drive (in packet mode), ZIP drives, external hard drives, some MP3 players, flash RAM cards and more"), leaving no cache or history on the PC. Great for use on public computers.
Portable Firefox (http://portablefirefox.mozdev.org/)
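The "Run As" approach the post above refers to can be scripted. The block below is an added example for this page, not the TechNet article mentioned and not code from any of the posters: it checks whether the current logon token carries the Administrators group and, if it does, launches the browser through `runas.exe /trustlevel:0x20000`, the "Basic User" SAFER level, so the browser (and anything a drive-by install drops from it) runs without administrative rights even when the logged-on user is an administrator. It assumes Windows PowerShell, that `runas /showtrustlevels` on your system lists 0x20000 (it does on Windows XP and later), and that the Firefox path and URL at the bottom are placeholders you replace with your own.

```powershell
# Added example: start the browser with a non-administrator token even from an admin logon.
# Assumptions: Windows PowerShell; runas.exe supports /trustlevel:0x20000 (check with
# "runas /showtrustlevels"); browser path and URL below are placeholders.

function Test-IsAdmin {
    # True if the current process token is a member of the local Administrators group.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-BrowserLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string]$BrowserPath,
        [string]$Url = 'about:blank'
    )
    if (-not (Test-Path -LiteralPath $BrowserPath)) {
        throw "Browser not found: $BrowserPath"
    }

    if (Test-IsAdmin) {
        # 0x20000 = "Basic User": the child gets a token with the Administrators SID
        # disabled, so a browser exploit cannot write to Program Files, system32 or HKLM.
        # runas takes the whole program command line as ONE argument and wants the
        # inner quotes around the path escaped as \" (see "runas /?").
        $inner = '\"' + $BrowserPath + '\" ' + $Url
        Start-Process -FilePath 'runas.exe' -ArgumentList "/trustlevel:0x20000 `"$inner`""
    }
    else {
        # Already a limited user: nothing to drop, start it normally.
        Start-Process -FilePath $BrowserPath -ArgumentList $Url
    }
}

# Placeholder usage; adjust the path for your install.
Start-BrowserLeastPrivilege -BrowserPath 'C:\Program Files\Mozilla Firefox\firefox.exe' -Url 'https://www.mozilla.org/'
```

The check the thread is really after is simple: after launching, `whoami /groups` from inside a process started this way (or Process Explorer's Security tab on the browser process, as suggested earlier in the thread) should show the Administrators group marked as deny-only or absent. If it is not, the trust level was not applied and the browser is still running with full rights. The `Test-IsAdmin` function is also a quick way to confirm whether a day-to-day account really is a "Limited" account before trusting it for surfing.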

jimDG
01-23-2006, 08:36 AM
Big corporations tend to be (in general) a very inhospitable place for capable people/geeks/"I'll do it my way 'cause my way is better" people. So, 2 things happen.
1) Capable people get pissed off and deliberately write crappy code leaving security backdoors
2) Capable people find security flaws in the code written by the people who didn't quite care about doing their work properly, but tell no one (being pissed off with the organisation).
End) Capable people leave and share their knowledge of those flaws with the internet world a.k.a. the hacker world. Or exploit those themselves.

JG6_Oddball
01-23-2006, 09:42 AM
Originally posted by tagTaken2:
Linux, anyone?

If it's necessary to do your surfing with windows, instead of spending money on antispyware, I'd recommend Norton ghost. Keep your files on a separate partition, and just replace the windows image once a week. Takes me about 10 minutes.

ditto
I have not used virusware or spyware or had any problems in 2 years. linuxiso.org
Mandrake, SUSE, Gentoo...etc. It's free and you can dual boot: Windows=gaming, Linux=everything else.