View Full Version : Something's taken over my computer...again
Beerina
9th March 2007, 04:25 PM
The kids noticed "boobies" popping up today -- I hadn't been on the computer in a week.
I ran Adaware and it found some BHOs and deleted them, but it's back (or never went away) after the reboot.
I checked Microsoft Security Center (XP) Automatic Updates but it was turned off. Something keeps turning it back off! I turn it on, and sometimes it stays on, but sometimes not (same boot tonight).
There are no updates I'm missing -- I even installed WGA.
Worse, something is running on a regular basis, causing the window I'm working on (say, this very web form I'm typing in now) to lose focus for a fraction of a second every 30 seconds or so, so a character typed while the text window is briefly out of focus gets missed.
I have looked at the process list and pared away everything I can. When this happens, or another IExplorer window pops up with boobies, Internet Doctor, or one of several other spyware-removal-tool windows, again nothing new shows up in the process list.
Is this some brilliant new rootkit MS is incapable of handling? Anyone else having a problem the past few days or so? Any ideas? Adaware is helpless too.
gmanontario
9th March 2007, 04:35 PM
:(
Last time my youngest daughter did something like this, accidentally, while at a kids' gaming site, it took me 14 hours to get rid of all the spyware crap.
Start by running this: http://housecall.trendmicro.com/housecall/start_corp.asp It'll list (usually) all the bad files that are causing the crap to happen. It'll also attempt to remove them, and if it can't, then simply Google the file names to see if there is a special way, or possibly a tool, to get rid of them.
Also try running HijackThis (a free download) and post the result log here so people can examine what might be running in the background.
Secondly, get a third-party firewall and ditch the MS piece-o-garbage.
Third and most important, get Firefox and/or Opera to use as an alternate browser or even to replace IE.
One thing you might want to set up on your PC is McAfee's site advisor. It's free and warns like crazy when you attempt to navigate to an iffy site. So far it hasn't steered me wrong and it sits quietly in the background without using too much resource.
Good luck is all I can say.
webfusion
9th March 2007, 04:36 PM
Operating System?
There used to be a thing called System Configuration Utility
( msconfig ) in which a tab called Startup could be clicked, revealing a laundry list of stuff that was insidiously installed to run in the background. By just unchecking the checkboxes of various items that seemed out of place, I was able to kill some stuff that was wreaking havoc. (Win98)
This is where Registration Reminders and Auto-Updaters and other things lurk.
Anyone know how to view the "startup" section of msconfig utility (or its replacement) in XP?
a_unique_person
9th March 2007, 05:21 PM
Adaware seems to miss out a lot of spyware. Download and install Spybot Search & Destroy. I can guarantee it will come up with a few suspects that Adaware didn't.
Phillybee
9th March 2007, 06:19 PM
Anyone know how to view the "startup" section of msconfig utility (or its replacement) in XP?
It's still there, go to Start->Run and type 'msconfig'
ETA: this isn't a good way to find viruses/trojans/spyware. It will, however, show you programs that might eat up your RAM.
Beerina
9th March 2007, 06:27 PM
Ok, running the Trend Micro Housecall free check. I'm typing this from Mozilla Firefox 2.0.0.2, the latest one, which I just downloaded.
We shall see what happens. :(
It is Firefox that's the top contender now, right?
DangerousBeliefs
9th March 2007, 06:42 PM
Beerina,
I feel your pain.
I had something get on my computer a couple of months ago... and it hasn't been the same since.
It's a Dell and I should probably do a complete reinstall but I can't remember how to do it with newer Dells (I know it has a hidden partition with a clean install but can't remember the procedure).
Anyway, the crap you're describing can happen to even advanced users. The MS answer to this is Vista, which is already going through its own problems.
*sigh* Maybe those Mac commercials aren't as overhyped as they seem.
Phillybee
9th March 2007, 07:11 PM
When dealing with these types of issues, you might consider estimating the time it would take to "fix" your computer against the time it would take to rebuild the OS/programs/etc.
Almost invariably, I find that wiping the disk and reinstalling windows takes far less time than tracking down some persistent worm and fixing it. You have the added advantage of knowing that you killed the problem (unless it is a boot-resident issue).
You can probably burn your email and files to cd/dvd, and get back up and running in an hour.
Solus
9th March 2007, 07:13 PM
Reminds me of my dad's computer; the thing was so slow because of all the spyware and junk that accumulated on it over time. Catch it before it becomes a cancer, otherwise it becomes harder to clean up, hence my deliberate use of the word cancer.
I've become a bit better with this sort of thing after a virus was able to use the junk anti-virus program I had as a gate into my computer. It completely locked up my PC. I was able to fix it by bypassing normal Windows startup and directly deleting the offending files. Then I ran another virus check (different program); using that method I was able to clear the problem.
Good idea to format the hard drive as well. I keep a backup of my important files, on a DVD+RW and the stuff that I permanently need I place on DVDs. Easier that way for me at least. I don't backup very often but I don't have much that's important to begin with.
I'm more vigilant now I'm always looking at process explorer (not the same as task manager) to see what programs are running in the background. Furthermore, I check everything I download. You can never be 100% safe unless you stop using the internet to download anything. It's possible to diminish the risk though.
SezMe
9th March 2007, 07:18 PM
You can probably burn your email and files to cd/dvd, and get back up and running in an hour.
An hour! Wow! Maybe with no customization away from the install configuration. I heavily customize my GUI, program settings, toolbars, etc. When I rebuild, it takes days...and mucho suds.
DangerousBeliefs
9th March 2007, 07:22 PM
mucho suds.
And Excedrin Migraine.
Best advice is to set up an admin account and a user account... and always use the USER account (which doesn't have install privileges).
a_unique_person
9th March 2007, 08:26 PM
An hour! Wow! Maybe with no customization away from the install configuration. I heavily customize my GUI, program settings, toolbars, etc. When I rebuild, it takes days...and mucho suds.
If you have XP, it has a profile transfer utility that makes customisations a lot easier to backup and restore.
logical muse
9th March 2007, 09:04 PM
These boobies can be dangerous.
A teacher was convicted for "showing porn" to the kids in her class. She claims it was the spyware/adware. She's facing 40 years incarceration.
http://julieamer.blogspot.com/
http://en.wikipedia.org/wiki/Julie_Amero
Irish Pete
10th March 2007, 01:06 AM
Couple of things might be useful to you: AVG Spyware and Antivirus are both available for download as free versions from the Grisoft website- you might have to hunt around for them- and seem to be better than Adaware at spotting spyware. It's worthwhile rebooting into safe mode and running them that way. I also use a free download called Codestuff Starter to manage what is allowed to start automatically at startup- a quick search with Google will lead you to a suitable download site. Other than that I would agree with using Firefox rather than IE- if only for the pop-up blocker.
Hope that's of some use to you.
Beerina
10th March 2007, 04:32 AM
Well, Firefox seems to leve a lot tobe desired. (A)s I t(p)y(e) thisvery sentence, a number of letters I ype re jumping AFTER the curser. I m leaving this sentence otherwise ualtred so you can see the irritation I' up against with the exception of restoring a few letters in parenthesis tomake it lgible. I presume this isn't Firefox's poblem, butI wouldn't be so sure.
Does Firefox have some poorly designed "intelligent spacing" utility that sucks donkey balls? How do I turn it off? Notepad doesn't have this problem, so either it is the virus attacking via Java (assuming that's what a Randi edit control uses) or it's browser specific.
I leave you with all the characters that occasionally appeared after the cursor and were pushed over to the right, gathered up like poop on a dog's butt: 'twb uii e tl rmenaat epA a
Beerina
10th March 2007, 04:41 AM
Housecall had run overnight (its time estimate leaves a lot to be desired, but at leat its free) -- hey, the s from "least" totally disappeared -- anyhoo, it found a bunch of stuff and deleted it. I rebooted (Windows had a security update to install on shutdown, even though going to their web site found no more updates whatsoever except a few non-security ones) and went into Firefox to start the scan again (I had tried running it a second time before shutdown, and it instantly told me it had scanned again and you were clean! Very fishy.)
Many times the space bar doesn't work and the cursor keys don't either. Gathered letters: a n,ybsa-pohuna ofr(rl
a_unique_person
10th March 2007, 05:14 AM
The spell checker in this seems to assume you have a reasonably powerful CPU that is not maxed out. When I use this on my old PII system, the lack of power gives similar symptoms.
I know there is one piece of spyware that was extremely difficult to remove, CoolWebSearch, that you have to use a specific tool to remove; I think it is on the same site as Housecall.
Often, though, once you remove all the spyware and viruses, if it's a really bad infection, windows is screwed, and you just have to reinstall anyway.
ShowMe
10th March 2007, 07:52 AM
I know there is one piece of spyware that was extremely difficult to remove, CoolWebSearch, that you have to use a specific tool to remove; I think it is on the same site as Housecall.
The tool is called CWShredder:
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
I would also recommend downloading a program called HijackThis and posting the log to a "HijackThis" forum. Folks in those forums are always very helpful.
Certainly run Spybot S&D. It's a nice little program, and running it along with Adaware definitely won't hurt.
RayG
10th March 2007, 12:38 PM
Cleaning up a contaminated system can be a daunting task, and reinstalling the operating system can be a pain. Either way you'll need to roll up your sleeves and 'git 'er done'.
No matter which road you choose to follow, here are a couple hints once you have a clean system again. I currently run four systems 24/7 (the newest is over a year old), all connected to the net, all accessible to children, and all systems have been spyware free from the time I set them up.
These hints/suggestions are only what I have personally done to my own systems to keep them spyware/virus free, but they should work for any system running WindowsXP Professional.
1. Go into your Control Panel and check Users to see if they are administrative or limited accounts. Simply put, a limited account is a computer account with reduced privileges. Surfing the net in a limited account means malicious software cannot install on your computer without permission. That's a good thing. By default, WindowsXP sets you up as an administrator. Surfing the net in an administrator account (the default setting) means malicious software like viruses, trojans, and spyware, if it gets past your anti-virus and anti-spyware software, can automatically install and make system-wide changes without any intervention on your part whatsoever. That's NOT a good thing.
eweek.com (http://www.eweek.com/article2/0,1759,1891447,00.asp) did a test with a fully patched WinXP system, surfing to questionable websites from a limited user account, and then again from the administrative account, to see what changes would be made to each account. These were the results:
Limited account - 0 total threats detected, 0 memory processes, 0 files, 0 registry keys
Admin account - 16 total threats detected, 20 memory processes, 400 files, 2,774 registry keys
One of the first things I do with a new computer is setup a limited account to be used by everyone for surfing the net, email, and chatting. In fact, the only reason I switch over to the administrative account is to install Windows updates.
Here's an excellent blog on the easiest way to run as a Limited User:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx
And here's more info on limited accounts in WindowsXP (also called Least Privileged User, Limited User Account, or NonAdmin accounts):
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx
http://nonadmin.editme.com/
http://security.utexas.edu/personal/windows/useraccount.html
http://www.windowsnetworking.com/j_helmig/wxphusrm.htm
http://www.castlecops.com/a6112-Windows_Security_Checklist_Part_28_Limited_User_Security_on_Windows_XP.html
Running in the limited account is not always a smooth ride. This link details some of the problems you may encounter, though personally I have not experienced anything close to that many.
http://www.pcmag.com/article2/0,1759,1683498,00.asp
2. If you are using Internet Explorer, don't. I have cleaned numerous systems infected with spyware/malware and in each case the client was using IE as their browser. I would suggest either Firefox (http://www.mozilla.com/en-US/firefox/), which is what I've been using, or Opera (http://www.opera.com/download/), another nice alternative to IE. I have never used IE, even back in my early days of surfing the net, and in the 10+ years I've been going online I've remained virtually problem free.
In any case, those two things should help prevent any further scumware infestations.
You're welcome. :D
RayG
bruto
10th March 2007, 07:08 PM
A lot of spyware propagates from hidden files that are not in the usual spots in the registry or startup files, and can be very hard to remove. I got a case of nasties on a Win XP laptop a couple of years ago from a site I thought was about "art" photography. I had stupidly turned off the firewall the day before while trying to get some other site that was being blocked, and forgot to turn it back on. Woo hoo, that was some startling art, and it put about 20 spyware stinkers on my computer in about 10 seconds! Neither Adaware nor Spybot caught them all. I then found a program called Pest Patrol. Pest Patrol is not freeware, but the part of the program that does the diagnosis is free. You have to pay for the part that actually cleans out the spyware. I'm a terrible cheapskate, so I saved the scanning log as a text file, printed it out, and manually cleaned it one file and directory key at a time. The amount of stuff, and the depth, was amazing. There were hidden files a half dozen directories deep in the most obscure locations in "documents and settings," folders you'd never even suspect existed, and little snippets of stuff in the registry that you'd never catch. No matter how carefully you clean out startup and run files, some of these things will replicate themselves the next time you boot, and you'll be right back where you started.
Anyway, I don't know whether Pest Patrol still works the way it used to, but it might be worth a try if others don't do the trick.
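Two of the suggestions above, ShowMe's "post your HijackThis log to a HijackThis forum" and bruto's point that the nasties live in obscure corners of "Documents and Settings" rather than in Program Files, can be combined into a quick pre-triage of the log before it is posted. The script below is an added example, not code from this thread or from HijackThis: it parses the O2 (Browser Helper Object) and O4 (registry Run key) lines of a log in HijackThis's format and ranks the entries whose file sits in a temp folder or directly in a user profile, or whose name imitates a Windows component while loading from outside WINDOWS or Program Files. The sample log is constructed; its CLSIDs and the files winupd.dll and wsu.exe are invented, while ctfmon.exe, msmsgs.exe and AcroIEHelper.dll are genuine components included as benign noise.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in HijackThis log format. The CLSIDs and the files
# winupd.dll and wsu.exe are invented for this example; ctfmon.exe, msmsgs.exe
# and AcroIEHelper.dll are real components included as benign noise.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-1111-2222-3333-555555555555} - C:\Documents and Settings\Owner\Application Data\winupd.dll
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Windows Security Updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\wsu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY_RE = re.compile(r"^(?P<tag>[RFNO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once|Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|pif))"?(?=\s|$)', re.IGNORECASE)
LEVELS = {"review": 0, "medium": 1, "high": 2}
USER_ROOTS = {"documents and settings", "docume~1"}                   # parent of every profile
PROFILE_ROOTS = USER_ROOTS | {"application data", "local settings"}   # the profile's own top level


@dataclass
class Entry:
    tag: str   # HijackThis section, e.g. O2 (BHO) or O4 (registry Run key)
    name: str  # display name or value name as HijackThis prints it
    path: str  # file the entry loads; empty for sections this script ignores
    raw: str   # original log line, so a finding can be quoted on the forum


def command_path(cmd):
    """First executable token of a Run-key command, with or without quotes."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.strip('"')


def parse(text):
    """Turn a HijackThis log into Entry objects; only O2 and O4 lines get a path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")
        if tag == "O2" and (b := BHO_RE.match(body)):
            entries.append(Entry(tag, b["name"], b["path"], line))
        elif tag == "O4" and (r := RUN_RE.match(body)):
            entries.append(Entry(tag, r["name"], command_path(r["cmd"]), line))
        else:
            entries.append(Entry(tag, "", "", line))
    return entries


def location_reasons(path):
    """Why the folder a startup item runs from looks wrong for installed software."""
    dirs = [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts[:-1]]
    reasons = []
    if "temp" in dirs or "tmp" in dirs:
        reasons.append(("high", "runs from a temporary folder"))
    if dirs and (dirs[-1] in PROFILE_ROOTS or (len(dirs) > 1 and dirs[-2] in USER_ROOTS)):
        reasons.append(("medium", "dropped straight into the user profile, not an installed program folder"))
    return reasons


def name_reasons(name, path):
    """A value name that sounds like Microsoft, loading a file from outside the OS folders."""
    dirs = {p.lower() for p in PureWindowsPath(path).parts[:-1]}
    sounds_official = any(w in name.lower() for w in ("windows", "microsoft", "update", "security"))
    if sounds_official and not dirs & {"windows", "winnt", "program files"}:
        return [("medium", "name imitates a Microsoft component but the file is outside WINDOWS or Program Files")]
    return []


def triage(text):
    """Rank O2/O4 entries worth asking about first; each finding is a dict, highest severity first."""
    findings = []
    for e in parse(text):
        if not e.path:
            continue
        reasons = location_reasons(e.path) + name_reasons(e.name, e.path)
        if e.tag == "O2" and e.name.lower() == "(no name)":
            # Legitimate BHOs often show "(no name)" too, so alone this is only "review".
            reasons.append(("review", "BHO has no display name; identify the CLSID before fixing it"))
        if reasons:
            severity = max((lvl for lvl, _ in reasons), key=LEVELS.__getitem__)
            findings.append({"severity": severity, "entry": e, "reasons": [why for _, why in reasons]})
    return sorted(findings, key=lambda f: -LEVELS[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['entry'].raw}")
        for why in f["reasons"]:
            print("   -", why)
```

Run against the sample it prints the wsu.exe Run entry as high (temp folder, plus a name that pretends to be a Windows updater) and the nameless BHO in the Application Data root as medium; ctfmon, Messenger and the Adobe helper are not listed. The ranking only says what to ask about first: a log with no findings is not a clean machine, and, as bruto describes, the registry entries HijackThis "fixes" come back on the next boot if the file they point to is still on disk, so deal with the file itself (from Safe Mode) and still post the complete log as ShowMe suggests.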
Rawkarma
11th March 2007, 07:31 AM
I use Uniblue's SpyEraser (http://www.liutilities.com/products/spyeraser/) and AVG Anti-Virus (http://www.grisoft.com/doc/1/0/0/0).
I also recommend AutoRuns, which I have linked to in this (http://forums.randi.org/showthread.php?p=2415570#post2415570) thread.
asmodean
11th March 2007, 10:00 AM
Adaware seems to miss out a lot of spyware. Download and install Spybot Search & Destroy. I can guarantee it will come up with a few suspects that Adaware didn't.
I'd install and run both on a regular basis. What one misses the other will catch, usually.
schplurg
15th March 2007, 01:05 AM
This page has excellent and extremely thorough instructions on how to clean and/or set up a well protected PC:
http://www.wilderssecurity.com/showthread.php?t=50662
Most, if not all of the programs listed, are free and have download links.
About 18 months ago I followed these instructions and I have had great success.
I also recommend using a hardware firewall (A Linksys router or other brand). Software firewalls like ZoneAlarm and Blackice are practically useless since they are easy for hackers to get around.
My PC has been clean ever since.
Blight
15th March 2007, 03:37 PM
Here's a tip for the future:
1. Install a new computer, configure it to your liking, and install all the Windows updates/firewall/etc. Make sure to split the drive so the boot partition where Windows is installed is not too big (10-20 GB at most).
2. Create an image of the entire boot drive (compressed, it should take about 3-4 GB and can be burned to 1-2 CDs).
Now, if something bad happens, you can restore your image and be back and running within an hour.
Pro7
16th March 2007, 12:20 AM
Avast antivirus seems to work well.
© 2001-2009, James Randi Educational Foundation. All Rights Reserved.
vBulletin® v3.7.5, Copyright ©2000-2010, Jelsoft Enterprises Ltd.