spyware creating hyperlinks in explorer

Charles L.

Hi there,

Has anyone run into the spyware that creates
hyperlinks in Explorer? Words such as "focus",
"software", "management", are converted to hyperlinks
and redirected to spiderpilot.com or other
unrelated places on the web (or into oblivion).

I downloaded MS AntiSpyware. Although it found
something, it cannot find the annoying spyware
that creates these hyperlinks.

BTW, how is Microsoft going to get their input
for upgrades of the definitions for AntiSpyware?
I bet more people are very annoyed at these
unwanted hyperlinks.

Charles
 
Andre Da Costa

Boot into Safe Mode (F8) at startup; empty your temporary files AND your
Temporary Internet Files folder (C:\Documents and Settings\Username\Local
Settings\Temporary Internet Files);

Run the scan while in Safe Mode;

If you are running SP2, open IE -> Tools -> Manage Add-ons, and uncheck any
BHOs that you don't recognize.
 
Bill Sanderson

They'll get input by your going to Tools, Suspected Spyware report, and
submitting a report, if this functions on your machine.

I believe I've heard of your critter before, but can't place it at the
moment. I suspect, however, that it is common enough to be identified by
the antivirus vendors whose products have expanded spyware coverage. Those
vendors are now including spyware detection in their online scans, although
not removal.

I would recommend that you try several things: 1) restart in safe mode and
do a full, deep scan with Microsoft Antispyware, and your antivirus, both
with current updates (file, check for updates in Microsoft Antispyware.)

If that doesn't make this go away, the next step depends on your level of
adventurousness.

Safest would be to go for an online scan--Symantec and Panda, I believe, are
including Spyware in their online scans:

http://security.symantec.com

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

See whether you can get a name out of that scan. If you can, googling on
that name and Symantec will usually yield manual removal instructions, and
sometimes an automated removal tool.

Let us know how you get along, whether you get stuck--or need further
instructions along the route. You may reach a point where there's nothing
simple and automated to do, and you need more direct, expert help. For
that, I'd recommend starting here:

http://www.aumha.org/a/quickfix.htm

and working through the process specified.
 
Charles L.

Thanks, Bill and Andre for the suggestions.

The "suspected spyware report" did not work,
and I have had no luck removing the spyware
yet, though.

In the message from Bill, the word "spyware" is
converted to a hyperlink, which, if I click
it sends me off to some #$&@$ website of
theshieldantivirus2005.com (or likewise
the word "share" on the main page of this
newsgroup sends me off to the,
no more fun, spiderpilot.com). Anyone seen this?

I tried booting in safemode, removing all
temporary files and temporary internet files,
cookies, and running a deep scan with
AntiSpyware (turned up nothing).

IT DID NOT HELP - these unwanted hyperlinks,
(which are not a part of the website sources)
are still created (WHAT AN ANNOYANCE).

I will continue to try various antivirus
software (I guess this will force me to try
to edit the registry - which does not really
seem to be a job for normal mortals),
and report possible progress.

MICROSOFT, PLEASE, this is really an annoyance -
PLEASE PUT SOME SMART GUYS TO WORK ON
figuring out a better way to
handle the internet interaction in
explorer, so that the browser cannot be
hijacked that easily (there seems to be
a ton of different ways your browser can
get hijacked, and I have had to edit
the registry in the past already - at that
time I found some instructions on trendmicro's
help pages).

Charles
 
Bill Sanderson

Charles - you can block things you cannot identify well--either in startup
items or Browser Helper Objects--using tools, advanced tools, system
explorers within Microsoft Antispyware.

This is a reversible operation, and far safer than editing the registry
directly.

I'd still recommend the online antivirus scanners I mentioned--in fact, let
me add one:

http://housecall.antivirus.com This is Trend Micro's scanner, and it is
newly expanded to cover spyware, and to do a check for critical Microsoft OS
updates. And, it will remove what it finds.

If it id's your bug, I'd like to hear what it is--and whether it can, in
fact, remove it.
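
The Browser Helper Object check suggested in the replies above (Manage Add-ons, or the system explorers in Microsoft Antispyware) can also be done by reading the registry without changing it. The following PowerShell inventory is an added example, not part of the original thread; it assumes a Windows machine with PowerShell available, and the function name Get-BhoInventory is made up for illustration.

```powershell
# Added example: read-only inventory of Browser Helper Objects (BHOs).
# BHOs are registered by CLSID under the Explorer key below; the DLL that
# Internet Explorer loads is the default value of CLSID\<id>\InprocServer32.
$views = @(
    @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit registry view on 64-bit Windows
    @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $entry.PSChildName
            $clsKey = Join-Path $view.Cls $clsid
            $name = $null; $dll = $null; $sig = $null
            if (Test-Path -LiteralPath $clsKey) {
                # Default value of the CLSID key is the component's display name
                $name   = (Get-Item -LiteralPath $clsKey).GetValue('')
                $inproc = Join-Path $clsKey 'InprocServer32'
                if (Test-Path -LiteralPath $inproc) {
                    $dll = (Get-Item -LiteralPath $inproc).GetValue('')
                }
            }
            # A BHO whose DLL is missing or unsigned deserves a closer look
            $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
            if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $dll }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll
                OnDisk    = $exists
                Signature = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Unsigned, missing, or unrecognized entries sort to the top for review.
Get-BhoInventory | Sort-Object OnDisk, Signature | Format-List
```

Entries that look unfamiliar here are the same ones to disable in Manage Add-ons or block in the Microsoft Antispyware system explorers, both of which are reversible.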
 
Charles L.

No luck so far with these unwanted hyperlinks.

I tried the on-line scan from trendmicro (it found
something, and corrected some of it). Oddly my
installed trendmicro version (with updated defs.)
found nothing on my system.

I also tried the symantec on-line scan. It found
around 12 spywares, but did not correct anything.
I removed all infected files it found, manually.

None of the above helped - still working on it.
If you have seen these annoying hyperlinks
let me know.

Charles
------------------------------------------
SYMANTEC:
C:\over.exe is infected with Adware.StatBlaster
C:\TVM_B5 Bundle 10.EXE is infected with Adware.MemoryMeter
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O5ERO5QJ\mtrslib2[2].js is infected with Adware.CDT
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CPINOLAV\prompt[1].htm is infected with Adware.Istbar
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABWD2F\tool[1].htm is infected with Adware.CDT
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABWD2F\tool[2].htm is infected with Adware.CDT
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9ABWD2F\tool[3].htm is infected with Adware.CDT
C:\Program Files\Aluria Software\ASE\Backup\15644199.ase is infected with Adware.Envolo
C:\Program Files\Aluria Software\ASE\Backup\61080188.ase is infected with Adware.Envolo
C:\Documents and Settings\...\Local Settings\Temp\5wS.exe is infected with Adware.WinFetch
C:\Documents and Settings\...\Local Settings\Temp\8Jq0.exe is infected with Adware.WinFetch
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\O5ERO5QJ\mtrslib2[1].js is infected with Adware.CDT
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\O5ERO5QJ\tool[1].htm is infected with Adware.CDT
C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Content.IE5\KXIF4XMB\prompt[1].htm is infected with Adware.Istbar
 
Charles L.

Also,

the results from trend micro on-line:

COOKIE_45 Cookie pass
COOKIE_611 Cookie pass
COOKIE_1020 Cookie pass
COOKIE_2250 Cookie pass
ADW_SIDESEARCH.A Adware Removal Successful
ADW_OVERPRO.A Adware Unknown
AADW_IEDRIVER.A Adware Removal Successfu

Well, but it did not stop the hyperlinks
from appearing.

Charles
 
Bill Sanderson

Well - at least you are making some progress.

I'd go with the experts at this point:

http://www.aumha.org/a/quickfix.htm

There is some initial advice about settings and tools to try first, but I
think you need to download HijackThis, and create a log file and post it to
the forum you can find via that link. Describe what is happening, and
likely the folks there will know far more about it than I do.
 
