
Thread: Repeat Infections

  1. #1
    Dell Christopher Guest

    Repeat Infections

    I've been trying to help a friend with his computer and, no matter what I
    do, spyware keeps returning. Here is my novice checklist that I've gone
    through:

    msconfig: If I find an obvious spyware entry, I both uncheck it AND I locate
    the actual spyware file(s) and permanently delete them.
    Malwarebytes (usually 2 scans), Spybot S&D, and TDSSKiller.
    CCleaner and reset Internet Explorer.
    IE Internet Options > Connections tab > LAN settings: make sure both lower
    boxes are unchecked.
    Microsoft Security Essentials: configure for daily overnight scan (computer
    is left on).

    When I'm done, I try some sample Google searches to make sure there is no
    evidence of browser hijacking. At this point, I feel like we've made
    progress and cleaned the computer. Then, a couple weeks later, I'm back to
    repeat the same exercise! Monday will be my 3rd visit in 2 months! ((

    I'm no expert, but it sure feels like I've done everything to both clean and
    protect the computer. I know that user activity is a big factor in how a
    computer gets infected. However, I would really love to hear any
    suggestions on any additional settings to check and/or any better tools than
    what I've listed above. All input is greatly appreciated.

    Thanks!
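
A way to see what actually comes back between visits, as an added example that is not part of the original post: a read-only Windows PowerShell snapshot of the startup entries msconfig lists and of the IE LAN settings, diffed against a saved baseline. The baseline file name is an assumption; `Get-WmiObject` assumes Windows PowerShell rather than PowerShell 7, and services, scheduled tasks and browser add-ons are not covered.

```powershell
# Added example: read-only snapshot; nothing is disabled or deleted.
# Run it as the affected user, because the IE proxy settings live in HKCU.
$baseline = Join-Path $env:USERPROFILE 'startup-baseline.txt'   # assumed path

# Startup entries from the Run keys and Startup folders, for all users.
$startup = @(Get-WmiObject Win32_StartupCommand |
    Select-Object User, Location, Name, Command)

# IE > Internet Options > Connections > LAN settings, as stored in the registry.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty $inetKey

# One text line per finding, so two snapshots can be diffed.
$lines = @($startup | ForEach-Object {
    "startup|$($_.User)|$($_.Location)|$($_.Name)|$($_.Command)"
})
$lines += "proxy|ProxyEnable=$($inet.ProxyEnable)"
$lines += "proxy|ProxyServer=$($inet.ProxyServer)"
$lines += "proxy|AutoConfigURL=$($inet.AutoConfigURL)"
$lines = $lines | Sort-Object

# Heuristic only: programs that start from user-writable folders deserve a look.
$writable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
$suspect = @($startup | Where-Object {
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.Command).ToLower()
    @($writable | Where-Object { $cmd.Contains($_.ToLower()) }).Count -gt 0
})

'Startup entries launching from user-writable folders:'
$suspect | Format-Table Name, Command -AutoSize -Wrap

if (Test-Path $baseline) {
    # '=>' is new since the saved baseline, '<=' has disappeared since then.
    Compare-Object (Get-Content $baseline) $lines | Format-Table -AutoSize -Wrap
} else {
    $lines | Set-Content $baseline
    "Baseline saved to $baseline; run again on the next visit to see what changed."
}
```

Save the baseline right after a cleanup; on the next visit, any `=>` line is an entry that appeared since then.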


  2. #2
    siljaline Guest

    Re: Repeat Infections

    Dell Christopher wrote:
    > I've been trying to help a friend with his computer and, no matter what I
    > do, spyware keeps returning. Here is my novice checklist that I've gone
    > through:


    <snip>

    Post an HJT or OTL log somewhere, post back the link here and I'll have a
    look at it.
    (http://www.geekstogo.com/2010/05/27/...or-hijackthis/)

    Some are still comfortable using HJT, many boards still support, though it is
    becoming a bit long in the tooth.

    Silj


    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_



  3. #3
    Buffalo Guest

    Re: Repeat Infections



    Dell Christopher wrote:
    > I've been trying to help a friend with his computer and, no matter
    > what I do, spyware keeps returning. Here is my novice checklist that


    Try the free version of SAS (SuperAntiSpyware) available on the website with
    the same name.
    Perhaps even purchase the pro version of SAS or MBAM so that you will have
    real time monitoring for spyware.
    Try explaining to your friend how to practice 'safe hex'.
    Hopefully your HJ log will be looked at by Silj or others who can spot the
    problem.
    Please post back with the fix that worked for you.
    Buffalo



  4. #4
    Beauregard T. Shagnasty Guest

    Re: Repeat Infections

    Dell Christopher wrote:

    > I've been trying to help a friend with his computer and, no matter
    > what I do, spyware keeps returning. Here is my novice checklist that
    > I've gone through:


    I notice no mention was made of:
    the OS used
    a firewall
    operating as an administrator, or a user
    passworded account
    using a better browser

    --
    -bts
    -Four wheels carry the body; two wheels move the soul

  5. #5
    Han Guest

    Re: Repeat Infections

    "Buffalo" <Eric@nada.com.invalid> wrote in
    news:iguuoe$71q$1@news.eternal-september.org:

    >
    >
    > Dell Christopher wrote:
    >> I've been trying to help a friend with his computer and, no matter
    >> what I do, spyware keeps returning. Here is my novice checklist that

    >
    > Try the free version of SAS (SuperAntiSpyware) available on the
    > website with the same name.
    > Perhaps even purchase the pro version of SAS or MBAM so that you will
    > have real time monitoring for spyware.
    > Try explaining to your friend how to practice 'safe hex'.
    > Hopefully your HJ log will be looked at by Silj or others who can spot
    > the problem.
    > Please post back with the fix that worked for you.
    > Buffalo


    The author is rather insistent that it is SUPERAntiSpyware. Note
    capitalization, for copyright reasons. I am just a user and admirer,
    although my hex is safe enough that it hardly ever has encountered anything
    of any importance ...

    --
    Best regards
    Han
    email address is invalid

  6. #6
    David H. Lipman Guest

    Re: Repeat Infections

    From: "Dell Christopher" <dellc99@aim.com>

    | I've been trying to help a friend with his computer and, no matter what I
    | do, spyware keeps returning. Here is my novice checklist that I've gone
    | through:

    | msconfig: If I find an obvious spyware entry, I both uncheck it AND I locate
    | the actual spyware file(s) and permanently delete them.
    | Malwarebytes (usually 2 scans), Spybot S&D, and TDSSKiller.
    | CCleaner and reset Internet Explorer.
    | IE Internet Options > Connections tab > LAN settings: make sure both lower
    | boxes are unchecked.
    | Microsoft Security Essentials: configure for daily overnight scan (computer
    | is left on).

    | When I'm done, I try some sample Google searches to make sure there is no
    | evidence of browser hijacking. At this point, I feel like we've made
    | progress and cleaned the computer. Then, a couple weeks later, I'm back to
    | repeat the same exercise! Monday will be my 3rd visit in 2 months! ((

    | I'm no expert, but it sure feels like I've done everything to both clean and
    | protect the computer. I know that user activity is a big factor in how a
    | computer gets infected. However, I would really love to hear any
    | suggestions on any additional settings to check and/or any better tools than
    | what I've listed above. All input is greatly appreciated.

    Chances are high that the owner is visiting a malicious web site.

    What you have done is good BUT insufficient.

    You have not mentioned anything about vulnerability assessment and mitigation which may be
    the reason for the re-infection rate (of malware you have failed to provide information
    on).

    Run Secunia's Software Inspector on the affected computer.
    http://secunia.com/software_inspector

    Mitigate ALL vulnerabilities and then re-run the above applet.

    Look at the user's History and Browser Favourites, look for anomalous URLs that may be
    associated with the re-infection.


    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #7
    Buffalo Guest

    Re: Repeat Infections



    Han wrote:
    > "Buffalo" <Eric@nada.com.invalid> wrote in
    > news:iguuoe$71q$1@news.eternal-september.org:
    >
    >>
    >>
    >> Dell Christopher wrote:
    >>> I've been trying to help a friend with his computer and, no matter
    >>> what I do, spyware keeps returning. Here is my novice checklist
    >>> that

    >>
    >> Try the free version of SAS (SuperAntiSpyware) available on the
    >> website with the same name.
    >> Perhaps even purchase the pro version of SAS or MBAM so that you will
    >> have real time monitoring for spyware.
    >> Try explaining to your friend how to practice 'safe hex'.
    >> Hopefully your HJ log will be looked at by Silj or others who can
    >> spot the problem.
    >> Please post back with the fix that worked for you.
    >> Buffalo

    >
    > The author is rather insistent that it is SUPERAntiSpyware. Note
    > capitalization, for copyright reasons. I am just a user and admirer,
    > although my hex is safe enough that it hardly ever has encountered
    > anything of any importance ...


    So be it.

    I spell and capitalize it that way so the emphasis is on the three capital
    letters S-A-S.
    I do have the lifetime pro version, so don't tell the author about me or he
    may cut me off.
    Buffalo



  8. #8
    David H. Lipman Guest

    Re: Repeat Infections

    From: "Buffalo" <Eric@nada.com.invalid>



    | Han wrote:
    >> "Buffalo" <Eric@nada.com.invalid> wrote in
    >> news:iguuoe$71q$1@news.eternal-september.org:




    >>> Dell Christopher wrote:
    >>>> I've been trying to help a friend with his computer and, no matter
    >>>> what I do, spyware keeps returning. Here is my novice checklist
    >>>> that


    >>> Try the free version of SAS (SuperAntiSpyware) available on the
    >>> website with the same name.
    >>> Perhaps even purchase the pro version of SAS or MBAM so that you will
    >>> have real time monitoring for spyware.
    >>> Try explaining to your friend how to practice 'safe hex'.
    >>> Hopefully your HJ log will be looked at by Silj or others who can
    >>> spot the problem.
    >>> Please post back with the fix that worked for you.
    >>> Buffalo


    >> The author is rather insistent that it is SUPERAntiSpyware. Note
    >> capitalization, for copyright reasons. I am just a user and admirer,
    >> although my hex is safe enough that it hardly ever has encountered
    >> anything of any importance ...


    | So be it.

    | I spell and capitalize it that way so the emphasis is on the three capital
    | letters S-A-S.
    | I do have the lifetime pro version, so don't tell the author about me or he
    | may cut me off.
    | Buffalo


    I know Nick and I know he wouldn't care (as to the mixed case and acronym). That is
    unless it got in the way of his race car < LOL >.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  9. #9
    Buffalo Guest

    Re: Repeat Infections



    David H. Lipman wrote:
    > From: "Buffalo" <Eric@nada.com.invalid>
    >
    >
    >
    >> Han wrote:
    >>> "Buffalo" <Eric@nada.com.invalid> wrote in
    >>> news:iguuoe$71q$1@news.eternal-september.org:

    >
    >
    >
    >>>> Dell Christopher wrote:
    >>>>> I've been trying to help a friend with his computer and, no matter
    >>>>> what I do, spyware keeps returning. Here is my novice checklist
    >>>>> that

    >
    >>>> Try the free version of SAS (SuperAntiSpyware) available on the
    >>>> website with the same name.
    >>>> Perhaps even purchase the pro version of SAS or MBAM so that you
    >>>> will have real time monitoring for spyware.
    >>>> Try explaining to your friend how to practice 'safe hex'.
    >>>> Hopefully your HJ log will be looked at by Silj or others who can
    >>>> spot the problem.
    >>>> Please post back with the fix that worked for you.
    >>>> Buffalo

    >
    >>> The author is rather insistent that it is SUPERAntiSpyware. Note
    >>> capitalization, for copyright reasons. I am just a user and
    >>> admirer, although my hex is safe enough that it hardly ever has
    >>> encountered anything of any importance ...

    >
    >> So be it.

    >
    >> I spell and capitalize it that way so the emphasis is on the three
    >> capital letters S-A-S.
    >> I do have the lifetime pro version, so don't tell the author about
    >> me or he may cut me off.
    >> Buffalo

    >
    >
    > I know Nick and I know he wouldn't care (as to the mixed case and
    > acronym). That is unless it got in the way of his race car < LOL >.



    Buffalo



  10. #10
    Dell Christopher Guest

    Re: Repeat Infections

    Thanks for the replies. It sounds like a combination of recommending either
    Firefox (or Chrome), and perhaps the paid version of Malwarebytes is in
    order.



    "Dell Christopher" wrote in message
    news:sZOdnaOu8NTFHq_QnZ2dnUVZ_hGdnZ2d@earthlink.com...

    I've been trying to help a friend with his computer and, no matter what I
    do, spyware keeps returning. Here is my novice checklist that I've gone
    through:

    msconfig: If I find an obvious spyware entry, I both uncheck it AND I locate
    the actual spyware file(s) and permanently delete them.
    Malwarebytes (usually 2 scans), Spybot S&D, and TDSSKiller.
    CCleaner and reset Internet Explorer.
    IE Internet Options > Connections tab > LAN settings: make sure both lower
    boxes are unchecked.
    Microsoft Security Essentials: configure for daily overnight scan (computer
    is left on).

    When I'm done, I try some sample Google searches to make sure there is no
    evidence of browser hijacking. At this point, I feel like we've made
    progress and cleaned the computer. Then, a couple weeks later, I'm back to
    repeat the same exercise! Monday will be my 3rd visit in 2 months! ((

    I'm no expert, but it sure feels like I've done everything to both clean and
    protect the computer. I know that user activity is a big factor in how a
    computer gets infected. However, I would really love to hear any
    suggestions on any additional settings to check and/or any better tools than
    what I've listed above. All input is greatly appreciated.

    Thanks!

