Aol spyware?
Started by mikedd, Jun 23 2006 10:01 PM
6 replies to this topic

#1
Posted 23 June 2006 - 10:01 PM
Hi, I need some good advice on a spyware problem I have. 3 days ago I got a message from my AOL spyware protection software. It said it found spyware and I paid it no attention because, not being especially knowledgeable, I thought it was like a tracking cookie. Then when it happened again I went into the spyware protection software and it labelled this spyware as something that I definitely understood - trojan.
Internet browsing produced some advice about shutting off system restore because spyware hides there - a bad move, now I know I might have solved the problem very quickly with a system restore.
Then I downloaded adaware/spybot and used the online services Bitdefender and Panda Activescan.
They found the following -
- softomate tool bar (adaware)
- 1 item in norton quarantine - js.trojan.downloader.istbar.a (bit defender) which could've been there for months.
- FirewallDisableNotify and AntivirusDisablenotify registry entries whose values spybot didn't like
But I've still got this problem. I've also noticed that the autocomplete settings are reset each 'attack' to remembering passwords and login details. And a new strange window offering me autocomplete even when typing something in google appears now and then.
Looking at the AOL spyware protection quarantine directory, it stores the files in protected zip files which I need a password to access. The first two attacks produced a zip containing one file and subsequent attacks produced a zip with two files inside. The files in the zip folders are always 1K in length.
I should also point out I've got up to date Norton Internet Security which hasn't detected any of these 'attacks', and use AOL 9 and Windows XP. Does anybody know what to do next? Could these attacks be simply due to software error, with AOL signalling an attack which isn't there or misinterpreting normal operation of Norton or IE? Thanks in advance

#2
Posted 24 June 2006 - 12:03 AM
Hi mikedd, Welcome to the forum
It's difficult to know if this is a false positive and it initially found something harmless to cause the alerts, or if there is a malware problem on your system, but let's look at each point you raised and run a malware scan to begin with.
Quote
Internet browsing produced some advice about shutting off system restore because spyware hides there
As you have noticed, you could have restored to an earlier date, which may have cleared the problem. Even if the only option is an infected restore point, it's still better than having none if any mistakes are made by the scanners or by removing items that are genuine. Turning it off is really not required, as the infected restore can only cause you problems if it's used, and once the system is clean it's a simple step to create a new restore and remove all the older ones, which still doesn't need it turning off to do, although that option can be used as long as it's turned back on after a reboot.
Quote
Then I downloaded adaware/spybot and used the online services Bitdefender and Panda Activescan.
They found the following - softomate tool bar (adaware)
AOL is a client of Softomate's besttoolbars.net so this may be the reason for that detection, you can see that on Softomate's site here
http://www.besttoolb...xamples.php#aol
Quote
- 1 item in norton quarantine - js.trojan.downloader.istbar.a (bit defender) which could've been there for months.
I'd agree that this may have been present for a while because, as far as I know, IST hasn't been involved in drive-by/silent installs for many months. The detection is for a JavaScript, so it could have been a malicious file that was detected when you were surfing the net at some stage.
Quote
- FirewallDisableNotify and AntivirusDisablenotify registry entries whose values spybot didn't like
This Spybot detection is likely connected to your Anti-Virus (Norton) disabling your Windows alerts for having no Antivirus or Firewall enabled. A lot of AV vendors do this in case Windows doesn't recognize that you have protection installed and starts displaying alerts for the Firewall or Antivirus.
This is likely to return after a reboot but it's not a problem if it does. If you go to Start Menu > Control Panel > Security Center you will see some options listed on the left; one of those will show 'Change the way security center alerts me'. If you click that it will show the area that Spybot is detecting: there are three checkboxes (Virus Protection, Automatic Updates and Firewall). Spybot is finding that the check boxes for Antivirus and Firewall are not enabled, so fixing them will re-enable them. If they return after a reboot it's connected to your AV, so you can click the detection on Spybot's results page and choose exclude this from future searches.
Quote
I've also noticed that the autocomplete settings are reset each 'attack' to remembering passwords and login details. And a new strange window offering me autocomplete even when typing something in google appears now and then.
Have you enabled the Auto Complete feature in IE? Open an IE browser window and go to Tools on the top bar, then Internet Options. Click the Content tab, then the AutoComplete button. You can then enable or disable the feature. If not, do you have any Toolbars installed that would attempt to auto complete forms?
Google does have a strange Auto Complete page here but I think you would notice if you were on that one
http://www.google.co...omplete=1&hl=en
Download Ewido anti-spyware
- Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top and then click on Complete System Scan
- Ewido will list any infections found on the left when the scan has finished; it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
- Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Regards
Andy
#3
Posted 24 June 2006 - 01:01 AM
Thanks for your reply AndyManchesta. I discovered how to enable/disable autocomplete as you described earlier from searching the web for an answer. However, if I disable it, autocomplete is reset after each attack. I should've said earlier that the AOL anti-spyware software called it infostealer but gave no other information about the origins of what it was blocking; I don't even know the folder the items blocked came from. I don't know if it will help or if it's a silly idea, but I will try to get a photo of the autorepeat window I mentioned earlier if it will help you judge the problem. As to your suggestions I'll try them either Sunday or Monday night and get back to you. Thanks again.
#4
Posted 24 June 2006 - 02:01 AM
Hi Mike, this does sound a bit suspicious if you cannot disable Auto Complete. There have been some new variants of InfoStealer so it should be considered as a genuine detection until we can check your system in more detail. When you open AOL or the protection folder to find out it's infostealer, can you find any additional information on where the file was detected, such as a reg entry or maybe a file running from the temp/system folders?
Norton Results for Infostealer
Can you run Ewido as its detection level is excellent, plus it will provide a Real Time guard for 30 days after it's installed which may help if there are any malware issues to prevent them running. Next can you download HijackThis and post the log it produces onto the HijackThis forum of this site and either myself or another member will be happy to check it over for any problems.
Download HijackThis
Save it in a convenient permanent folder such as C:\HijackThis\
Run HijackThis and choose Do a system scan and save a logfile
When the scan is finished, it will open the results in notepad and also save them into the HijackThis folder.
Please post the full contents of the logfile back on This SubForum (It's the Spyware Hell - HijackThis Log Analysis area of this site)
Most of what it lists will be harmless or essential, don't fix anything yet.
Regards
Andy
#5
Posted 24 June 2006 - 12:24 PM
Thanks Andy, I will do that as soon as I've got time to give it my full attention. I've heard you should run Ewido in safe mode, is that true? Should I also run HijackThis in safe mode?
As for the additional information, unfortunately there is none. I've gone into the AOL antispyware software and clicked left/right over the entries and looked elsewhere but there is no info, just infostealer - trojan - and the date. It doesn't even give the time of attack.
I've included a jpeg of the autocomplete window that appeared while using eBay. They've been plaguing me, not sure if it's OK but I never saw it until the attacks. I will post the hijack file as soon as possible.
Thanks
Mike
#6
Posted 24 June 2006 - 06:31 PM
Hi Mike
Ewido and HijackThis should be run in Normal Mode. Ewido can work better in safe mode when it's a badly infected machine as the malware is not running in most cases, but generally it should be used in Normal Mode as it can still detect and remove the same infections. It's the report it generates after the scan which is very useful, as it can show info on what infections are present, which then gives us a good idea what we are dealing with and allows us to check if the malware makes changes in other areas.
The screenshot is fine and that is the genuine AutoComplete prompt, but it should not keep appearing after you have made your choice. It's best to see the Report from Ewido and the HijackThis log first to get more info on your system in case there are any Registry monitoring tools that may be interfering with the changes, or if there is a malware problem present or a registry key/value missing.
Can you also download the attached file and save it to your desktop, extract and then double click CheckAutoComplete.bat to start the script. It will export the information from the registry keys and write that into a text file which will open after a few seconds. Can you post the contents back on here or add it to the HijackThis log and Ewido Report on the HijackThis forum.
It should be simple enough to solve once we see the results
Cheers
Andy
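As an added illustration of the kind of check Andy's CheckAutoComplete.bat performs (this is not the attached script, and the thread does not say which keys that script reads), the batch file below uses reg.exe, which ships with Windows XP, to dump the Security Center alert flags that Spybot flagged in reply #2 and the IE AutoComplete values into a text file on the desktop and open it. The value names are the ones XP is understood to use and are an assumption, as is the extra listing of the Run keys, included because a value that keeps resetting after each reboot is usually re-applied by something that starts at logon.

```batch
@echo off
REM Added example for this thread, not the CheckAutoComplete.bat attachment.
REM Assumption: Windows XP with reg.exe; the value names below are the ones
REM XP uses for Security Center alerts and IE AutoComplete.
setlocal
set REPORT=%USERPROFILE%\Desktop\AutoCompleteCheck.txt

echo AutoComplete / Security Center check - %DATE% %TIME% > "%REPORT%"
echo. >> "%REPORT%"

REM A DWORD of 1 means the Security Center alert is suppressed. An installed
REM AV suite (Norton here) may legitimately set these; a 1 with no security
REM product installed would be worth investigating further.
echo [Security Center alert flags - 1 = alert suppressed] >> "%REPORT%"
reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusDisableNotify >> "%REPORT%" 2>&1
reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v FirewallDisableNotify >> "%REPORT%" 2>&1
echo. >> "%REPORT%"

REM IE stores the Content > AutoComplete choices as yes/no strings. If these
REM read "yes" again after the user set them to "no", something rewrote them.
echo [IE AutoComplete settings - yes/no strings] >> "%REPORT%"
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Use FormSuggest" >> "%REPORT%" 2>&1
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "FormSuggest Passwords" >> "%REPORT%" 2>&1
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "FormSuggest PW Ask" >> "%REPORT%" 2>&1
reg query "HKCU\Software\Microsoft\Internet Explorer\AutoComplete" /v AutoSuggest >> "%REPORT%" 2>&1
echo. >> "%REPORT%"

REM Programs started at logon are the usual place a setting gets re-applied
REM on every boot; list them so the forum helper can compare with the
REM HijackThis O4 entries.
echo [Logon Run entries] >> "%REPORT%"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" >> "%REPORT%" 2>&1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" >> "%REPORT%" 2>&1

REM Open the report so it can be copied into the forum post.
start notepad "%REPORT%"
endlocal
```

Missing values are reported by reg.exe as an error line in the file rather than aborting the script, so a key that is absent shows up as such in the output.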