
Thread: Microsoft

  1. #21
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    If you want niceness over intelligence call Microsoft's tech support. No one even made fun of him, they cracked a joke.

  2. #22
    Junior Member
    Join Date
    Apr 2004
    Posts
    24
    Okay. Thank you for all your replies. One: I am running spybot, adaware 6, pest patrol, win patrol, anti-trojans, Black Ice and some more programs. Two: I was running ME when I first ran my "HijackThis" log. All three of these sites were on my ME. For a while, I had adserverBonzi, z1adsever.com, and one other whose name escapes me right now. I hunted down and got rid of these pests. ALL were on my mailbox. ALL were invited into my mailbox, I believe by doubleclick. About one month ago, I upgraded to XP. When I went to my mailbox, I still had doubleclick, servedby, and akamai. Before I switched to XP, HijackThis did not show any of these pests. The same thing with XP. I believe these things are embedded in my hard drive. Every time I run my trojan scan, I see akamai come up, but I am on a 30 day free trial and they will not help me right now. I have not seen the other two. It could well be that akamai was spoofed. When this first started back in November of last year, I only had doubleclick and servedby. The others started appearing later. Since I run a dial-up, I always unplug my phone line every time I am not running the internet. They can send all the commands they want to start my computer and send out adware, but since I unplug the phone line, they cannot do this. I do not get much email except for spam. I get lots of that. All my friends, except for about two who live in my area, have died. I am a shut in due to the fact I cannot walk and have to use special equipment to get around in. I was in law enforcement for 27 years and a smart ass kid blew my legs apart with a 12 gauge shotgun, so I do not have much humor anymore. I also am ate up with agent orange from the Viet Nam War. I also have some brain damage due to the fact that I died and during cpr, my brain suffered some damage before they brought me around. This is the reason why I probably do not put much information down or not enough information.
    Just please bear with me and ask questions and I will answer. It is hard for me to keep things straight and sometimes I find myself writing gibberish or wandering from subject to subject. Just please bear with me and maybe I will find an answer to this problem on my computer.

  3. #23
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK txsidewinder1, I am sorry to learn of your situation, I doubt if I could be as positive as you are if it were me. Let's try to get rid of this stuff?

    I would recommend:

    1. Switch off "System Restore"......instructions can be found on any AV site
    2. Update all your anti spy/ad stuff then run it all in safe mode (F8 on bootup)
    3. Open Winpatrol and check what is in startup, cookies and IE helpers (BHOs)
    4. Open SpyBot S&D in advanced mode, go into "tools" and check what is in all those files/folders............the Windows "Hosts" file for example.

    Get CWShredder and run it in safe mode......that's a complementary product to Spybot that deals specifically with some variants of CWS that Spybot can't handle. Merijn is the author.

    In SpyBot, go to the "Immunization" screen, take the immunize option and install the browser helper to block bad downloads. Check the box to lock BHOs.

    If your mail client is set to open messages in the preview pane.....switch it off, a lot of this crap seems to come with spam mail (just fixed a local hotel computer and got rid of 106 of the varmints....they had preview on!).

    I guess that is about all I can think of right now......let us know how you get on.

    Cheers


    EDIT: when you load the SpyBot browser helper, WinPatrol will come up with a warning..........say "OK" we actually want that one. You also might have a BHO for Adobe Acrobat and possibly some others. My advice is that if you don't recognise it, get rid of it, if it is needed you will be prompted to load it again
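
Added example, not part of nihil's post or of any tool named in it: step 4 above suggests checking the Windows "Hosts" file, and this sketch shows what to look for in one. The sample file content, hostnames and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file content (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net      # blocking entry added by an immunizer
0.0.0.0         tracker.example.org
203.0.113.45    www.search.example   # hostname redirected to an outside address
203.0.113.45    auto.search.example mail.example.com
not-an-ip       broken.example
::1             localhost
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]

def classify(address):
    """Return 'local', 'redirect' or 'malformed' for a hosts-file address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    # Loopback and 0.0.0.0 entries only sink a hostname; they redirect nowhere.
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    # Anything else sends the hostname to another machine and needs review
    # (a LAN address may be legitimate, an unknown public one usually is not).
    return "redirect"

def audit_hosts(text):
    """Return entries worth a manual look: redirects and unparsable lines."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        kind = classify(address)
        if kind == "malformed" or not names:
            findings.append((line_no, "malformed", address, names))
        elif kind == "redirect":
            findings.append((line_no, "redirect", address, names))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows XP the file is at %SystemRoot%\System32\drivers\etc\hosts; pass its text to `audit_hosts` in place of the sample.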

  4. #24
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    OK, for the people who know me, don't read any farther than this, because it may make you faint with what I'm about to say.

    I'm sorry about what happened to you. I don't exactly get along with police as my best friend has had his ribs cracked by them for NO reason, but this doesn't mean all of you are alike either, which is why I don't go out of my way to get on the nerves of other police officers.

    I found two so far that were actually nice people. I considered they were only doing their jobs when they made me and my friends line up and they checked us all out for no reason, but they were doing a job, because it was the mall security guy who called them on us for standing in a shaded spot in 100 degree weather.

    One of them was actually nice and wasn't pushing us into the cars like usual. You don't have to apologize, it was just hard to read at first but as I said before, I was tired when I read it.

    I don't think it's right someone gets shot.

    And as for war, I'm totally against it.

    Do you get medication to help out at all?

    I wish you all the best, maybe one day you will wake up feeling better. Do not doubt.

  5. #25
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    txsidewinder1,
    don't take too much personal offense to negative responses anyone says here at AO. You got to remember that although this site is dedicated to security and security related issues, many of us still have to deal with script kiddies and people with malicious intentions that seem to think it's fun to come here and talk **** and start idiotic threads.

    I'm sure no harm was intended in the responses you got. Maybe the way your post was worded, it seemed to other people that you might have just been someone screwing around or what have you. (I'm not exactly clairvoyant, so I can't tell you what people thought of your post)

    Trust me though, you couldn't find a better place to get most of your technical/security questions answered.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  6. #26
    Junior Member
    Join Date
    Apr 2004
    Posts
    24
    nihil: I did all you asked me to do. Nothing. Everything was clean. I still think the main problem is going to be in my hard drive, but the scan I was able to do showed that it was clean.

    Now when I upgraded to XP, I carried zilch with me. I personally destroyed every single file I had. My computer was clean as a new baby's behind when I upgraded.

    I am also in contact with Akamai. I told them about the whole bit I have been through. I also told them that nothing shows on scans or anti-virus. I also asked them that if they had a representative in my area, which is outside Houston, that they were welcome to come look at my computer and see what is going on. The man who repairs my computer from time to time is also stumped and he builds computers. However, I notice that I seem to know a lot more about security and anti-virus than he does. He just tells me that he has never seen anything like this before.

    I have spent at least 12 hours, again, working on this thing. I have run everything again in safe mode, start-up, etc. Even turning off system restore and running everything did not help. Before I upgraded, I even looked inside the registry to see if they were embedded in those files. Nothing, plus the fact that they were still there after I upgraded proves that out.

    Besides hard disk, is there anything else that they could be embedded in? The only thing that came with the upgrade was hardware. There was no SOFTWARE! This thing is going to drive me

  7. #27
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi txsidewinder1,

    This is interesting. In answer to your question of other hiding places, I am not aware of any spyware that would store itself in the BIOS.............that would require flashing, would almost certainly damage some machines and get them sued to hell and back. So I reckon we can rule out BIOS?

    Do you have any other storage devices like a USB drive (some people call them "thumb drives")?

    Did you save files from your old system onto CD or floppy disk.............bit of a long shot, but that could be how re-installation is happening?

    To try something else, can you get the problem to show up (akamai) then minimise the window and run HijackThis. Then save the HijackThis log and post it as an attachment...........or attach it to a PM, but it would be better if we could all look at it.

    I agree that it must be on your hard drive, but I am trying to find out how it keeps coming back after all that we have done.................removable media would be the obvious one?

    Cheers

  8. #28
    Junior Member
    Join Date
    Apr 2004
    Posts
    24
    nihil: No, no disks, no floppy disks. The only disks used were software from microsoft, or disks that were already scanned and found clean. Since these things are only on earthlink, do you think that maybe earthlink was hacked and myself and some others were infected before earthlink caught it? They were awful defensive when I queried them about it. They said it was impossible. Then they told me that I was being paranoid and needed to be psychologized for thinking such a thing. This was from their security department. When I asked them if they were doctors, they ignored me. The only thing I can get out of them is that it was my fault for getting these things. This is the last thing I can think about. If they got on my hard drives and I change hard drives and they are still there, I am going to be very angry. I really cannot afford to do that since I only have a very small pension and social security.

  9. #29
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi txsidewinder1,

    You would not need to replace hard drives unless you wanted to do it for other reasons such as more space, faster kit and so on.

    The furthest you would have to go is to reformat the drive and reinstall your operating system & software. That is a complete format of the hard drive, and fresh installation ( NOT fdisk, or "repair") This is what I recommend after a machine has been "owned", as you never know what else a perp might have left on your machine, and whilst the code/files will still be there, the links to them will have been destroyed, so they cannot work again. I AM NOT SUGGESTING THAT....YET! (It is a pain in the butt!)

    I am wondering now, if it really is on your machine? You will have to be a bit patient with me, as I am in England and things are different here. I have two internet providers one is ADSL Broadband from our major telco, and the other is a 56.6 dial-up from an ISP. I pay for the ADSL but the dial-up is free. If I log on to the ADSL then I get a link and that is all.........all other software (browser, mail etc) is exactly as I loaded it. The dial up, on the other hand, defaults me to their website, with loads of adverts and a custom version of the IE browser.

    My question is: are you using a mail service on the Earthlink site, or are they "only" providing you with a connection?

    Another "free" service that I tested a little while back was even less subtle.........it hijacked the IE6 browser so it now comes up with "Internet Explorer Provided By XYZ" even when I open IE in "offline" mode. Now that IS on my local drive.

    You mention your "mailbox", what exactly is that..............are you downloading messages from their server into Outlook/Outlook Express (typical POP3 arrangement), or is the mail file (postbox) on their server, and you are using remote software to manage it?

    Basically, I am asking if you can read your mail without being connected to earthlink............if you can, and you can still see this stuff, then I would say that your mail client has been hijacked, just like the IE browser I mentioned.

    If you have to go onto their site to read any of your mail, and are not using Outlook/Outlook Express, then I would say that the software and files are entirely on the remote server, and it is advertising that they have put there, or at least something to do with them.

    If you are paying for a service, you should NOT be getting adverts in my opinion. Is that why they were defensive?

    I am sorry about this, but I am going to have to wait for you to get back to me and bring me up to speed on how things work over in the USA.

    At this point, things seem to be looking a lot better................more like your ISP behaving badly than malware on your machine that we cannot destroy?

    Cheers

  10. #30
    Junior Member
    Join Date
    Apr 2004
    Posts
    24
    It is a pop server. I have never tried to get my mail off line.

    I do not believe that Earthlink would post something like that. I would rather believe that they would have been hacked into than place something like that on your computer. I believe it would be a matter of not admitting anything happened. No provider in the U.S. that I know about would admit to being hacked, yet we know MSN is always brought down. I honestly believe that anyone, I do not care who it is, can be hacked. If these hackers can get into military secrets, they sure can get to a provider. Also, given the chance that Earthlink could be sued would also make them very defensive on letting persons know they have been hacked. What they do not realize is that by disallowing the truth, if the truth comes out, then they will be sued.

    Earthlink is my provider. I pay them a certain amount of money each month. I have 3 other mailboxes. None of the spies are on these mailboxes. This is another reason I believe that Earthlink may have been hacked. If they are embedded on my computer, how come they are not anywhere else? Now I know that other spies were invited to my computer because I used to see them. a1.adserver.com is a spy network that sends spam. When I am through with my computer, I disconnect from the internet and pull my phone plug. I live in an area of Texas where thunderstorms can pop up very fast and all that lightning we have could fry my modem. They can send all the commands they want, nothing will happen. After two or three months, a1.adserver.com disappeared from my computer. I never did find it. This was before I upgraded. I also had securebonzi.com and adserverbonzi.com that were also there. I found those two and got rid of them. They are both the same company, but do different things. If any of this helps you, let me know ASAP. I will probably be up til about 3 a.m. my time. It is 8:15 p.m. my time right now.
