Spyware, safe mode, and partition.

I recently have been using a direct internet connection with no proxy server. I have Internet Explorer and Windows XP. Yesterday I was attacked by spyware. It caught me by surprise, even though I should have seen it coming. I deleted all the bad files and applications, and this was done for the spyware applications in safe mode.

I was able to get rid of mssearch.net but could not get rid of stickrep.exe. So I figured that I would have to go back into safe mode and try again. The second time I booted in safe mode there was a list of files being partitioned. Gasp! I immediately powered off and started up in normal mode.

Is there supposed to be a partition in safe mode? I do not recall seeing a partition screen the first time I started safe mode. Please explain why there would be a partition when I started safe mode. I would have probably finished fixing the problem but I need to be extra cautious. I do not want to lose any data.

Also, any Dopers have a Spyware problem that logs you off SDMB when switching forums, or previewing posts? This is very frustrating!! I can’t even preview my own post without being logged off! :mad:

Without more info or a screenshot of the actual message, it’s hard to say for sure what it was. Do you remember the exact message and what it looked like?

What you might have seen is a fake dialog box generated by the spyware to make you think something bad is happening – like those “YOUR COMPUTER IS INFECTED!!! CLICK HERE TO BUY OUR FAKE ANTISPYWARE PRODUCT FOR ONLY $30 AND YOUR SOUL!” ads you see on websites. Generally, you don’t “partition” files… partitioning is something you do to entire hard drives to split them into smaller virtual drives. “Partition” might just be a nasty-sounding jargon term that the spyware is using to try to scare you.

But if a spyware program actually WANTED to harm your files, it’s definitely capable of deleting everything on your hard drive. We’re just lucky that most of them don’t.

How critical are your files? If you’re willing to take a risk, you can back up the most important files to an external HD or to a CD/DVD first and then try the cleanup under safe mode again. My two cents is that it’ll PROBABLY be ok… but it can’t be guaranteed.

If your files are absolutely essential and you don’t want to take any risks, the only safe thing to do at this point is to take out your hard drive and have it scanned by another known-good computer. You can have a knowledgeable friend do this for you or pay somebody like GeekSquad to do the same thing.

P.S. I really don’t mean this in a preachy way, but if your data is that important, you should be taking more measures to protect yourself. Use Firefox or Opera – ANYTHING but IE; don’t browse the Web with an Administrator-level user account; make sure you’re using a real-time virus scanner and spyware scanner, not just something that performs scheduled checks; and regularly back up everything that matters to you on non-rewritable media (so malware can’t overwrite it). It’s very inconvenient, I know, but there’s always a tradeoff :frowning: Ya gotta decide, for yourself, how much trouble you’re willing to put up with in order to protect your data. Or you can get a Mac and hope that they stay clean in the years to come…

I am not so much concerned about my data per se because I periodically transfer my files to CDs for backup. It’s just that I’d have to reload a lot of programs. I would see the only expert friend I trust, but he’s out of reach from where I am now.

Thanks for the tip about not using IE. I will use my former ISP web browser but only after I resolve this problem. BTW, I checked again and there is “partition” in the file strings. Is there any other way to go into safe mode? Or another way to remove those files? I really want to fix this problem.

See, I previously used an ISP web browser on a non-Admin account. Now I have a direct connection to the apartment and don’t need an ISP. Are you sure that I shouldn’t be on an Administrator account when using a browser? There was one night when I was powering off without logging off and a message alerted me that, “There is another user logged on. Are you sure you want to shut down?” No way am I risking a hacker getting into my Administrator account! For that reason, I only use my Administrator account. And on that point, what other ways could I go into safe mode?

Don’t rely on an ISP web browser unless you know exactly what technology it’s based on. To be safe, download one of the Mozilla-based browsers (Firefox, Netscape, AOL Explorer) or Opera and use that instead. Very, very few companies truly make their own web browsers and most ISPs (especially in the past) just use IE and tack on their own logos and maybe one or two additional features.

Can you rephrase this, please? I don’t understand. What exactly did you see?

What have you tried so far? If you haven’t read the “Have a computer question? Read this first.” thread, do that and follow its instructions. Most spyware infections these days are too complicated for simple search & delete operations.

And I don’t believe there’s any other way to get into safe mode aside from pushing F8, if that’s what you’re doing.

But there are other options… you can try disabling certain startup programs, for example, or reinstalling Windows on your current hard drive. But try the antispyware methods listed in that thread first because the other tactics are more difficult.

(Assuming you’re using Windows 2000 or XP) Yup, I’m positive that you should not use an administrator account except when absolutely necessary. Give it a password, too, and don’t store that password anywhere on the computer. This has nothing to do with whether you’re using a separate ISP or connected to the apartment’s network… spyware doesn’t care about that. Spyware generally gets installed through holes and bugs in the browser or operating system that you’re using and that’s a risk anytime you’re connected to the Internet no matter how you’re connected.

An Administrator-level account* has full access to your computer, and thus any spyware you catch while logged into that account has full access to your entire computer.

Limited accounts, on the other hand, are limited to their personal profile directories – My Documents, My Music, etc. While logged into such an account, you (or any spyware you catch) will be limited to those directories. You can’t touch the other files on the computer even if you wanted to, thus severely limiting the amount of damage the infection can do. You’re localizing the potential damage, basically.

It’s an even better idea to have multiple limited accounts… one where you store your important documents and another that you use to browse the web. Limited users can’t touch each other’s files, so if you get infected with your web-browsing account, nothing will happen to your documents in the other account.

*It’s important to note that the account called “Administrator” is NOT the only administrator-level account. Any Windows user account can be set to Administrator or Limited in the “Users” control panel, so make sure you choose the right one when you create a new user or change an existing one. Also, if you’re using XP, make sure you’re using Service Pack 2. The firewall in that update helps a lot.

Did you have another user partially logged on at the time? Windows XP has a feature called “Fast User Switching”, which means that if you don’t completely log out of an account (you’ll hear a distinct four-note melody) but instead just switch to another user (you’ll hear a short chime), the old user will still be there and waiting in the background. If you try to shut down the machine in this state, you’ll get that warning because Windows just wants to make sure you didn’t forget to save your documents or whatever in the other account.

If you don’t want a hacker getting into your Admin account, that’s precisely the reason to stay OUT of it. If you’re logged into your Admin account, anything that gets on your computer automatically has the same level of control you do – i.e., complete and utter dominance over your system. But if you’re only logged on to a Limited account, anything you get will first have to try and break into your Admin account – something that’s much harder to do.

Only browse using an Admin account if you are sure you can avoid the risks. Using a non-Admin account is much safer.

If people are able to log into your PC, you are screwed no matter which account you are currently using. You being in the Admin account won’t help.

Reboot, hit F8 just after your BIOS has completed its little routine and started to load Windows. You’ll then be offered the menu of Safe Mode with/without networking and so on. Incidentally, my new motherboard freaked me out a bit when I did this recently because the BIOS responds to F8 during POST by offering a selection of boot devices, but this is even better because you can F8 to choose what to boot from, then F8 again to choose how to boot Windows.

Ok. I can’t access safe mode. I did, however, get my system stable after the attack. Except for infrequent pop-ups, everything is working fairly well. And the good news is that I can now preview my posts.

But I still want to know if there is another way to access safe mode besides F8 at BIOS. There is the word “PARTITION” in the file string (non-moving). The good news is that it doesn’t seem to affect my system, the bad news is that I can’t get to safe mode. How can I get into safe mode? Perhaps in command prompt. Could I delete the suspect files in safe mode-command prompt?

If you want to start in safe mode, assuming this is a Windows XP system, run MSCONFIG from the Start, Run box. Select the BOOT.INI tab and check the box for /SAFEBOOT.

Also, I’m confused about the partition you mentioned. Some manufacturers (like Dell) build a small partition on the hard drive containing some diagnostic tools to use when the system won’t boot properly. Others build a partition that’s used to store a factory image of the hard drive so it can be restored when you want to do so. You might be seeing one of those.
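As an added illustration (not from any poster in the thread), this is what the BOOT.INI change Dewey describes looks like on a typical single-disk Windows XP install; the drive layout and the XP Professional entry name are assumptions, and the comment lines are explanatory only, not something to copy into the real file:

```ini
; Constructed example of C:\boot.ini on a single-disk Windows XP system.
; "partition(1)" in each ARC path is ordinary boot.ini syntax naming the
; first partition on the first disk; nothing is being partitioned.
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]
; Normal entry as installed (before checking /SAFEBOOT in MSCONFIG):
; multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

; Same entry after MSCONFIG's BOOT.INI tab has /SAFEBOOT checked with the
; MINIMAL option (NETWORK gives Safe Mode with Networking;
; MINIMAL(ALTERNATESHELL) gives Safe Mode with Command Prompt):
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /safeboot:minimal
```

The switch stays in effect on every reboot until it is removed again (uncheck /SAFEBOOT in MSCONFIG after the cleanup), so the machine will keep starting in safe mode until you do.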

I’m going to bump this! I know, I know. But I just realized that there are so many knowledgeable Dopers given all the tech threads.

What do you commonly or occasionally use the SAFEBOOT for removing? I do have the timestamp for the faulty processes. I’m going to do what **Dewey** says later tonight. Hope it works.

Safe mode can be used for a variety of reasons.

Basically, safe mode starts Windows in its most basic configuration. That is, nothing beyond the minimum needed to get to your desktop is allowed to start (among other things it totally ignores everything in your Startup folder). So you can expect to see Windows start in 640x480 resolution because your video driver is not allowed to run. Sound will probably be nonexistent. Antivirus will not start (and so on).

The reasons for doing this can be to get rid of something like a virus or spyware (it is not allowed to load when Windows starts) or to undo something like a bad video driver (imagine you installed a new driver and every time you start Windows the screen goes black… this will put you in a basic mode so you can see what you are doing and uninstall the driver). Or perhaps Windows crashes on startup because of something you installed… again you can get in like this to get rid of the offending program.

As mentioned, some spyware can be shockingly tenacious (a few viruses too). Even going into safe mode and getting rid of various pieces may not be sufficient to stop it. I had one once (IIRC it was CoolWeb) that actually saw that I was Googling for information about it and redirected my search so I could not get info on how to remove it (stopped AdAware from running too). Even a safe mode start and deleting files in Startup and running AdAware and Spybot did not get rid of it. The ultimate fix required a good deal of noodling about and deleting files and making registry changes. Most spyware is not quite so difficult. I have to admit this particular spyware was pretty damn impressive in its ability to remain on the system… I’d still love to have 10 minutes with no consequences for my actions with the guy who wrote it, though.

Spyware has become so ubiquitous and dangerous I really think it is worth buying some dedicated anti-spyware programs (antivirus programs do not handle these [although some have a “suite” of applications that include both antivirus and antispyware]). Antispyware programs, unlike antivirus programs, may run in tandem with other antispyware programs. I have found AdAware and Spybot to be nearly useless these days. These free programs are used by so many people that many savvy spyware programmers make a point of circumventing these. Better than nothing but not as good as you may think. Check reviews from known magazines and pick one or two antispyware programs to buy and run BOTH on your system at the SAME time. Personally I use Spyware Doctor and Spysweeper with Microsoft’s Antispyware (still free) program as a final fallback. It may seem like overkill but no one product seems to catch everything. Run together they are pretty hard to get by and I have had zero issues with spyware since running them.

Note that antispyware programs, like antivirus programs, need to be updated to remain effective. Some (like Microsoft’s Antispyware) will update themselves silently. Others require you to manually engage the update. This should be done weekly at a minimum.