Baaaad Spyware

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
VIKTOR2020
Regular Member
Posts: 233
Joined: Mon Jan 29, 2001 12:00 am
Location: Atlanta, GA

Baaaad Spyware

Post by VIKTOR2020 »

My wife somehow downloaded the worst spyware I've encountered and I still haven't been able to get it off her computer.
Her browser has been hijacked and a bottom of screen toolbar added that offers Make Money, Sex, Career, Mortgage, etc.
The toolbar is called Search2020 and the hijacked browser keeps connecting with allaboutsearching.com and running a program from that site.
So far, I've deleted all cookies, cleaned the cache, searched and deleted all references to Search2020 or allaboutsearching from her computer; ran Ad-Aware 6.0 and deleted detected spies; cleaned up with Symantec SystemWorks; and disconnected the Internet cable feed (because it kept re-installing the crap as fast as I could delete it). Also required prompts for Active X or Scripting...and it still keeps coming back.
What can I do?
Anybody run into one this stubborn before?
Thanks :irate:
_ _______________________ _
Dell 420 quad core @ 2.4 GHz
3 Gig DDR 2
2 500 GB drives in Raid 0 configuration
ATI Radeon HD 3650 Graphics
Brk
SG VIP
Posts: 29518
Joined: Sun Dec 09, 2001 12:00 pm

Post by Brk »

Download Spybot, SpywareBlaster and HiJackThis and run all three.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

They're getting bad. I just spent a whole bunch of hours troubleshooting someone's Dell. In the startup folder, on each reboot, you'd have 6x randomly alpha-numeric named .lnk files.
Delete them, they'll reappear on the next reboot.
Regedit into Run keys...find a randomly named alphanumeric file, delete it and all .lnk files it made in the all users/startup folder...reboot once..clean, but within minutes the files appeared again, so when you rebooted...bam..all back there.
His antivirus had expired...so scanned at Trendmicro..nothing found. McAfee Stinger...nothing found. Download and installed AVG, updated, nothing found.
Spybot installed/updated, just usual stuff found, I'd clean the junk, reboot...sure enough back again. Adaware installed/updated/scanned, another 90 things found...but still, I'd delete the junk, back it would come.
Manually deleted all .tmp and .log files, all cookies, temp, and temp internet files...reboot..still same problem

ARGHHH

Then noticed Adaware incorrectly removed new.net (no more internet access), so had to restore an old registry. Had to reinstall all above apps...and scan again to clean out the old registry. This time, AVG found a trojan. "Cool..finally" I thought. Removed it..but nope, didn't cure the problem, looked up the trojan, a pretty useless one. So back to square 1.

So I start manually peeling back layers...looking at the directories. I found randomly named files in the C:\Windows directory with March of this year dates on them. Matching the pattern of the random ones loading in the registry that I was removing..apparently there was a whole slew of them in the Windows directory. Something planted a whole bunch of them, so that when you deleted a couple that you may have found in the registry "run"..another would fill its place. Apparently there was a "check to make sure I'm there" programming in it, to see if it was loading on reboots. If it wasn't loading..it would replace with another one.

No antivirus that I threw at it detected these files as bad, nor did any ad/spyware programs. It must be something somewhat new that isn't in definitions yet.

Since he doesn't have a router, I slapped Outpost on there too.
MORNING WOOD Lumber Company
Guinness for Strength!!!
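
The manual hunt described in the post above (Run keys, the startup folder, then a pool of look-alike files in the Windows directory) can be scripted as one read-only inventory. This is an added example, not part of the original thread. The function names, the "random-looking" heuristic, and the inclusion of the per-user Run key and Startup folder are assumptions made for illustration.

```powershell
# Added example, not from the thread. The "random-looking" test is a triage
# heuristic (assumption): 6+ letters/digits containing both. It will also
# flag some legitimate names, so treat hits as leads, not verdicts.
function Test-RandomLookingName {
    param([string]$BaseName)
    return ($BaseName -match '^[a-z0-9]{6,}$' -and
            $BaseName -match '[0-9]' -and
            $BaseName -match '[a-z]')
}

function Get-AutostartEntry {
    # Run keys: one record per value (entry name -> command line).
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Use the quoted path if there is one, otherwise the first token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   else { ($cmd.Trim() -split '\s+')[0] }
            # Strip directory and extension with string operations only.
            $base = ($exe -replace '^.*[\\/]', '') -replace '\.[^.]*$', ''
            [pscustomobject]@{ Source = $path; Entry = $name; Target = $cmd; BaseName = $base }
        }
    }
    # Startup folders (all users, then current user): one record per file.
    foreach ($folder in 'CommonStartup', 'Startup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Entry = $_.Name; Target = $_.FullName; BaseName = $_.BaseName }
        }
    }
}

# Autostart entries with random-looking names.
$flagged = Get-AutostartEntry | Where-Object { Test-RandomLookingName $_.BaseName }
# Files in the Windows directory matching the same pattern (the spare pool).
$pool = Get-ChildItem -Path $env:windir -File -ErrorAction SilentlyContinue |
    Where-Object { Test-RandomLookingName $_.BaseName } |
    Select-Object Name, Length, LastWriteTime

$flagged | Format-Table -AutoSize -Wrap
$pool | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Saving the `Get-AutostartEntry` output with `Export-Csv` before and after a reboot and comparing the two files with `Compare-Object` shows which entries were re-created.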
mnosteele52
Posts: 11913
Joined: Tue Jul 24, 2001 12:00 pm
Location: Chesapeake, VA

Post by mnosteele52 »

Burke wrote:Download Spybot, SpywareBlaster and HiJackThis and run all three.
:nod:

Nice to see you in the Security Forum Burke :thumb: .

I have seen all of these things on a daily basis and I have yet to have any problems with the above combination fully removing them all. The only other app I would recommend is AVG antivirus, it seems to be the best I've seen at detecting trojans and most of the PCs I see that are corrupt from spyware also are infected with one or more trojans.

:D
messiah
Posts: 3743
Joined: Tue Jan 25, 2000 12:00 am
Location: northeast teXas

Post by messiah »

Search 2020 is the nastiest one I have found. I had just formatted and installed XP and my audio software and created my wife an Admin account.

She was on the net for not even 10 minutes before the search 2020 shyt popped up. I was friggen mad beyond belief. I told my wife that I would not turn her face to pudding if it left my profile alone.


Did it? Hell NO! It's installed it across all profiles and pointed my homepage to a friggen trojan.

Managed to clean it and suppress it using a few apps, and digging around in the registry. However there are still some services from it in my system32 folder and always in use. You can't edit it or anything.

I COMPLETELY AGREE ABOUT THE SEARCH 2020 BAR. PURE EVIL.
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

I've been running WinPatrol for a while now. It runs in the background and will warn you when something tries to add new services, tasks, IE helpers, or startup programs. It will also warn you if something tries to change your homepage. This has saved me from spending countless hours trying to fix my stepdaughter's PC. Now all I get are daily reports that something tried to do this, instead of something did this can you fix it. ;)
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Get a copy of XP winsock fix as well.

It can work wonders
http://www.spychecker.com/program/winsockxpfix.html

So far no spyware has stumped me. 'Knock on wood'
But let me tell you...

The average user will become an 'average to guru' class tech, or he/she will lose a fortune to tech fees very soon, as all the viruses, trojans, spyware, worms, etc etc get produced faster than any of these removal apps can keep up with new updates.
Not kidding you.
Learn how apps can start at boot, or hook to a legit app, and learn how to keep an eye on what your PC is doing, or you're doomed.
Don't install an app, and then ask how to repair your PC. Ask first about the app, so you won't end up installing something that will cause you grief. The main reason for PC problems is the user's lack of research, backups, forethought, or the complete disregard for repeated warnings.

I could write a book about why people have so much trouble with their computers, and the majority of it would point to the users as their own worst enemy.

This is just the beginning of an overwhelming force(s)
And just because something says "free" doesn't mean you won't pay a 'price'

I'm not picking on you VIKTOR2020, or your wife, but wanted to add all this to my post for future readers. (Like anyone will heed advice anyway lol)

What I recommend is, use the backups you should have made after being repeatedly advised to do so for years now. :)
Harsh?
Yeah, but it sure makes a lot of sense, cause repeating time after time about making backups doesn't. Echoing the same advice day after day is wearing thin.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

I just got done doing one with that thing on it. I had to use CWShredder and HiJack This to get rid of the thing.

http://www.spywareinfo.com/~merijn/downloads.html
goodwin24

Post by goodwin24 »

I have downloaded the Search2020 toolbar but found that it was a pest. I have uninstalled it; however, it is still appearing in my "Add or Remove Programs" list. This is very annoying! I have looked in regedit and cannot find it. I would like to take it away from my "Add or Remove Programs" list but I do not know what the technical name for it is.
thanks in advance,
goodwin24 =D :confused:
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

Try this:
Clear Unwanted Entries from Add/Remove Programs

Intended For
Windows XP
Windows 2000
Windows Me
Windows 98
Windows 95

In Add/Remove Programs in Control Panel,
a list of installed applications is displayed for the purpose of easy removal.
Unfortunately, there is no obvious method for removing these entries
(either to prevent accidental removal, or if the application was removed some other way)
without uninstalling the programs. To remove an entry, do the following:

Run the Registry Editor (REGEDIT.EXE).
Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,
and remove any unwanted keys under "Uninstall."
I don't know the same things you don't know. :confused:
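
The key name under "Uninstall" does not have to match the name shown in Add/Remove Programs, which is why searching by eye can miss an entry. The lookup below is an added example, not part of the original thread: it matches a substring against both the key name and the `DisplayName` value and only reports what it finds. The function name `Find-UninstallEntry` is hypothetical, and checking the per-user `HKCU` key as well is an assumption beyond what the post describes.

```powershell
# Added example, not from the thread: map Add/Remove Programs entries to
# their registry key names, since the two can differ.
function Find-UninstallEntry {
    param(
        [Parameter(Mandatory)] [string]$Pattern   # plain substring, e.g. '2020'
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    # Escape the input so it is matched literally, not as a regex.
    $needle = [regex]::Escape($Pattern)
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # Missing values come back as $null and are cast to empty strings.
            $display   = [string]$key.GetValue('DisplayName')
            $uninstall = [string]$key.GetValue('UninstallString')
            if ($key.PSChildName -match $needle -or $display -match $needle) {
                [pscustomobject]@{
                    KeyName         = $key.PSChildName   # what to look for in regedit
                    DisplayName     = $display           # what the list shows
                    UninstallString = $uninstall         # what the entry would run
                    KeyPath         = $key.Name
                }
            }
        }
    }
}

# Read-only: review the matches before removing anything in regedit.
Find-UninstallEntry -Pattern '2020' | Format-List
```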
goodwin24

Post by goodwin24 »

I have done that but Search2020 is not in there??? Do you have any more answers????
Thanks in advance,
goodwin24 ;)
Roody
SG VIP
Posts: 30735
Joined: Sun Nov 19, 2000 12:00 am
Location: East Tennessee

Post by Roody »

Specifically what does WinPatrol do to prevent loading spyware other than warn you?
goodwin24

Post by goodwin24 »

I have manually got rid of the Search2020 or 2020Search whichever way you want to put it... However all I need is the technical name for it in Regedit. Because when I go into HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/UNINSTALL
I do not know what Search2020 comes under. Because I cannot find Search2020 myself. I think it is hiding using another name!
Please help, all I need is the name in which search2020 is hiding under in HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/UNINSTALL
Thanks in advance,
goodwin24 :)
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

Roody wrote: Specifically what does WinPatrol do to prevent loading spyware other than warn you?
Winpatrol home page

WinPatrol Features

Startup Program Alerts
Shorten your initial boot up time.

Approve any programs set to AutoRun.

Temporarily disable startup programs.

Display any additional information about Startup Programs.

Services
Learn more about internal programs used by Windows.

Disable or Stop running Services.

Display any additional details about running Services.

IE Helpers or Browser Helper Objects
Display Information on any Browser Helper Objects which exist.

Monitor if new Browser Helper Objects have been added without your permission

Display additional information on Browser Helper Objects.

Remove malicious Adware and Spyware Browser Helper Objects.

Scheduled Task Monitoring
Display Information on any Tasks scheduled to run on your system.

Monitor new tasks added without your permission

Display additional information on scheduled tasks.

View Active Tasks
Display Information on currently active Programs and Services.

Kill Unwanted or Frozen Tasks.

Display additional information on individual Programs, Tasks and Services.

Cookie Management
Be Alerted when new Cookies are added to your system. (optional)

See what information is being stored in your cookies.

Manage required and unwanted Cookies.

Automatically reject Cookies using WinPatrol Nuts

Options
Easily Customize for Maximum Performance.

Detect if your default Home Page has been hijacked.

Have Scotty passively monitor your computer everyday or every minute.

Assign unique Sounds to WinPatrol Alerts.

Lock or monitor changes to the HOSTS file.


You get alerts based on what you want monitored. For instance if something tries to change my home page WinPatrol intercepts it and asks if I want to let it be changed or not. It's kind of like a software firewall, it detects new programs and alerts me to them. It does a lot more than that, but that's the gist of it.
Roody
SG VIP
Posts: 30735
Joined: Sun Nov 19, 2000 12:00 am
Location: East Tennessee

Post by Roody »

Thanks :)
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

goodwin24 wrote:I have manually got rid of the Search2020 or 2020Search whichever way you want to put it... However all I need is the technical name for it in Regedit. Because when I go into HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/UNINSTALL
I do not know what Search2020 comes under. Because I cannot find Search2020 myself. I think it is hiding using another name!
Please help, all I need is the name in which search2020 is hiding under in HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/UNINSTALL
Thanks in advance,
goodwin24 :)
I have no idea what the code for 2020search would be. If you click on each entry one by one and look at the info in the right hand pane you may find it. I did some more googling and discovered that there may be an easier way. Try this, go to add remove programs and click on the 2020search un-install entry. With some luck you will get a message saying the un-install info cannot be found, would you like to remove this entry. Just click yes. Hope it works.
VIKTOR2020
Regular Member
Posts: 233
Joined: Mon Jan 29, 2001 12:00 am
Location: Atlanta, GA

Still at it

Post by VIKTOR2020 »

Just to get back to you all: I've tried Adaware professional version along with Hijack This, Spybot, CW Shredder, Norton Anti-Virus, along with a few others I can't recall; as well as doing a series of searches for *.lop, Search2020, Allaboutsearching followed by Delete. I can get the offending stuff off her computer for maybe two days after which it either regenerates itself using the "if it's not loading, reconstruct the file" method or by checking in to a web site in the background and downloading the whole mess again. I'm still trying to get this off my hands.
goodwin24

Post by goodwin24 »

This information is not helping me. :(
Can anyone help me with what I am trying to do?????!!!
goodwin24

Post by goodwin24 »

I have found it!! It's gone!!!!! YAY I am jumping for joy. It's amazing, now all I have is what I need. Thanks for your help you lot!!!
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

May be time to format C:. That may sound drastic but how much time and frustration do you want to spend trying to find all the bits and pieces. Just nuke it and be done with it. :irate:
VIKTOR2020
Regular Member
Posts: 233
Joined: Mon Jan 29, 2001 12:00 am
Location: Atlanta, GA

Post by VIKTOR2020 »

What did you do that worked? goodwin24

To the Dude: Search2020 comes up in the Add/Remove Programs list, but when you click on it it does NOTHING.
The Dude
Senior Member
Posts: 3126
Joined: Thu Jan 24, 2002 6:24 pm
Location: CYQY

Post by The Dude »

VIKTOR2020 wrote:What did you do that worked? goodwin24

To the Dude: Search2020 comes up in the Add/Remove Programs list, but when you click on it it does NOTHING.
What OS are you working On? Someone told me it works for XP, maybe it only works for XP. Um, maybe it doesn't work at all. :(
VIKTOR2020
Regular Member
Posts: 233
Joined: Mon Jan 29, 2001 12:00 am
Location: Atlanta, GA

Post by VIKTOR2020 »

XP
goodwin24

Post by goodwin24 »

I'm on XP. In the Add/Remove Programs it does nothing, but if you want to remove it from that list go into regedit and remove the key HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/UNINSTALL/2020SEARCH. Note that it is not Search2020 in this case; instead it is 2020Search.
VIKTOR2020
Regular Member
Posts: 233
Joined: Mon Jan 29, 2001 12:00 am
Location: Atlanta, GA

Post by VIKTOR2020 »

Thank you, thank you, thank you!

It worked!!!