TheCatSite.com › Forums › General Forums › Site Help › Spyware...


post #1 of 9
Thread Starter 
Is TCS linked to some sort of spyware program? Every time I open up TCS, I get the following message.

http://a.tribalfusion.com Warning - Microsoft Internet Explorer
Warning- if your computer has been running slower than usual, it may be infected with Adware or Spyware. To scan your computer for infections - click yes.

Bottom part reads:

Then a direct link to http://www.spywarestormer.com/?a=4-23

I have a system that runs constantly so I know I have nothing on - however, I only ever get this message when I open up the TCS pages.

Just wondered if TCS had a link without knowing it - surely I am not the only one?

post #2 of 9
No you're not the only one, I get it too. I noticed when I registered with TCS that non-paying members are told that pop-up ads will appear - I can only assume that this is one of them. I usually just kill it without opening.
post #3 of 9
That's never happened to me with this site, and I use it on two computers (one at work and one at home).

I'll move this to Feedback where Anne will definitely see it, and can answer you directly.
post #4 of 9
Since I get it on occasion on all three computers that I use for TCS, I assume it is just a popup, my spyware program doesn't find anything either.
post #5 of 9
I get it too!
post #6 of 9
It's just a promo to hook you into purchasing spyware
post #7 of 9
Q: I think my computer is infected or hijacked. What should I do?

Please follow these instructions in a step by step fashion.. This is important.. If you have concerns about your security copy and print this message and disconnect from the internet.

When the step indicates running an update, activate the update function of the program. Once the update is complete, stop and start the program before running your scan. This will ensure your scan is done using the latest program and malware database versions.

1. Update and run any anti-virus and anti-trojan products you already have installed on your computer. Do a full scan of your computer. Record exactly the names of any malware they turn up. Quarantine and cure (repair, rename or delete) any malware found.

2. Run two or three free web based AV scanners. Record exactly the names of any malware they turn up. Then quarantine and cure (rename, move or delete) the malware. (This scanning is the most time consuming step in this checklist, but it is important.)
Go to web based AV scanners

3. Download, install, update and run the following anti-hijacking and anti-spyware products. Then record exactly the names of any problems they turn up. (Tracking cookies are easily cleaned-up by deleting them, so don't bother recording them.) Then quarantine and cure the malware. (Note the links take you to tutorials for the listed software.. Download links are contained within each tutorial. The alternate link is a direct link to the program.)

3.1 CWShredder (free): http://forum.gladiator-antivirus.com...showtopic=9638
Alternate download site: http://www.spywareinfo.com/downloads...CWShredder.exe
3.2 Spybot S&D (donationware): http://forum.gladiator-antivirus.com...st=0entry32410
Alternate download site: http://www.safer-networking.org
3.3 Ad-aware (donationware): http://forum.gladiator-antivirus.com...showtopic=8050
Alternate download site: http://www.lavasoft.de

4. If problem persists, download, install and update an anti-trojan program. Record exactly the names of any problems it turns up. Then quarantine and cure the malware.

TDS-3 and Port Explorer (30 day free trial): http://www.diamondcs.com.au/index.php?page=home

TrojanHunter (30 day free trial): http://www.misec.net/products/

BOClean: www.nsclean.com/update.html

5. If the problem persists, download and run HijackThis: http://forum.gladiator-antivirus.com...showtopic=9469
Alternate download site: http://www.subratam.org/?page=removal

6. Run security analysis products to check your settings and installed software. These analysis products are definitely not 100% thorough in the checks they do. Also, the messages that are produced are usually cautions to check that something is as you want it to be, and are not definite instructions to change something.

6.1 Install and run Belarc Advisor (free): http://www.belarc.com/

When you run Belarc Advisor, look for:

6.1.1 Users you didn't add. Check whether your computer maker or re-seller added the users for support purposes before you bought the computer. Otherwise they indicate a hacker has accessed your system.

6.1.2 Microsoft Hotfixes with red Xs beside them, indicating they can be verified by the automated process, but failed verification. The earlier the version of Windows, the more likely the fix came off "innocently" when new software was added or upgraded. Click on "details". This will take you to a Microsoft webpage explaining the fix, and allowing you to re-apply it.

6.1.3 Under software versions, software you didn't install. Many software packages include other third party software. So installing one product can make 3 or 4 products show up in Belarc – and this is not a problem. On the other hand, hackers often install legitimate FTP server or email server software, and because the server software is legitimate it will not show up in a virus scan.

6.1.4 Save a copy of the Belarc Advisor results. In a few weeks, compare your saved scan with a new scan, looking for unexpected changes.
6.2.1 Review the results to see that they correspond with how you have set your computer up. Changes might indicate that someone has altered settings. Or the settings may have been altered when other software was added or updated. (Security updates with reason "306460" simply cannot be verified by the automated process. This is normal.)

6.2.2 Save a copy of the results. Compare them with the results in a few weeks, looking for unexpected changes.

7. Different vendors have different names and version identifiers for the same virus, so first look up the virus in the encyclopedia of the scanner's vendor for specific disinfection instructions. Use your product's link to find the information for your situation.

7.1 Install and run Microsoft Baseline Security Analyzer (free):

. In Windows XP and Me, to prevent a virus being restored by the operating system, it is often necessary to temporarily disable System Restore. The instructions are here:
or if you are using Nortons products

8. Depending on the instructions in the virus encyclopedia for your scanner, it may be necessary to use auxiliary virus removal tools.

8.1 First be sure to submit a copy of any malware that is not consistently detected or that doesn't behave as expected. Submit suspected malware.

8.2 If an auxiliary tool is required, it is best to first try the tool of the scanner's vendor.

8.3 Read the complete write-up of the virus in the encyclopedia of the tool's vendor to find the disinfection instructions. In addition to running the scanner or tool, there may be a few manual steps required.

8.4 Generally each removal tool will only detect and effectively remove the virus variants it says it will.

9. If it was turned off earlier, turn System Restore back on, and confirm that your virus scanner is working: How can I test that my AV program is working?

10. Re-secure your computer and accounts. The ideas in the following step-by-step guide are useful for cleaning any version of Windows:

10.1 In particular, if private information is kept on the computer, and if the malware found included a "backdoor" or allowed hackers to "run arbitrary code" , and if it is likely that a hacker may have used the backdoor, consideration should be given to backing-up data to be retained, and then re-formatting and re-installing programs on the computer from trusted sources.

This is because a backdoor allows a hacker to make other changes that may reduce your security settings, but that are not readily detectable with current tools.

10.2 If a keystroke logger is detected then hackers may have access to what was typed into your computer, including passwords, credit card numbers, and account numbers.

10.2.1 Immediately cancel any credit cards used on the computer, and ask for replacements with new account numbers.

10.2.2 Using an uninfected computer, change any website or server passwords that were entered on the infected computer.

11. Check these other useful links for tips on disinfection and preventing a recurrence.

How to keep my computer secure a layered approach ( http://www.broadbandreports.com/faq/8463 ) by dslreports
A test for your AV ( http://www.eicar.org/anti_virus_test_file.htm ) see site you can download a dummy virus to test your AV
Security tips ( http://www.us-cert.gov/cas/tips/ )
Note there are many more. An excellent resource can be found at http://www.dslreports.com

Here are some places to help getting started dealing with problems of hijackings.. infections etc..
for the beginner:

Note that these are faq's that apply to different fora but the main idea applies to any fora where spyware, hijackings, etc are going to be addressed..

Some other good tutorials by Calamity Jane.

SpyBot Search & Destroy
AD-AWARE Standard Edition

Next for the more advanced.. (I mean that.. don't delete something using hijack this if you don't fully understand what you are doing) These are full tutorials on how to interpret the logs from hijackthis..
And here are some additional links to assist with using the hijack this application:
Tutorial: http://computercops.biz/HijackThis.html
Download: http://computercops.biz/modules.php?...ds&d_op=getit&lid=328
Forum: http://computercops.biz/forum67.html

See the items below if you were directed here by a hijackthis analyzer or if you are an experienced hijackthis user yourself.. This section is not for casual use

If you are identified as having the peper trojan you will be directed to this link http://downloads.subratam.org/Newuninst.exe
with the following instructions
Double click on 'Newuninst.exe' and press *Uninstall*. Let it run and when the progress bar says *complete* you can then press *close*. You must be online to have this work and do not block any attempts for the program to connect to internet if your firewall requests access.

New instructions if you have Newdotnet

At some point you may be requested to set windows to show hidden files.. Here are instructions for all windows operating systems:

You also may be requested to boot in safe mode
for this see this symantec article ( http://service1.symantec.com/SUPPORT...rc=sec_doc_nam )

This is also for all windows operating systems

1. First, make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

2. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

3. Next, open Task Manager (Ctrl-Alt-Del), highlight ievq32.exe (The name may change and you will be instructed to use the correct name for your hijacking)
and click End Process.

4. Close all open windows, scan with Hijack This and put checks next to all the following, then click "Fix Checked".

Note that the particular dll's may change names but the instructions will reflect that..
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txbbx.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://txbbx.dll/index.html#96676

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ca8.hpwis.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://txbbx.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txbbx.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://txbbx.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\txbbx.dll/sp.html#96676

O2 - BHO: (no name) - {4A73A1CA-0346-9AB9-3C2D-8D627CE729A7} - C:\WINDOWS\system32\atlom32.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [ievq32.exe] C:\WINDOWS\ievq32.exe

5. (copy the following instructions so you have them handy as you may not be able to go online in safe mode)

Reboot to Safe Mode
How to start the computer in Safe mode
See instruction above..

and delete the following files named in bold if present.


C:\WINDOWS\system32\atlom32.dll



6. Go to Start --> Run and enter 'regedit', press 'Enter'

Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If (__NS_Service_3) exists, right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If (LEGACY___NS_Service_3) exists then right click on it and choose delete from the menu

If you see something very close to those names but not quite the same reply back here with the names you see

Exit regedit

7. Reboot to normal mode, scan again with Hijack This and post a new log here.

Next, this infection removes a few files. To restore them, do as follows:

Go here: http://www.spywareinfo.com/~merijn/winfiles.html and download the version of control.exe for your operating system. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster tool from here: http://members.aol.com/toadbee/hoster.zip . Unzip it and run it, then click "Restore Original Hosts" and click "OK". Exit the program.

If you have Spybot Search & Destroy installed you'll need to replace one more file. Go here: http://www.spywareinfo.com/~merijn/winfiles.html . and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

That should do it. If the problem should return, please post back.

To reduce the chances of future spyware/hijacking problems, please follow the suggestions here: http://www.wilderssecurity.com/showthread.php?t=27971

As we're still trying to figure out where this is coming from, do you remember visiting any particular sites or doing anything else around the time this started (it may not have shown itself until the next reboot)?

Another method that works in most cases is to use ad-aware set up in the following manner:
Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R323 20.06.2004 or higher listed.

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings.

Don't scan yet, please. We need to do the next steps in SAFE MODE, so please copy these instructions so you have them handy since you will probably not be able to get online in safe mode.

Now, Reboot into safe mode (see instructions above in case you need them.)

Open Adaware, Press *scan now* and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Scan once more with Hijackthis and don't remove anything yet in the log. Post it back here so we can see what may remain to be fixed

some programs to help deal with these issues are available as well..
Get Spybot S&D here:
or here:

Get Ad-Aware here:
Set it up per this procedure

Get CWshredder here:

Get Hijackthis here:

Get SpywareBlaster and SpywareGuard (Plus more)Here

If you have no AV get a free one here.. Please note..The pay ones may be better (quicker to update) but this program is very good and has never been more than a few hours behind the best in updates.
or this one.. recommended by Microsoft and free for a year it includes a firewall:
or avast another freebie.. at http://www.avast.com

for firewalls I like Zone alarm and sygate (there are other good choices)
get free and pay ones here:

Please note that Norton and McAfee both provide software at a cost that will do these jobs.. Norton has many more features than the ones listed.. But these programs are functional and will do the job!!!

Careful surfing out there..

Just as an add on. and due to all the Denial of Service Attacks going on out there One mirror for a lot of the Antispyware programs including CWshredder and Hijackthis plus other is here:

May also want to get for further protection spywareguard and spywareblaster. These two programs work together to keep many spy programs from being installed in the first place.. and aid in preventing your home page from being hijacked.. Spyware guard will prevent most homepage hijackings.. (Note it will not fix an already hijacked homepage). Do not install this program if your homepage is already hijacked. Install after getting everything corrected to prevent future hijackings.. Get them here:

And also now a couple of AntiTrojans that are free (both also have pay versions with more features but the free versions are very good as well)
http://www.ewido.net/en/ Ewido
This one requires registration but is still free
http://www.emsisoft.com/en/ a²
And now I thought I'd add one more thing.. And possibly The most important of all Some links telling you about THOSE THINGS YOU SHOULD NOT USE to remove spyware..
Please review these before getting spyware removal tools

Some assorted fixit tools for security spyware issues (Do not use if you don't understand or are not directed by someone who does....

In addition to all the GREAT spyware removal tools mentioned, get proxy filters to prevent your browser from downloading harmful content. If you are semi-technical, I suggest taking a look at http://www.privoxy.org (junkbuster replacement) that uses regex expressions to strip harmful content out of your browser. It is not a replacement for the other tools mentioned, but another real-time scanner if you will.

The free versions of Adaware and Spybot do not do real-time scanning, so most people get this false sense of security. Your computer can still be hijacked, infected and transmitting information until you decide you're going to run Adaware or Spybot. And like others mentioned, use them both, not one or the other. I too have found that one finds spyware that the other does not.

Finally, if you are using outlook express, get Spampal. http://www.spampal.org. This SPAM filter is by FAR better than anything you can purchase, hands down. It uses a myriad of tools to prevent SPAM. This program sits as a proxy between your mail program and the mail server, so it will work with any POP3/IMAP4 mail client. This accurately filters 98%+ SPAM. Spampal is by far one of the most intelligent programs that I have seen.

Not only does it use DNS based client filtering, it looks at the body for things like "http://" and checks the website against spews.org and much much more. Looking at the header information of filtered messages will reveal how powerful spampal really is.

Please read these links carefully before downloading and running any antispyware program See this link
or this link
and what ever you do beware these programs:

AdwareHunter (adwarehunter.com/browser-page.com)
AdWareRemoverGold (adwareremovergold.com)
InternetAntiSpy (internetantispy.com)
NoAdware (noadware.net/netpalnow.com)
PurityScan (purityscan.com/puritysweep.com)
Real AdWareRemoverGold (adwareremovergold.com/sg08.biz)
SpyAssault (spyassault.com)
SpyBan (spyban.net) -- noadware clone
SpyBlast (spyblast.com/advertising.com)
Spyblocs/eBlocs.com (eblocs.com)
SpyDeleter (spydeleter.com/
SpyEliminator (securetactics.com) -- dead?
SpyFerret (onlinepcfix.com) -- also Lop Uninstaller, Xupiter Uninstaller
SpyGone (spygone.com)
SpyHunter (enigmasoftwaregroup.com\spywareremove.com\spybot-spyware.com\
spybotsearch.com\blacklistonline.com\\1spybot.com\
spybot-download.com\deletespyware.net\spybots.net\spybot-search.com)
SpyKiller (spy-killer.com/maxionsoftware.com/spykiller.com/spykillerdownload.com/
SpyKillerPro (spykillerpro.com)
Spyware Annihilator (solidlabs.com)
SpywareBeGone (spywarebegone.com\freespywarescan.org)
SpywareCleaner (www.checkforspyware.com/ - www.spw2a.com/sc/)
SpywareCrusher (spywarecrusher.com)
SpywareNuker (spywarenuker.com/trekblue.com/trekdata.com/spyware-killer.com/
adaware.com/ada-ware.com/spy-bot.biz)
SpywareKilla (spywarekilla.com)
SpywareRemover (spy-ware-remover.com/spywareremover.com)
SpywareThis (spywarethis.com)
SpywareZapper (spywarezapper.com) -- looks like it may be TZ Spyware Adware Remover
SpyWiper (mailwiper.com)
ssppyy pro (ssppyy.com)
TZ Spyware Adware Remover (trackzapper.com)
VBouncer/AdDestroyer (spywarelabs.com/virtualbouncer.com)
Warnet (warnet.com)
XoftSpy (download-spybot.com/paretologic.com/downloadspybot.com/no-spybot.com ) -
this may be a SpyHunter clone
ZeroSpyware (zerospyware.com/zeroads.com)
Spybouncer (spybouncer.com)
Misc. BS domains:

safe spy.net
Rogue knockoffs:

BPS Spyware & Adware Remover (bulletproofsoft.com) -- AdAware knockoff,
uses hacked SpyBot db
SpyFerret (onlinepcfix.com) -- uses hacked SpyBot db
SpyGone (spygone.com) -- SpyBot S&D ripoff
SpywareNuker (spywarenuker.com/trekblue.com/trekdata.com) -- uses hacked SpyBot db

Questionable anti-parasite software

Since the issue of adware and spyware has become better known, many companies have been jumping on the bandwagon and offering anti-parasite software. Not all are as trustworthy as one would hope, for a company offering to take care of your computer’s security.

TrekBlue offer a spyware removal program called Spyware Nuker, which is advertised through junk e-mail from its affiliates and misleading fake-dialogue-box web advertising. TrekBlue are the same company as e-mail marketers ‘TrekData’ and ‘Blue Haven Media’, who control the 'InContext' spyware and distribute this and other spyware through ActiveX drive-by-download on web pages. (They also used to work for Lions Pride Enterprises, who made and controlled the ‘wnad’ spyware).

WarNet offer software including an adware remover. However, WarNet is owned and run by the same people who own and run C2 Media, producers of the infamous lop parasite.

SpywareLabs produce a parasite detection program called Virtual Bouncer, with a removal option requiring payment. It is distributed by the same bundling and drive-by download techniques as the parasites it claims to remove, so definitely qualifies as unsolicited commercial software in itself. It also has an update feature that can download and execute arbitrary code.

RedV offer an adware remover called AdProtector. However, the installer used to download this and the other RedV ‘Protector’ applications is itself adware, and RedV are the same company as Web3000, one of the earliest large spyware makers.

Bulletproof Soft offer a commercial Spyware Remover; OnlinePCFix offer a utility called SpyFerret; Ideal World Online offer SpyGone. All have copied Spybot Search and Destroy’s definitions database without permission or attribution; additionally, SpyFerret includes actual program code taken from Spybot, and SpyGone is an unlicensed copy of SpyRemover.

eAcceleration advertises a general security product called Stop-Sign. However it was itself piggyback-installed without consent with other software (such as file-sharing applications). eAcceleration also wrote the DownloadReceiver adware. StopSign detects the free spyware removers Ad-Aware and Spybot as “attackware”.

Razor Media offer a free scanner-only promotion for their software ‘SpyAssault’. Since the scanner itself installs the commercial trojan FavoriteMan/Ss32 their credibility is somewhat questionable.


SpyWiper (aka SpyDeleter)

SpyKiller Pro (not same as 'SpyKiller'?)

SoftDD offer a free ‘trial version’ of ‘Spy Guardian Pro’, which always tells you you have spyware installed (even on a completely clean machine), but won’t tell you where, asking you to buy the full version to find out.
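
Added example, not part of the original post: a small Python triage pass over HijackThis log lines of the kind quoted in post #7, listing entries for review without deciding what to fix. The sample log is constructed from the entries in the post plus two invented benign lines, and the three heuristics are assumptions of this example, not HijackThis behaviour.

```python
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code reason file line")

# Constructed sample: hijack entries quoted in the post, plus two benign
# lines (example.com start page, ExampleTray) invented here for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\txbbx.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://txbbx.dll/index.html#96676
O2 - BHO: (no name) - {4A73A1CA-0346-9AB9-3C2D-8D627CE729A7} - C:\WINDOWS\system32\atlom32.dll
O4 - HKLM\..\Run: [ievq32.exe] C:\WINDOWS\ievq32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# "<section code> - <body>", e.g. "R1 - HKCU\...": R0/R1 are IE start and
# search pages, O2 is Browser Helper Objects, O4 is autostart entries.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
IE_PAGE = re.compile(
    r"^HK(?:CU|LM)\\Software\\Microsoft\\Internet Explorer\\Main,([^=]+?) = (.*)$")
RES_DLL = re.compile(r"^res://([^/]*?\.dll)", re.I)
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN = re.compile(r"^HK(?:CU|LM)\\\.\.\\Run[^:]*: \[([^\]]*)\] (.+)$")
WIN_ROOT_EXE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.I)


def review(log_text):
    """Return Finding tuples for entries worth a closer look (assumed heuristics)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue
        code, body = entry.groups()
        if code in ("R0", "R1"):
            # Heuristic 1: an IE page value that loads from a DLL via res://
            page = IE_PAGE.match(body)
            res = RES_DLL.match(page.group(2)) if page else None
            if res:
                findings.append(Finding(
                    code, "IE %s served from a local DLL resource" % page.group(1),
                    ntpath.basename(res.group(1)), line))
        elif code == "O2":
            # Heuristic 2: a Browser Helper Object that carries no name
            bho = BHO.match(body)
            if bho and bho.group(1) == "(no name)":
                findings.append(Finding(
                    code, "unnamed BHO %s" % bho.group(2),
                    ntpath.basename(bho.group(3)), line))
        elif code == "O4":
            # Heuristic 3: an autostart executable sitting directly in \WINDOWS
            run = RUN.match(body)
            if run and WIN_ROOT_EXE.match(run.group(2)):
                findings.append(Finding(
                    code, "Run entry [%s] starts an exe from the Windows root" % run.group(1),
                    ntpath.basename(run.group(2)), line))
    return findings


def files_to_examine(findings):
    """Unique file names the flagged entries point at, for a follow-up check."""
    return sorted({f.file for f in findings})


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print("%-3s %-55s %s" % (f.code, f.reason, f.file))
    print("files:", ", ".join(files_to_examine(review(SAMPLE_LOG))))
```
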
post #8 of 9
I have the same pop-up regularly and I delete it. But it is worrying, thinking about who can have access and whether you could even trust those who claim to be able to remove the problem.
post #9 of 9
Spybot S&D and Ad Aware are both great products. I use both since they both get "almost" all the spyware.