Is someone in my machine?

Discussion in 'malware problems & news' started by Kathyhl, Sep 18, 2009.

Thread Status:
Not open for further replies.
  1. Kathyhl

    Kathyhl Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    186
    Location:
    California
    I haven't been in here for quite a while, but I remember always getting fantastic help when I used to come in here before. A couple of months ago I started getting this message whenever I turned on my machine saying "This action cannot be completed because the other program is busy. Choose "Switch to" to activate the busy program and correct the problem". I immediately ran some of my programs and found a trojan, two worms and loads of cookies. The cookies don't bother me, with the exception that I clean out everything, then log on and only get my e-mail, don't go on the net, yet when I run my spy program again, the cookies are racked up again. Am I just paranoid, or has someone found their way into my machine?
    Thank you for any help.

    Kathy
     
  2. JohnnyDollar

    JohnnyDollar Guest

    Will you post some more info? OS, service pack, security programs (AV, firewall, on-demand). Are you on a network?
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Cookies add up quickly, most sites add a few. They don't mean anyone is on your PC.
    The "program is busy" thing is a normal Windows message, although I can't remember what triggers it.

    Just be careful of installing offers of "security" programs from the internet. Some just give false readings.

    & Get Internet Explorer 8 or Firefox/Opera/Chrome.
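
The point Kathy is stuck on is that the cookies come back after a cleanup with no browsing in between. The script below is an added example, not code from this thread, that lists which cookie files were written after a given moment and which domain set each one, so the question "did anything create cookies while the machine sat idle?" gets a concrete answer. It assumes the Internet Explorer on Windows XP layout of one text file per cookie (named `user@domain[n].txt`, under the user's Cookies folder); the sample folder it builds is constructed in a temp directory so it runs offline on any OS.

```python
"""Check whether cookie files keep reappearing after a cleanup.

Added example, not code from the thread. It assumes the Internet Explorer
on Windows XP layout: one text file per cookie, named
"<user>@<domain>[<n>].txt", in a folder such as
C:\\Documents and Settings\\<user>\\Cookies. Point cookie_dir at that
folder and cutoff at the time you cleared cookies; anything listed was
written since then. The sample folder built below is constructed in a
temp directory so the script runs offline on any OS.
"""
import os
import re
import tempfile
import time

# "<user>@<domain>[<n>].txt" -> capture <domain>
COOKIE_FILE = re.compile(r"^[^@]+@([^\[\]]+)\[\d+\]\.txt$")


def cookies_since(cookie_dir, cutoff_epoch):
    """Return sorted (domain, filename, mtime) for cookie files newer than cutoff."""
    found = []
    for name in os.listdir(cookie_dir):
        m = COOKIE_FILE.match(name)
        if not m:
            continue  # index.dat and anything else that is not a cookie file
        path = os.path.join(cookie_dir, name)
        mtime = os.path.getmtime(path)
        if mtime > cutoff_epoch:
            found.append((m.group(1), name, mtime))
    return sorted(found)


def domains_since(cookie_dir, cutoff_epoch):
    """Just the domains that set cookies since the cutoff, one entry each."""
    return sorted({domain for domain, _, _ in cookies_since(cookie_dir, cutoff_epoch)})


def build_sample_dir():
    """Constructed sample: two cookies older than the cleanup, two newer, one non-cookie file."""
    cookie_dir = tempfile.mkdtemp(prefix="cookies_")
    cleanup = time.time() - 3600  # pretend cookies were cleared an hour ago
    samples = {
        "kathy@example.com[1].txt": cleanup - 86400,
        "kathy@ads.example.net[2].txt": cleanup - 7200,
        "kathy@tracker.example.org[1].txt": cleanup + 600,
        "kathy@mail.example.com[1].txt": cleanup + 1200,
        "index.dat": cleanup + 1300,  # IE's cookie index; not a cookie, must be skipped
    }
    for name, stamp in samples.items():
        path = os.path.join(cookie_dir, name)
        with open(path, "w") as handle:
            handle.write("constructed cookie body\n")
        os.utime(path, (stamp, stamp))  # backdate the file to the chosen timestamp
    return cookie_dir, cleanup


if __name__ == "__main__":
    sample_dir, cutoff = build_sample_dir()
    for domain, filename, mtime in cookies_since(sample_dir, cutoff):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), domain, filename)
```

Run it against the real Cookies folder with the cutoff set to when the last cleanup finished. An empty list after the machine has been idle means nothing is writing cookies on its own; a list of fresh entries gives you the timestamps to line up against whatever was running at that moment, and the domain names tell you which sites (or which program talking to which sites) set them.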
     
  4. Kathyhl

    Kathyhl Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    186
    Location:
    California
    Sorry, I should have given more info. OS is XP, no network, I've got NOD32, regcure, XoftSPYSE, TrojanHunter, and I'm just using my windows firewall. I've tried other firewalls, but some of them NOD32 doesn't like, and others I had seemed to want to take over, so up until this started happening, everything seemed to be running smoothly with what I've had. I may just be paranoid here, but this started about the time some new, not so nice, neighbors moved in, and one of them has a comcast sticker on their car, which is the service I use. I realize this could mean nothing, but with my limited knowledge I figured I'd mention it.

    Thank you,
     
  5. Kathyhl

    Kathyhl Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    186
    Location:
    California
    Thank you Joey, the thing about the cookies is I didn't go to any sites after I cleaned the cookies out, so how can they be back in droves? I used to be on the PC like an addiction for years, but a couple years ago other things started happening and the PC was pushed to the back, now it's only used for my husband to receive work orders every night, and once in awhile I'll look something up, or order books, but I do still try and keep it cleaned and running properly, which is why I was stymied when all of a sudden different things started happening. The 'program is busy' comes on now every time I start the PC in the morning. Maybe there is a place I can go to see exactly what that means, but at this point I just don't know where that place would be.

    Thanks for the response.
     
  6. JohnnyDollar

    JohnnyDollar Guest

    WOT rating for Paretologic the makers of xoftspy and regcure http://www.mywot.com/en/scorecard/paretologic.com
     
  7. Kathyhl

    Kathyhl Registered Member

    Joined:
    Oct 18, 2003
    Posts:
    186
    Location:
    California
    Terrific, I've just renewed with these people. I never even knew about the WOT site, so thanks for the info, I've bookmarked it. Still, they may not be causing the problem as I've had them for over a year with no other problems, but I won't be renewing next year, and I will probably be relying more on NOD32 and scanning a bit more with TrojanHunter. I also have Spybot I haven't used in a while, so bringing that out probably couldn't hurt.

    Thanks JohnnyDollar, could be a lesson learned in this for me.
     
  8. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Try scanning with MBAM and SAS. They might pick up on rogues and spyware, etc. Hitman Pro is another option, although since it's behavioural it might not help with rogue software.
     
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Xoftspy is very dubious. Had it uninstalled from my system a long time ago. Now, all I've got is a HIPS, Sandboxie, a lite virtualiser and a firewall. Never been so clean and lightning fast, unlike when I had countless resident scanners running in the background like Spybot S&D, Spy Sweeper, Xoftspy and other blacklisting, signature-based antimalwares.
     
  10. xMarkx

    xMarkx Registered Member

    Joined:
    Dec 1, 2008
    Posts:
    447
    Hello Kathy,

    Tracking cookies are harmless. You can easily delete them yourself by deleting your browsing history. RegCure and XoftSpySE, created by Paretologic, are not rogue software, but aren't really legitimate software either. They will tell you that you have lots of problems with your registry (e.g. 1000+ errors, most of which are just empty keys anyway) or tell you that you have lots of spyware (most of which are just harmless tracking cookies) and then ask you something like $40 to clean your registry and clean out those tracking cookies. Even the screenshots on the ParetoLogic website for XoftSpySE just show the program cleaning tracking cookies and nothing more. It's legit because it itself is not adware, because it shouldn't cause any additional problems, give you viruses, or steal your personal information, but it won't cure that many, or not $40 worth anyway. It acts like rogue software by only fixing the problems once you pay, and overexaggerates the threats to encourage the user to buy the product. I've used RegCure before and I think that it might have messed up my Bluetooth drivers, which I had to reinstall, although this could have happened with any registry cleaner. Registry cleaners can sometimes cause more problems than what they are advertised to fix. That's why a lot of people don't use them. Others find that they do help fix problems and improve performance, which is why registry cleaners are around, I guess. I find that they don't normally cause problems, with the exception of RegCure (although I don't have that much experience with registry cleaners because I've only used a few before), but don't really improve performance either.

    Basically I'm just cautioning you about using software from Paretologic. I would use free tools like CCleaner if you want to clean your registry (what RegCure does) and clean out tracking cookies (the only thing XoftSpySE really does) and MBAM which is free as an antispyware. ESET NOD32 Antivirus is a decent enough antivirus.

    In general, just make sure you run scans with your antimalware products every few weeks, make sure they are up to date a couple of times a week at least, and get the latest Windows updates when they come out on the second Tuesday of every month.

    What version of NOD32 are you running? What browser do you use? Are there any unusual processes running in Task Manager that aren't usually there or one that's consuming an unusual amount of resources? Do you use wireless internet?

    Regards,

    Mark.
     
    Last edited: Sep 19, 2009
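
Mark's question about unusual processes in Task Manager is easier to answer against a saved baseline than from memory. The script below is an added example, not code from this thread: it parses two captures of the Windows XP `tasklist` command (one taken on a day the machine behaves, one taken when it does not) and reports image names that are new and image names whose memory use has jumped. Both listings are constructed sample data; `updater.exe` and every memory figure are made up for the example, and `ekrn.exe` is only there as a stand-in for the resident antivirus service.

```python
"""Compare a saved process list against the current one.

Added example, not code from the thread. It parses the output of the
Windows XP "tasklist" command (Start > Run > cmd, then
"tasklist > baseline.txt" on a good day and "tasklist > today.txt" when
the machine misbehaves) and reports image names that are new and image
names whose memory use has jumped. Both listings below are constructed
sample data; "updater.exe" and every memory figure are made up.
"""
import re

# One tasklist row: name (may contain spaces), PID, session name, session#, "12,345 K"
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+(?P<num>\d+)\s+(?P<mem>[\d,]+) K\s*$"
)


def parse_tasklist(text):
    """Map lower-cased image name -> total memory (KB) over all its instances."""
    totals = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator, blank line
        name = m.group("name").strip().lower()
        kb = int(m.group("mem").replace(",", ""))
        totals[name] = totals.get(name, 0) + kb
    return totals


def compare(baseline, current, growth=4.0, min_kb=50000):
    """Return (new_names, grown_names).

    grown_names: present in both listings, now at least `growth` times the
    baseline total and above `min_kb`, so a 2 KB -> 10 KB wobble is not reported.
    """
    new = sorted(name for name in current if name not in baseline)
    grown = sorted(
        name for name, kb in current.items()
        if name in baseline and kb >= min_kb and kb >= growth * baseline[name]
    )
    return new, grown


BASELINE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
smss.exe                       568 Console                    0        388 K
csrss.exe                      624 Console                    0      3,292 K
winlogon.exe                   648 Console                    0      4,320 K
services.exe                   692 Console                    0      3,612 K
svchost.exe                    860 Console                    0      4,900 K
svchost.exe                    944 Console                    0     21,448 K
explorer.exe                  1424 Console                    0     18,776 K
ekrn.exe                      1532 Console                    0     32,104 K
iexplore.exe                  2016 Console                    0     29,512 K
"""

TODAY = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        240 K
smss.exe                       568 Console                    0        388 K
csrss.exe                      624 Console                    0      3,300 K
winlogon.exe                   648 Console                    0      4,320 K
services.exe                   692 Console                    0      3,612 K
svchost.exe                    860 Console                    0      4,900 K
svchost.exe                    944 Console                    0     21,448 K
svchost.exe                   1108 Console                    0      5,012 K
explorer.exe                  1424 Console                    0     19,004 K
ekrn.exe                      1532 Console                    0     32,104 K
iexplore.exe                  2016 Console                    0    524,288 K
updater.exe                   2244 Console                    0      6,120 K
"""

if __name__ == "__main__":
    new, grown = compare(parse_tasklist(BASELINE), parse_tasklist(TODAY))
    print("new processes:", new)
    print("memory jumped:", grown)
```

Memory is summed per image name rather than per PID on purpose: XP runs several `svchost.exe` instances and their PIDs change every boot, so one extra instance of a known service is not flagged, while a single process ballooning (here `iexplore.exe`) and a name that was never in the baseline both are. A new name is only a lead, not a verdict; look the file up by its full path before deciding anything.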
  11. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Another good scanning option would be NOD32 System Inspector, free on their website.

    I'd uninstall the xpspy thingy and see if that helps.
    Something else could have affected it recently and now it could be giving you both the "program running" and cookie problems.
    That would be my best guess at this point.

    Failing that, I'd make a list of any odd behaviour and give the "oddest" thing a Google search.
     
  12. JohnnyDollar

    JohnnyDollar Guest

    If you use Firefox or IE you can install WOT into your browser as a plugin; it is an excellent tool to help keep you away from bad sites. IMO RegCure will cause more issues than it fixes. Xoftspy is borderline rogue and Paretologic has earned a bad reputation. Even though these apps may not be causing any issues, I would get rid of them just for the sake of housekeeping. I would second Dregg Heda: install SAS and MBAM and use them as on-demand scanners; they're both free and have earned quite a good reputation as malware killers.

    SAS http://www.superantispyware.com/superantispywarefreevspro.html
    MBAM http://www.malwarebytes.org/
     
    Last edited by a moderator: Sep 19, 2009
  13. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Why not simplify this whole task, there is no need to download and install software, only accept an ActiveX Control from Microsoft:

    First run this online tool from Microsoft.....

    Microsoft Malicious Software Removal Tool:
    http://www.microsoft.com/security/malwareremove/default.mspx

    Then run this online tool from Microsoft.....

    Microsoft Live OneCare Online Protection Scanner (Antivirus and Spyware)
    http://onecare.live.com/site/en-US/center/howsafe.htm

    And finally run this online tool from Microsoft.....

    Microsoft Live OneCare Online Clean Up Scanner (Hard Drive and Registry Cleaner)
    http://onecare.live.com/site/en-US/center/cleanup.htm


    HKEY1952
     
  14. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    There are good tools that will rid your PC of cookies and all of them. CCleaner for instance will eliminate the dreaded hard-to-get-rid-of "flash cookie" as well.

    As for the Microsoft products above. Ehhh. You can do better. Trusting Microsoft with my third-party security is not something I would do with a lot of confidence. Run the MS updates, but other than that, you can do better.

    Try disconnecting from the Internet altogether and see if you see the same things occur.
     
  15. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Who has better knowledge than Microsoft at cleaning and protecting their own Operating System?
    On the contrary, third party software can only penetrate the Microsoft Windows Operating System as deep as Microsoft permits.


    HKEY1952
     
  16. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    You mean, like, the fox guarding the hen house? Getting the most basic of protections from Microsoft took years. If Microsoft is so good at doing as you say, why do they build operating systems that have vulnerabilities big enough to drive a truck through? For example, (one of many), giving better security measures to different versions of their software? I mean, come on. Shouldn't security be more important than just an opportunity for Microsoft to force an upgrade? The most basic version of an OS should have security as robust as its "premium" versions. The higher-end versions should have better features in other areas of an operating system, but security? They shouldn't skimp on security - ever. But Microsoft does! And we haven't even talked about years of allowing Internet Explorer to be a wide-open target for hackers. Yeah, they've done a bang-up job of "protecting their own operating system."
     
  17. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    About Paretologic programs...
    I concur with the advice to uninstall.
    I don't know about being rogue programs, but their antivirus is junk.

    As far as NOD goes, I think that's a good choice.
     
  18. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Kathyhl, the only breach in security here would be if your non-networked computer were connected wirelessly, or hardwired by cable, to a wireless access point/router without proper security settings. Without proper security settings for the wireless access point/router, "anyone" with a wireless network adapter within range of your unprotected wireless access point/router can wirelessly connect to it and gain access to the Internet using your Internet connection. Also, any shared resources on any computer behind the wireless access point/router are available to the intruder, the "My Documents" folder, shared by default, for example.

    To plug this security breach, first password protect the wireless access point/router. This prevents any unauthorized access to the wireless access point/router's configuration pages.

    Next, enable the wireless access point/router's Wireless MAC Filter and populate the list with the MAC Addresses of all the network adapters, both Ethernet and Wireless, connecting to the wireless access point/router. This will prevent any unauthorized access to your Internet connection, and to any computers connected to the wireless access point/router, by limiting connections only to the MAC Addresses listed in the Wireless MAC Filter. MAC stands for Media Access Control; it is the twelve-character alphanumeric string embedded into all Internet/Network enabled devices, example: 00-AA-11-AB-22-A1. This alphanumeric string (MAC Address) can be found by opening up a Command Prompt and typing in: ipconfig /all - and then pressing Enter; the MAC Address will be listed as "Physical Address".

    Finally, enable encryption on the wireless communications by utilizing Wireless Encryption Privacy (WEP) or the recommended Wi-Fi Protected Access (WPA). This prevents anyone from openly reading the transmitted communications, and connecting to the wireless access point/router. Instructions for all of this can be found in the instruction manual provided by the manufacturer of the wireless access point/router.


    HKEY1952
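
The MAC filter step above means collecting the "Physical Address" line of every adapter on every machine and typing the list into the router, and the router usually wants the addresses in one fixed format. The script below is an added example, not code from this thread: it pulls those addresses out of saved `ipconfig /all` output and emits a deduplicated list in the separator style the router expects. The listing it parses is a constructed sample with made-up adapter names and addresses; on the real machine, run `ipconfig /all > adapters.txt` and feed that file in.

```python
"""Pull the "Physical Address" of every adapter out of "ipconfig /all" output
and format the list a router's wireless MAC filter expects.

Added example, not code from the thread. On the XP machine, save the
output with "ipconfig /all > adapters.txt" and feed that file in; SAMPLE
below is a constructed listing with made-up adapter names and addresses
so the script runs offline.
"""
import re

# "Ethernet adapter Local Area Connection:" and similar section headers
ADAPTER = re.compile(r"^(?:[A-Za-z ]+) adapter (.+):$")
# "Physical Address. . . . . . . . . : 00-AA-11-AB-22-A1"  (six hex pairs only;
# longer tunnel-adapter IDs are deliberately not matched)
PHYSICAL = re.compile(
    r"^\s*Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s*$"
)


def physical_addresses(ipconfig_text):
    """Return [(adapter name, MAC upper-cased as printed)] in listing order."""
    found = []
    adapter = None
    for line in ipconfig_text.splitlines():
        header = ADAPTER.match(line.strip())
        if header:
            adapter = header.group(1)
            continue
        mac = PHYSICAL.match(line)
        if mac and adapter:
            found.append((adapter, mac.group(1).upper()))
    return found


def normalize_mac(mac, sep=":"):
    """Accept 00-aa-11-ab-22-a1, 00:AA:..., or 00AA11AB22A1; emit upper-case with `sep`."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def mac_filter_list(ipconfig_text, sep=":"):
    """Deduplicated, sorted list ready to paste into the router's MAC filter page."""
    return sorted({normalize_mac(mac, sep) for _, mac in physical_addresses(ipconfig_text)})


SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : home-pc
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.lan
        Description . . . . . . . . . . . : Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-AA-11-AB-22-A1
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Wireless-G USB Adapter
        Physical Address. . . . . . . . . : 00-aa-11-ab-22-b2
        Dhcp Enabled. . . . . . . . . . . : Yes
"""

if __name__ == "__main__":
    for adapter, mac in physical_addresses(SAMPLE):
        print(adapter, mac)
    print(mac_filter_list(SAMPLE))
```

Pass `sep="-"` or `sep=""` if the router's form wants dashes or no separators. One thing to keep in mind when relying on the list: an adapter's MAC address can be changed in software, so the filter is an inventory of the adapters you know about rather than something that keeps a determined neighbour out; of the three steps in the post, the WPA encryption setting with a strong passphrase is the one that actually does that.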
     
  19. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Attempting to help you,

    XoftSpySe seemed familiar, not in a good way.

    I decided to download it and have it checked by Virustotal.
    I tried to download it from this link: download.cnet.com/XoftSpy-SE.../3000-8022_4-10493744.html

    IE 7, and for this occasion I had blocked both direct and indirect cookies.
    Guess what? My computer froze! I had to turn off the power (electricity) to get control over my computer again. Task Manager didn't work, the IE process grew to over 500 MB! In the end, I tried to disable the IE process, which froze my computer. I tried that twice. I never knew that download.cnet.com was so dangerous! This issue may be something for others to consider.

    Then I downloaded it from the paretologic website and submitted it to Virustotal. Clean according to all scanners.
    Some more googling: supposedly XsoftSpy(SE?) was once considered rogue security software, but no more.
    However, I stick by 'once a rogue, always a rogue'.

    Anyway, I googled for: xsoftspyse rogue security software.
    Xsoftspy was a rogue, made by Paretologic. XsoftspySE is also made by Paretologic. Need I say more? Paretologic business practices are at least questionable, and there is an issue with their affiliates.

    Regcure is also made by Paretologic. (Btw, I recommend avoiding registry cleaners, even legitimate ones !)

    I recommend removing both programs.

    Quote: 'yet when I run my spy program again, the cookies are racked up again'. That seems like rogue security software behaviour, or present infection(s).

    It's a good idea to scan your computer for any resident malware.
    Some free ones: MBAM, free a-squared, trial version of Counterspy.
    Online scan by Kaspersky.
    If you want, you can also try the Avira rescue CD ( http://www.avira.com/en/company_news/rescue_cd_.html ) and DR WEB LiveCD (http://www.freedrweb.com/livecd/) You need to burn these on a CD or DVD, don't use the infected computer.

    After doing this you could consider posting a Hijackthis log at www.bleepingcomputer.com . Those people tend to be very helpful, and if you don't know where to get the Hijackthis program, they will. Don't post it here, it's not allowed by policy.

    Btw, are you sure NOD32 is still up to date?

    Now, time for me to restore an image. :p
     
    Last edited: Sep 20, 2009
  20. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Hi there,

    IMHO it is not malware. I used to get the same message for a long while 2-3 years ago on an XP Home system, and I remember it drove me nuts trying to figure out what it was. I had it for a few months and then it suddenly disappeared.

    If you 'google' the exact wording of the message
    you'll find that the problem is very well known to Microsoft.

    http://support.microsoft.com/kb/320364

    http://support.microsoft.com/kb/240809

    http://www-01.ibm.com/support/docview.wss?uid=swg21285622

    I'm sorry I can't help you with a real fix other than suggesting some research, or if it happened to me again nowadays I would reinstall my system anew. As I said, it suddenly disappeared after a few months and I didn't investigate it any further.
     