Shopping Wizard

TheMSsForum.com: The Microsoft Software Forum

Yesterday I was doing some window shopping when suddenly any new page I went
to pulled up this wierd generic info page. I installed and completed several
scans with Antispyware (which I have sereval other issues), but the big
problem I think I have is the program that installed itself on my C drive
called Shopping Wizard. When I try to remove teh program it takes me to an
uninstall websit that does not have a signature. The address is:
http://looking-for.cc/uninstall/ShoppingWizard.html.
I am afraid to download this to get rid of the program. Has anyone heard of
this?? Is it safe??
--
carol
Top

Re: Shopping Wizard by PA

PA
Thu Feb 03 15:37:12 CST 2005

MS AntiSpyware is a beta tool and should not be the single anti-malware tool
you rely on.

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

A fully up-to-date Ad-aware (with VX2 Plug-in) should be able to address
your problem.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


carol wrote:
> Yesterday I was doing some window shopping when suddenly any new page I
> went to pulled up this wierd generic info page. I installed and
> completed several scans with Antispyware (which I have sereval other
> issues), but the big problem I think I have is the program that installed
> itself on my C drive called Shopping Wizard. When I try to remove teh
> program it takes me to an uninstall websit that does not have a
> signature. The address is:
> http://looking-for.cc/uninstall/ShoppingWizard.html.
> I am afraid to download this to get rid of the program. Has anyone heard
> of this?? Is it safe??

Top

Re: Shopping Wizard by carol

carol
Fri Feb 04 07:53:02 CST 2005

Well I tried running AdAware SE with the VX2 Plug-in and I still am having
major problems. I keep getting an IST.ISTBar hijacker notice as well as a
Trojan.WindowService.A warning. I also have 4 websites that plopl onto my
Favrite websites every time I reboot. When I run a scan the four following
showup as threats:
Xrenoder Browser Plugin
IST.xxxToolbar
Trojan.WindowService.A
Unclassified.Spyware.BHO.E

I am tempted to call a professional to come in and get rid of all this junk
- or scrap this computer and get a new internet address!!! HEELLPPP!!!

"PA Bear" wrote:

> MS AntiSpyware is a beta tool and should not be the single anti-malware tool
> you rely on.
>
> Help with Hijackware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/Darnit.htm
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>
> A fully up-to-date Ad-aware (with VX2 Plug-in) should be able to address
> your problem.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (IE/OE) & Security
>
>
> carol wrote:
> > Yesterday I was doing some window shopping when suddenly any new page I
> > went to pulled up this wierd generic info page. I installed and
> > completed several scans with Antispyware (which I have sereval other
> > issues), but the big problem I think I have is the program that installed
> > itself on my C drive called Shopping Wizard. When I try to remove teh
> > program it takes me to an uninstall websit that does not have a
> > signature. The address is:
> > http://looking-for.cc/uninstall/ShoppingWizard.html.
> > I am afraid to download this to get rid of the program. Has anyone heard
> > of this?? Is it safe??
>
>
Top

Re: Shopping Wizard by Malke

Malke
Fri Feb 04 07:58:37 CST 2005

carol wrote:

> Well I tried running AdAware SE with the VX2 Plug-in and I still am
> having
> major problems. I keep getting an IST.ISTBar hijacker notice as well
> as a
> Trojan.WindowService.A warning. I also have 4 websites that plopl
> onto my
> Favrite websites every time I reboot. When I run a scan the four
> following showup as threats:
> Xrenoder Browser Plugin
> IST.xxxToolbar
> Trojan.WindowService.A
> Unclassified.Spyware.BHO.E
>
> I am tempted to call a professional to come in and get rid of all this
> junk
> - or scrap this computer and get a new internet address!!!
> HEELLPPP!!!
>
> "PA Bear" wrote:
>
>> MS AntiSpyware is a beta tool and should not be the single
>> anti-malware tool you rely on.
>>
>> Help with Hijackware
>> http://aumha.org/a/parasite.htm
>> http://aumha.org/a/quickfix.htm
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/Darnit.htm
>> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>>
>> A fully up-to-date Ad-aware (with VX2 Plug-in) should be able to
>> address your problem.
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-Windows (IE/OE) & Security
>>
>>
>> carol wrote:
>> > Yesterday I was doing some window shopping when suddenly any new
>> > page I
>> > went to pulled up this wierd generic info page. I installed and
>> > completed several scans with Antispyware (which I have sereval
>> > other issues), but the big problem I think I have is the program
>> > that installed
>> > itself on my C drive called Shopping Wizard. When I try to remove
>> > teh program it takes me to an uninstall websit that does not have a
>> > signature. The address is:
>> > http://looking-for.cc/uninstall/ShoppingWizard.html.
>> > I am afraid to download this to get rid of the program. Has anyone
>> > heard
>> > of this?? Is it safe??
>>
>>
I think your idea to call a professional is a good one. However, if you
want to try this yourself, here are general malware removal steps. It
is crucial that you do everything in Safe Mode with updated tools.

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions.

Before you remove malware, get LSPFix (or WinSockFix for XP which you
can get from MajorGeeks) - see links below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
Top

Re: Shopping Wizard by PA

PA
Fri Feb 04 20:01:20 CST 2005

Symantec Security Response - Adware.Istbar:
http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

Download and run the free Removal tool. Follow-up by executing all of the
manual Removal instructions (though you probably won't be able to identity
"[5 random ASCII characters]" = "[path to adware]" in Step 4d without
assistance.

Here's the long version of 'Help with Hijackware'. Do Parts A and B then
post your HijackThis log to an appropriate forum (not here). An expert will
be able to identify the "[5 random ASCII characters]" in your HijackThis
log.

Dealing with Trojans & Hijackware

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just
a desktop folder). Download 'Sysclean.com' from
http://www.trendmicro.com/download/dcs.asp to this folder. Download the
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
http://www.trendmicro.com/download/pattern.asp and extract its contents to
the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE Tools>Internet Options>General)
accepting the option to delete all offline content. Reboot and delete
contents of TEMP folders and Recycle Bin.

Close all running programs including your anti-virus application, go
offline, and run Sysclean. For best results, do nothing with the machine
until the scan completes.

If the scan shows any infections in System Restore files:

(1) create a new Restore Point (Start>Programs>Accessories>System
Tools>System Restore), then

(2) delete all but the most recent Restore Point
(Start>Programs>Accessories>System Tools>Disk Cleanup>More options [tab]).

Afterwards, update your own anti-virus application and perform another full
system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in
background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)

2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877;
Fix all found)

3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in
red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security


carol wrote:
> Well I tried running AdAware SE with the VX2 Plug-in and I still am having
> major problems. I keep getting an IST.ISTBar hijacker notice as well as a
> Trojan.WindowService.A warning. I also have 4 websites that plopl onto my
> Favrite websites every time I reboot. When I run a scan the four
> following showup as threats:
> Xrenoder Browser Plugin
> IST.xxxToolbar
> Trojan.WindowService.A
> Unclassified.Spyware.BHO.E
>
> I am tempted to call a professional to come in and get rid of all this
> junk - or scrap this computer and get a new internet address!!!
> HEELLPPP!!!
>
> "PA Bear" wrote:
>
> > MS AntiSpyware is a beta tool and should not be the single anti-malware
> > tool you rely on.
> >
> > Help with Hijackware
> > http://aumha.org/a/parasite.htm
> > http://aumha.org/a/quickfix.htm
> > http://mvps.org/winhelp2002/unwanted.htm
> > http://inetexplorer.mvps.org/Darnit.htm
> > http://www.mvps.org/sramesh2k/Malware_Defence.htm
> >
> > A fully up-to-date Ad-aware (with VX2 Plug-in) should be able to address
> > your problem.
> > --
> > ~Robear Dyer (PA Bear)
> > MS MVP-Windows (IE/OE) & Security
> >
> >
> > carol wrote:
> > > Yesterday I was doing some window shopping when suddenly any new page
> > > I went to pulled up this wierd generic info page. I installed and
> > > completed several scans with Antispyware (which I have sereval other
> > > issues), but the big problem I think I have is the program that
> > > installed itself on my C drive called Shopping Wizard. When I try to
> > > remove teh program it takes me to an uninstall websit that does not
> > > have a signature. The address is:
> > > http://looking-for.cc/uninstall/ShoppingWizard.html.
> > > I am afraid to download this to get rid of the program. Has anyone
> > > heard of this?? Is it safe??

Top