
Author Topic: you guys are guna love this....  (Read 10071 times)


shield

you guys are guna love this....
« on: October 11, 2004, 06:01:51 PM »
I have a little problem with spyware/adware, so to speak...... noticed it when my homepage turned into something else... I change it and it changes back... I run HijackThis and remove what I knew wasn't supposed to be there, and I re-scan and it comes back... I go to my Registry edit and remove the items that were there that weren't supposed to be... and they appear right back.. I run TrojanHunter.. none found.. same with Norton.. I run Ad-Aware (Lavasoft) and it finds 31 problems, I remove and quarantine.... re-scan .... they come right back... (even after reboot) I run Spybot S&D... finds CoolWWWSearch or something and a couple others... it removes them... and guess what, they KEEP coming BACK! It's like a fly that lands on the same spot every time you shoo it away.. I wouldn't be posting this unless I was absolutely sure I couldn't handle it myself... so I need some suggestions here...

thanks... :-/

gliss

Re: you guys are guna love this....
« Reply #1 on: October 11, 2004, 07:58:20 PM »
I had this one too. I struggled with it for hours but no luck. Eventually I found the utility CWshredder.  This is what you need to clean up your system.  Available here http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

shield

Re: you guys are guna love this....
« Reply #2 on: October 11, 2004, 08:12:50 PM »
I did the CWShredder also... forgot to say that in my first post... I used it and it said it cleaned, but they keep coming back.

gliss

Re: you guys are guna love this....
« Reply #3 on: October 11, 2004, 08:47:50 PM »
Hmmm, maybe a new variant. I can only suggest using System Restore (if you are using XP?) to restore the registry back to a point before it was infected. Or...and this is dangerous, edit the registry by hand to delete any references to the files reported by Ad-Aware.  I know you said you have done this, but the trick is to reboot into safe mode only, so that the *censored* thing doesn't autostart and begin repairing itself before you have gotten every trace of it. Good luck!

shield

Re: you guys are guna love this....
« Reply #4 on: October 11, 2004, 08:53:58 PM »
It's a clean install.... 1 day old. Not sure where I got it, first of all... but I'll try the safe mode issue, only because I know reg keys.

dl65

Re: you guys are guna love this....
« Reply #5 on: October 11, 2004, 09:27:36 PM »
shield....www.coolSearch is one bad one to get rid of....
I would suggest running HijackThis again and posting the log here so we can have a look at it......I believe you may have missed something......DO NOT, I REPEAT.....Don't....use your System Restore. CW Shredder will identify it and reset your homepage .....but until you clean it out, it will keep coming back.

dl65  ::)
If you don't know the answer, it isn't a dumb question.

shield

Re: you guys are guna love this....
« Reply #6 on: October 11, 2004, 10:35:16 PM »
I ran safe mode and CWShredder and HijackThis and removed those adware.... they came back@#! It's so irritating.... here's my HijackThis log in the next post:

shield

Re: you guys are guna love this....
« Reply #7 on: October 11, 2004, 10:36:43 PM »
Logfile of HijackThis v1.97.7
Scan saved at 9:34:10 AM, on 10/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\Ati2evxx.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\ICQLite\ICQLite.exe
D:\WINNT\System\MSMSGSVC.exe
D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[email protected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[email protected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[email protected]/search/ (obfuscated)
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MSMsgSvc] D:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MemTurbo.lnk = D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38270.6357175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
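
The log above shows two tricks that make a hijacked URL hard to read at a glance: the O13 prefix is written entirely in percent escapes (http://%65%68%74%74%70%2E%63%63/? decodes to http://ehttp.cc/?), and the R0/R1 entries put a familiar-looking name before an '@' so that the real host comes after it. The forum software has mangled the R0/R1 URLs in the posted log, so they cannot be reproduced here. The following is an added example, not code from the thread or from HijackThis: a small triage script that decodes such entries and reports the host a browser would actually contact, which is the research step dl65 recommends before ticking "Fix checked". The sample log lines, the hijacker.example host in the R1 line and the KNOWN_GOOD_HOSTS set are constructed for the example; the O13 and O16 lines are copied from the posted log.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the thread).  It decodes percent-escaped URLs, strips the 'userinfo@' trick
and reports the host a browser would really contact, so that R0/R1/O13/O16
entries can be researched before ticking 'Fix checked'."""
import re
from urllib.parse import unquote, urlsplit

# Hosts that appear in the thread as legitimate; everything else is reported.
# (Constructed allowlist for the example; extend it for your own environment.)
KNOWN_GOOD_HOSTS = {
    "www.msn.com",
    "download.macromedia.com",
    "v4.windowsupdate.microsoft.com",
    "launch.gamespyarcade.com",
}

# Constructed sample log.  The O13 and O16 lines are copied from the thread;
# the R1 line is a placeholder showing the 'lookalike@realhost' trick, since
# the hijacked URLs in the posted log were mangled by the forum software.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.msn.com@hijacker.example/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def effective_host(url):
    """Host the browser will actually connect to, after decoding %XX escapes
    and discarding any 'user:pass@' prefix that merely looks like a host."""
    netloc = urlsplit(unquote(url)).netloc
    host = netloc.rsplit("@", 1)[-1]      # text after the last '@' is the real host
    return host.split(":", 1)[0].lower()  # drop a port if present


def obfuscation_flags(url):
    """Name the tricks used in the raw (undecoded) URL."""
    flags = []
    raw_netloc = urlsplit(url).netloc
    if "%" in raw_netloc:
        flags.append("percent-encoded host")
    if "@" in raw_netloc:
        flags.append("userinfo masks real host")
    if effective_host(url) not in KNOWN_GOOD_HOSTS:
        flags.append("host not on known-good list")
    return flags


def analyze_log(text):
    """Return one finding per http(s) URL found in R0/R1/O13/O16-style entries."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for url in URL_RE.findall(m.group("body")):
            findings.append({
                "code": m.group("code"),
                "url": url,
                "host": effective_host(url),
                "flags": obfuscation_flags(url),
            })
    return findings


def suspicious_entries(text):
    """Only the findings that carry at least one flag."""
    return [f for f in analyze_log(text) if f["flags"]]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        status = "FLAG" if f["flags"] else "ok  "
        print(f"{status} {f['code']:<4} {f['host']:<24} {', '.join(f['flags'])}")
```

Run it as a script to get one line per URL with the decoded host and the reasons it was flagged; the O2/O4 entries that point at executables (dpe.dll, MSMSGSVC.exe) carry no URL and are left for manual research, since a file path cannot be judged by decoding alone.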

shield

Re: you guys are guna love this....
« Reply #8 on: October 11, 2004, 10:36:51 PM »
I removed the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[email protected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[email protected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[email protected]/search/ (obfuscated)

and they just keep coming back on.

Raptor

Re: you guys are guna love this....
« Reply #9 on: October 11, 2004, 11:20:28 PM »
Have you tried running all these programs in safe mode?

dl65

Re: you guys are guna love this....
« Reply #10 on: October 12, 2004, 01:01:45 AM »
shield....Ok here's what I would like you to do....
1 open HijackThis...and click Info....now make sure that in Configuration / Main there is a tick in boxes 2,3,4,5 and no tick in box 1.
2 In the boxes for the URLs...... enter http://www.msn.com
do this for all four.....
3 now click the Back button.
4 now click the Scan button

now I want you to mark for removal all the entries I have put in red

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[email protected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[email protected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[email protected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[email protected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[email protected]/search/ (obfuscated)
R3 - URLSearchHook: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ  Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MSMsgSvc] D:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MemTurbo.lnk = D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38270.6357175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

when you have ticked the ones in red.....click the Fix checked button......

I would do all of the above in safe mode.
This should clear it .....It wouldn't hurt to scan again now with Ad-Aware and, if you have it, Spybot.
Do you have any kind of a registry cleaner? i.e. ......System Mechanic Pro 5 or Registry First Aid.
If you have, run them as well.

Then reboot back up normally and see how things are.

let us know how it goes

dl65  ::)

« Last Edit: October 12, 2004, 01:19:29 AM by dl65 »
If you don't know the answer, it isn't a dumb question.

shield

Re: you guys are guna love this....
« Reply #11 on: October 12, 2004, 05:54:41 PM »
dl65.... I love you... it worked, all clean, no spyware/adware/nothing..... wanna go out for dinner? lol thanks bud. ;)

dl65

Re: you guys are guna love this....
« Reply #12 on: October 12, 2004, 06:52:15 PM »
shield.....Glad to hear you're pest free......HijackThis does a great job ......the key to using it is to research each entry in the log it generates.......

cheers,

dl65  ::)
If you don't know the answer, it isn't a dumb question.

shield

Re: you guys are guna love this....
« Reply #13 on: October 12, 2004, 06:56:57 PM »
so do you wanna go for dinner or not :P

dl65

Re: you guys are guna love this....
« Reply #14 on: October 12, 2004, 06:59:18 PM »
shield.......So what did you have in mind?

Burger King or McDonalds.......lol

dl65 ::)
If you don't know the answer, it isn't a dumb question.