Spyware troubles

Darkside Heartless · Post by **Darkside Heartless** » Tue Jan 18, 2005 8:08 pm

[insert typical spyware problem here]An idiot friend of mine set up a redirector on his website to another site that is full of the afore mention software and now my computer is infested and spybot search and destroy AND ad-aware can't get it all. There's a dropper somewhere, and it's getting on my nerves because I usually have a very clean system. That an having a respawning XXX rated search bar does tend to agravate me

What software can get rid of this stuff?

PS: Don't worry, he's gonna get his and it involves his car and varnish

CDN_Merlin · Post by **CDN_Merlin** » Tue Jan 18, 2005 8:13 pm

c:/> format C:

Grendel · Post by **Grendel** » Tue Jan 18, 2005 8:16 pm

Your problem sounds like a malware BHO, get M$' AntiSpyware (~6MB). It's a very good supplement to Adaware & S&D.

MD-2389 · Post by **MD-2389** » Tue Jan 18, 2005 9:24 pm

Post a Hijack This! log and I'll see what I can do.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

And for goodness' sake, give IE the finger...

DCrazy · Post by **DCrazy** » Tue Jan 18, 2005 10:12 pm

Your best solution: http://www.getfirefox.com

Asrale · Post by **Asrale** » Wed Jan 19, 2005 1:44 am

I'll go ahead and cast a biased vote for Spy Sweeper ($20 this week at Best Buy, usually $30). :p Even if it doesn't completely remove the trojan/dropper and toolbar, I can guarantee you it'll cripple enough to make everything defunct. (And I can hook you up with something additional if you go buy a copy.)

Apart from that, I'd second the reformat, that's the only foolproof way. In the future, have a drive image on CD/DVD-R handy, so you can restore your system to a clean slate quickly.

Top Gun · Post by **Top Gun** » Wed Jan 19, 2005 2:00 am

DCrazy wrote:Your best solution: http://www.getfirefox.com

Look up.

suicide eddie · Post by **suicide eddie** » Wed Jan 19, 2005 4:42 am

run the removal tools in windows safe mode if possible, you,ll have a chance to remove a lot of the nastys before they start up.

DCrazy · Post by **DCrazy** » Wed Jan 19, 2005 5:24 am

I did. He pointed to mozilla.org, not mozilla.org/products/firefox.

Darkside Heartless · Post by **Darkside Heartless** » Wed Jan 19, 2005 6:52 am

I'd use firefox if it was capable of displaying any of the 3D viewers.
The fomat is out of the question as I have well over 100 GIG of things I need to keep.

I'll grab Hijack this when I get home, and the Antispyware stuff, see if it can catch everything. If not, I have several hours of backing up I have to do

Nitrofox125 · Post by **Nitrofox125** » Wed Jan 19, 2005 8:00 am

www.arasian.com/transfer/avg.exe

Free virus scanner, Don't know if it'll get anything new, but it's worth a try.

Darkside Heartless · Post by **Darkside Heartless** » Wed Jan 19, 2005 10:08 am

car's been varnished

and I got and installed all that stuff, and here's the log file http://upl.silentwhisper.net/textview.p ... ea42f75e48

Tyranny · Post by **Tyranny** » Wed Jan 19, 2005 11:43 am

Grendel wrote:Your problem sounds like a malware BHO, get M$' AntiSpyware (~6MB). It's a very good supplement to Adaware & S&D.

I think one thing is certain. When MS decides to make an app to compete with some of the smaller 3rd party groups, it sure looks purty

Top Gun · Post by **Top Gun** » Wed Jan 19, 2005 2:43 pm

I'd try out the Microsoft scanner, but their validation process seems needlessly asinine.

Vander · Post by **Vander** » Wed Jan 19, 2005 2:55 pm

You know, I've been using Firefox for almost 2 years, and I have to wonder why people still use IE. I've never had more than a handful of tracking cookies found during spyware scans. Firefox has really sheltered me from much of the spyware brouhaha. IMO, it's the single most effective way to avoid spyware.

BUBBALOU · Post by **BUBBALOU** » Wed Jan 19, 2005 3:18 pm

just stop surfing Pr0n...

tools: for free
Spybot 1.3
ActiveX SpywareBlaster
MS AntiSpy Beta

nothing else needed..Except active scanning with your AV

IE or Mozilla. same shiz different Pr0n

Grendel · Post by **Grendel** » Wed Jan 19, 2005 3:33 pm

Top Gun wrote:I'd try out the Microsoft scanner, but their validation process seems needlessly asinine.

Scroll the page down -- "Get the software w/o validation now"..

Mobius · Post by **Mobius** » Wed Jan 19, 2005 4:11 pm

C:\Documents and Settings\David Julian\Desktop\HijackThis.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\program files\180solutions\sais.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\Microsoft Office\Office10\OSA.EXE
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\David Julian\Desktop\miscelaneous\tkc-release1-61\KeyCount.exe

Trusted Zone: *.xxxtoolbar.com
Trusted Zone: *.frame.crazywinnings.com
Trusted Zone: *.scoobidoo.com

C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
http://www.xxxtoolbar.com/ist/softwares ... _adult.cab

OMG - that's the best laugh I've had in ages!

DCrazy · Post by **DCrazy** » Wed Jan 19, 2005 4:21 pm

Darkside Heartless wrote:car's been varnished

Pics plz.

MD-2389 · Post by **MD-2389** » Fri Jan 21, 2005 12:21 am

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe You don't really need this unless you like playing with your voice (making it sound different).
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll kill
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" Bloatware, you can kill this without any nasty side-effects.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot Both of these are completely unnecessary. Matter of fact, you don't even need either of them. Use Media Player Classic instead, as it reads QT and RP formats natively.
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 Weatherbug...a program notorious for being spyware infested. Uninstall it pronto.
O4 - HKLM\..\Run: [C.tmp] C:\DOCUME~1\DAVIDJ~1\LOCALS~1\Temp\C.tmp.exe 0 28129
O4 - HKLM\..\Run: [E.tmp] C:\DOCUME~1\DAVIDJ~1\LOCALS~1\Temp\E.tmp.exe 1 28129
O4 - HKLM\..\Run: [C.tmp.exe] C:\DOCUME~1\DAVIDJ~1\LOCALS~1\Temp\C.tmp.exe 1 28129
O4 - HKLM\..\Run: [E.tmp.exe] C:\DOCUME~1\DAVIDJ~1\LOCALS~1\Temp\E.tmp.exe 1 28129 Those four don't look legitimate to me.
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - Startup: Shortcut to KeyCount.exe.lnk = C:\Documents and Settings\David Julian\Desktop\miscelaneous\tkc-release1-61\KeyCount.exe Kill these for sure.
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll -
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU) Nuke

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - h__p://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
Kill those pronto.
O23 - Service: Creative Service for CDROM Access - Unknown - C:\WINDOWS\System32\CTsvcCDA.EXE (file missing) Totally unnecessary. You don't have to kill it, but its a waste of memory IMO.
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe Kill that thing immediately!

Asrale · Post by **Asrale** » Fri Jan 21, 2005 1:11 am

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

Actually, you do NOT want to remove that line if you regularly use packet writing with CD-RW discs.

whuppinboy · Post by **whuppinboy** » Sat Jan 22, 2005 7:01 pm

what MD failed to tell you is that you have to run hijack this with "normal startup" selected in order to catch everything on your system. you also need to turn off system restore if you're running Windows XP. malware, adware and other trojans, virii hide if you run "selective startup". after cleaning your system, than turn it back on.

the things MD told you to check and delete won't help your problem and MS anti-spyware tool isn't really theirs. they bought giant's tool and put their name on it. it's generic at best and MAY find a couple of things that spybot and adaware don't catch but it's not the end all be all.

go to trendmicro.com (http://housecall.trendmicro.com/houseca ... t_corp.asp) and run their utility and then use the stinger program from mcafee (http://vil.nai.com/vil/stinger/), both are free and will do a good job of getting rid of any virii or trojans.

also, i would recommend plopping the twenty bucks for spysweeper or just their 30 day trial if you don't normally get infected with internet crap.

if you need REAL help with your hijack this log, than go to http://forums.thatcomputerguy.us/ and post your HJT log.

i simply hate people that don't do any research **cough** MD **cough**

BUBBALOU · Post by **BUBBALOU** » Sat Jan 22, 2005 9:39 pm

Now looking above at all that CRAP, visiting 1 webpage? . . . . . . . NOT!

Pr0N is your Downfall!

MD-2389 · Post by **MD-2389** » Sat Jan 22, 2005 10:07 pm

Asrale wrote:
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Actually, you do NOT want to remove that line if you regularly use packet writing with CD-RW discs.

Actually, if he wants to use Roxio's CD burning program instead of Direct CD, he'll have to because both programs fight eachother like rabid dogs. (Which was STUPID on Roxio's part since Direct CD is enabled by default, and you will not be able to use Easy CD Creator with it running at all.)