QUOTE(Jayken @ Jul 24 2005, 08:57 AM)
Read up on it here > http://www.grc.com/stm/shootthemessenger.htm Feel free to ask if still in doubt.
sUBs
Spyware & Browser Hijack removal & links
Jul 24 2005, 09:16 AM
VIP
3,941 posts Joined: Jan 2005
Jul 27 2005, 06:19 AM
Junior Member
17 posts Joined: May 2005
Wondering why my sent and receive, the sent will be more than the receive?? and i tried to use HijackThis, Spyware Doctor etc to scan but nothing happen...
Jul 27 2005, 08:09 AM
VIP
3,941 posts Joined: Jan 2005
QUOTE(wakl @ Jul 27 2005, 06:19 AM) Wondering why my sent and receive, the sent will be more than the receive?? and i tried to use HijackThis, Spyware Doctor etc to scan but nothing happen...
@wakl I have already moved your post to a new thread. You know where it is. http://forum.lowyat.net/index.php?showtopic=180575 You already have a thread dedicated to your problem. Please do not post in this sticky.
Jul 29 2005, 01:21 AM
Junior Member
34 posts Joined: Jul 2005
Hye..
A friend of mine also has a PC which is affected with spyware.. pls help her. Her PC is also running very slow (P4 2.8 GHz). Attached here are the HijackThis log and the antispyware log for the PC:
1) HijackThis log
2) antispyware log
ty
Jul 29 2005, 12:16 PM
VIP
3,941 posts Joined: Jan 2005
sUBs ...coughing blood..
lanroba - click here < Post new topic > to start a new thread & post that log there.
Jul 31 2005, 02:09 PM
VIP
3,941 posts Joined: Jan 2005
QUOTE(lanroba @ Jul 31 2005, 01:42 PM) Hee..hee
Quite simple. Just go to this page > http://forum.lowyat.net/index.php?showforum=25 Locate & click the button. It's situated near the top & to the right hand side. I'm not trying to make life difficult for you. This is to help you become more familiar with the forum's features so that you can be more of a regular member at LYF.
sUBs
Aug 5 2005, 03:25 AM
VIP
3,941 posts Joined: Jan 2005
Uninstall List - Add/Remove Programs
180 Solutions 180SAInstaller Class 180 Search Assistant 2020Search 404Search 411Ferret Toolbar 7FaSSt Search The ABI Network- A Division of Direct Revenue (online uninstallation) Active Alert Ad Service Advanced Search AdvSearch AdwareAlert Alexa Toolbar AM Server ATP autoSearch B3d Projector Bargain Buddy / Bulls Eye Network / CashBack / NaviSearch BookedSpace Browser Enhancer BrowserAid BrowserPal Bulls Eye Network / CashBack / NaviSearch / Bargain Buddy Cash Toolbar CashBack / NaviSearch / Bargain Buddy / Bulls Eye Network Chinese keywords ClickTheButton ClockSync CommonName Context Display Cosmi Cpr CxtPls DailyToolbar Date Manager DealHelper DelFin Media Viewer / PgTools / PGate / DisplayUtility / DMVLite Desktop Toolbar [WhenUSearch] Download Receiver DownloadWare E2Give Browser Add On Easy Search Bar Ebates_MoeMoneyMaker Elite SideBar Elite ToolBar eXact Search Bar ezSearchBar F1 FlashTrack Uninstall flt FreeScratchAndWin FT Remove FTApp Fun Web Products Easy Installer eXact Search Bar eZula TopText Gator eWallet Go GogoTools Hotbar Huntbar Httper Hyperlinker IconForge IE Helper IE Menu Extension toolbar IE Toolbar IEDriver IMZ InetDoor Internet 404 (internet connection is needed for removal) Internet Optimizer Internet Washer Pro IPInsight ISTBar ISTSvc iWon Plus KeenValue KeywordPlugin Live 0n line Portal LookSmart Search L.O P. Uninsta11 Lycos Search Lycos Sidesearch masterbarHallmedia.net MaxSpeed mc Media Access Media Motor MidADdle MoreResults Movie Viewer 2.1 MS AUpdate MS Updates mscman MSIETS MWSearch My Way Speedbar My Web Search NavExcel Search Toolbar Nav Helper NaviSearch / Bargain Buddy / Bulls Eye Network / CashBack Neo Technology Search Engine Netpal Games NewtonKnows Oemji Toolbar Onflow Orbit PeopleOnPage PowerSearch Toolbar PowerStrip Precision Time Preview AdService POP PuritySCAN qidion - toolbar Quick Browse ?? 
QuickSearch Toolbar RapidBlaster RelatedLinks Rich Editor RON Display RSyncMon RVP SafeGuard Save / WhenU Search / WeatherCast / ClockSync Security IGuard Search 2020 Search Assistant Search Assistant Utility Search Fast Search Maid Search Relevancy Search Toolbar (internet connection is needed for removal) Searchit - toolbar SearchSquire Select Cashback ShopAtHomeSelect Agent Shopping Community Side Find Side Search SideStep Slotchbar Software Update Manager supaseek - Toolbar SuperBar IE Plugin Surf SideKick 3 Surfairy SysAI TBPS Tools for Internet Explorer (internet connection is needed for removal) Toolbar - My toolbar TopText TSA TV Media Twaintech UCmore Ultimate Browser Enhancer URL Display VBRunDLL Veevo Virtual Maid VVSN WareOut WAST Web Offer Web_Rebates WebHancer Web Toolbar Web Tools by Hotbar whazit tools WhenU Search / Save / WeatherCast / ClockSync WhileYouSurf WinSrv Reg wincomp Windows SyncroAd wintrim WebSearch Toolbar (internet connection is needed for removal) WebSearch Tools Windows AdTools Windows AFA Internet Enhancement WinTools Win-Tools Easy Installer (internet connection is needed for removal) WSEM Update XDiver Your Site Bar YuupSearch Toolbar Zango Zipclix ZZ
Aug 24 2005, 12:02 AM
Staff
7,932 posts Joined: Jan 2005 From: Soviet Sarawak
sUBs:
I had one silly n00bie question here, about the eZula TopText. Removed it using Search & Destroy. Even restarted the PC (as directed by S&D). The adware/spyware seems to be gone, but the directory in C:\Program Files still exists and cannot be deleted.
1. Does this mean I am still infected? (thorough search + scan and no eZula running tasks in the services)
2. Any way to remove the annoying files that end with *.tmp? I tried many software but still cannot remove the annoying directory.
thanx

edit: problem 1 and 2 solved. My trusty BitDefender deleted the *.tmp files, thus letting me delete the annoying directory. However, a new prob arises: in the Add/Remove dialogue, the TOPTEXT, MYSEARCH and SEARCH ASSISTANT still exist.
1. Does this mean I am still INFECTED?
2. Can I just delete it from the registry entries manually?
3. Any way to remove it w/o using registry edit?

edit: PROBLEM SOLVED. Multiple software used to deal with all this. Sheesh... just ONE wrong click, and I spent 2 hours cleaning each and every parasite... how did this happen? My 8 months w/o spyware record has been busted.

This post has been edited by lucifah: Aug 24 2005, 12:57 AM
Aug 24 2005, 12:29 AM
VIP
3,941 posts Joined: Jan 2005
You should have uninstalled the programs with Add/Remove Programs before allowing the antivirus to forcibly remove them. It may leave several orphaned entries in your Registry.
Try this first.. Download Trend Micro(tm) Anti-Spyware (by clicking the "Scan and Clean your PC" button).
It's quite good at removing such entries. If that doesn't work, run HijackThis:
Go to Config > Misc Tools > Open Uninstall Manager
Select the program & click "Delete this entry"
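An added check, not code from the thread or from any tool named in it, that finds the orphaned Add/Remove Programs entries sUBs describes: registry uninstall entries whose uninstall command points at an executable the antivirus has already deleted. It assumes a Windows host with PowerShell 5.1 or later and only reports; nothing is deleted.

```powershell
# Added example: list Add/Remove Programs entries whose UninstallString refers to a
# file that no longer exists on disk. These are the "orphaned" entries left behind
# when an antivirus removes program files before the vendor uninstaller has run.
# Read-only: it reports candidates for the HijackThis Uninstall Manager, it does not
# touch the registry.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallTarget {
    param([string]$Command)
    # Extract the executable path from an UninstallString such as
    #   "C:\Program Files\Foo\unins.exe" /SILENT   or   C:\PROGRA~1\Foo\unins.exe -u
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.(exe|bat|cmd|msi))') { return $Matches[1] }
    # MsiExec-style entries reference a product code rather than a file; skip them.
    return $null
}

$orphans = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $props  = Get-ItemProperty $_.PSPath
        $target = Get-UninstallTarget $props.UninstallString
        # Test-Path resolves 8.3 short names (PROGRA~1) the same as long paths.
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{
                Name          = if ($props.DisplayName) { $props.DisplayName } else { $_.PSChildName }
                Key           = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                MissingTarget = $target
            }
        }
    }
}

if (-not $orphans) {
    'No orphaned uninstall entries found.'
} else {
    $orphans | Sort-Object Name | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell so the HKLM hives are readable; compare each reported Name against the uninstall list posted earlier in this thread before removing anything.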
Aug 24 2005, 01:02 AM
Staff
7,932 posts Joined: Jan 2005 From: Soviet Sarawak
sUBs: problems all solved. thanx to your guides and tips.
time taken to be infected: less than 1 minute
time to clean: 2+ hours
Here is the list of software that I've used:
1. BitDefender (the main s/w that alerted me 2 hours ago and stopped system wide infection)
2. Spybot Search & Destroy (sUBs' recommendation)
3. SpywareBlaster (again, thanx to sUBs)
4. Ad-Aware (long time forgotten s/ware tucked inside my hard drive)
5. RegCleaner (the registered version by the great Juno) - this is used to delete all the annoying Add/Remove lists
Identified spyware:
1. 180solutions
2. Search Assistant
3. My Search
4. eZula TopText
This post has been edited by lucifah: Aug 24 2005, 01:03 AM
Aug 30 2005, 04:28 PM
VIP
18,182 posts Joined: Jan 2005 From: Dagobah
LOP is a sneaky adware/spyware which I came across often before. It can infect both IE and Netscape/Mozilla as well; however, the only way it can enter your system is still thru IE (aka Idiot Exploiter). Once it infects the system, your browser, desktop, explorer and search functions are hijacked. It also creates/modifies registry entries so that it can be used with Mozilla or Netscape. On some machines, especially those running the older Windows ME operating system, it randomly crashes the system.. usually causing Explorer crashes and illegal operations.
Anyway, DO NOT trust the uninstaller tool from the creators of LOP themselves. It's better to get a 3rd party utility to clean out that pesky LOP.
Jan 16 2006, 10:12 AM
VIP
16,825 posts Joined: Jan 2003 From: Siberia
CWShredder or HijackThis closes immediately after opening?
There is a variant of the CoolWebSearch trojan spreading that closes several anti-spyware apps when you try to open them. If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well as Spybot S&D, Ad-Aware and several anti-spyware forums).
Jun 20 2007, 01:48 PM
VIP
2,496 posts Joined: Jan 2003 From: LowYatDotNet Status:Agast
QUOTE
TechNet On-Demand Webcast: Advanced Malware Cleaning
Learn from Mark how to use the Sysinternals tools to identify malware infestations, from standard spyware to kernel-mode rootkits, and clean them off your systems.
http://www.microsoft.com/emea/itsshowtime/...spx?videoid=359
He teaches you the functions of Process Explorer & Autoruns specifically to find and remove malware. Here are the slides: Sysinternal__s_Mark_Russinovich___Advanced_Malware_Cleaning.zip (889.87k)
This post has been edited by AsenDURE: Jun 20 2007, 01:48 PM