Geek Culture / AAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHH (Spyware)

Author
Message
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 16th Jun 2004 10:21
WTF?!?!?!?

Somehow I got spyware on my computer, and no matter what I do to IE, it keeps resetting itself.

Normally my home page is about:blank but it keeps getting set to some gay search page. To make matters worse, popups. Lots of 'em.

I ran SpyBot and Ad-aware and Norton and nothing fixed it.

WHAT THE FUDGE DO I DO??


Team EOD :: Programmer/Storyboard Assistant
Dazzag
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Cyprus
Posted: 16th Jun 2004 11:04
Yeah, I know what you mean. And even when you think it's gone, it comes back sometimes. I had the same thing at home. Will look for the utility to remove it when I get back from work. Am sure I left it on my desktop. Can't remember what it's called, but even spyware programs that detect and remove it don't work 100% and it comes back later. Think it was called something like CWShredder (the removal tool)... may have been CoolWeb or somesuch (the spyware). Also seem to remember it stating that after removal a recent MS patch should stop it coming back.

Is a total pain in the a**e though. I prefer pop-up ads and junk mail to spyware. And the ones that silently take up bandwidth just rip the piss a bit. Apparently Norton and MS are cracking down on it now because it was rated no.1 annoyance in a recent poll, but unlike viruses, it is not illegal. Just a marketing tool. F**kers.... Much like pop-ups, if I find out which company it is, I won't buy from them out of principle.

Cheers

I am 99% probably lying in bed right now... so don't blame me for crappy typing
indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 16th Jun 2004 11:49
look for a piece of software called "hijackthis"

start it up do the scan then carefully look at the registry remarks it finds and delete the one you don't want.

If no-one gives you an answer to a question you have asked, consider: - Is your question clear. - Did you ask nicely. - Are you showing any effort to solve the problem yourself
Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 16th Jun 2004 11:54
http://s89223352.onlinehome.us/mirror/hjt/

Be sure you're completely offline when you run the program, otherwise it won't work.

"eureka" - Archimedes
Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 16th Jun 2004 11:57
Ah, Indi got to it before me.
If that doesn't work, or if it comes back, search for "cwShredder"

"eureka" - Archimedes
indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 16th Jun 2004 12:04
hijackthis is Uber for nasty spyware, thumbs up all around

If no-one gives you an answer to a question you have asked, consider: - Is your question clear. - Did you ask nicely. - Are you showing any effort to solve the problem yourself
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 16th Jun 2004 21:55
Nothing worked.

Used Ad-aware. Spybot. Norton. HijackThis. CWShredder. It's been detected but whatever the hell it is it keeps coming back -- it WON'T go away! It keeps creating EXEs and DLLs in my windows and windows/system32 folders. If I delete one, it creates another. I have no idea what to do.

HELP!


Team EOD :: Programmer/Storyboard Assistant
Zenincanin 14
20
Years of Service
User Offline
Joined: 14th Apr 2004
Location: In The Cat Lair at Peter Criss's House.
Posted: 16th Jun 2004 22:00
Well, if you know the names of the dlls and the exes then search for them on the internet. I had this same problem, if you search for the file i.e. "How do I delete filename.exe".

Drums are a great responsibility... They aren't just for playing around with.
IanM
Retired Moderator
22
Years of Service
User Offline
Joined: 11th Sep 2002
Location: In my moon base
Posted: 16th Jun 2004 22:08
What do those packages identify it as?

*** Coming soon - Network Plug-in - Check my site for info ***
For free Plug-ins, source and the Interface library for Visual C++ 6, .NET and now for Dev-C++ http://www.matrix1.demon.co.uk
Pincho Paxton
21
Years of Service
User Offline
Joined: 8th Dec 2002
Location:
Posted: 16th Jun 2004 22:17
Format!

KC27
20
Years of Service
User Offline
Joined: 18th Mar 2004
Location:
Posted: 16th Jun 2004 22:22
HZence - you may want to search google for a Spyware Blacklist, which, you will have to manually enter all items into the cookie and information blocker, but is incredibly useful. It removed 95% of the annoying spyware from coming back.

Dazzag
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Cyprus
Posted: 16th Jun 2004 22:29
Did you use CWShredder with absolutely no explorer windows open?

Cheers

I am 99% probably lying in bed right now... so don't blame me for crappy typing
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 16th Jun 2004 23:01
@IanM: DSO Exploit. At one point, Alexa, but that didn't come back. DSO Exploit is what keeps coming back.


Here's what my home page currently looks like no matter what I do. Notice how it points to a DLL file? That DLL is randomly created; I've already deleted 4 DLL files from my windows folder and a new one keeps re-appearing along with a randomly named EXE. I've checked the contents in NotePad though. All the DLL files that I've deleted have the same contents and are the same size.


This is what HijackThis finds. The first 6 objects have to do with those DLLs I keep telling you about. Look about 17 objects down and you'll notice "addko.exe". That's one of those randomly created exes. I keep ending the process, but it always starts up with internet explorer, so it's definitely a browser hijack.


And of course, DSO exploit. Spybot keeps finding it. I keep deleting it. Lo and behold, it always comes back.

I also noticed that whatever this thing is it finds certain "keywords" on webpages and makes them links to a search engine! For example, right now, I'm looking at my DBSpot FTP. There's an image I just uploaded called "spybot.jpg". It's a link that takes me to a search engine to search for "spybot"! This is PISSING ME OFF.

@Pincho: No.

@WMG: Will do in a sec.

@Dazzag: Yes.

Thanks for your help so far; hopefully you can help me get this worked out.


Team EOD :: Programmer/Storyboard Assistant
Pincho Paxton
21
Years of Service
User Offline
Joined: 8th Dec 2002
Location:
Posted: 16th Jun 2004 23:08
Addko looks like the problem. So you have deleted it in the registry. Have you looked for it in Windows? Have you looked for it in startup? Have you searched the registry for more Addko references? Try searching all of the Run files in the registry. Keep pressing F3, actually it might be harder to search the registry in XP.
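
The log triage discussed in the posts above, as an added example that is not part of the thread: Python that parses HijackThis-style log lines and groups the entries by the file they reference, so every registry reference to one dropped DLL or EXE is reviewed together rather than one entry at a time. The log lines and every file name except addko.exe are constructed, and the `CODE - description` entry layout is the assumed input format.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log style; this is not the poster's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qzxkp.dll/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qzxkp.dll/index.html
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\jhfde.dll
O4 - HKLM\..\Run: [addko.exe] C:\WINDOWS\addko.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
"""

# An IE page setting that loads a resource out of a local DLL (res://<path>.dll/...).
RES_DLL = re.compile(r'res://([A-Za-z]:\\[^/]+?\.dll)', re.I)
# First drive-letter path ending in .exe or .dll inside a BHO or Run entry.
FILE_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.I)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_line(line):
    """Split 'CODE - description' into (code, description); None for other lines."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.+)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def referenced_file(code, desc):
    """Return the lower-cased file path an entry points at, or None."""
    if code in ("R0", "R1"):        # IE start/search page settings
        m = RES_DLL.search(desc)
    elif code in ("O2", "O4"):      # browser helper objects, Run autostarts
        m = FILE_PATH.search(desc)
    else:
        m = None
    return m.group(1).lower() if m else None


def triage(log_text):
    """Map each file worth manual review to the entry codes that reference it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        code, desc = parsed
        path = referenced_file(code, desc)
        if path is None:
            continue
        folder = path.rsplit("\\", 1)[0]
        # IE page entries served from a local DLL are always reported; BHO and
        # Run entries only when the file sits directly in a Windows folder.
        # This is a review list, not a verdict: legitimate files can match too.
        if code.startswith("R") or folder in WINDOWS_DIRS:
            hits[path].append(code)
    return dict(hits)


if __name__ == "__main__":
    for path, codes in triage(SAMPLE_LOG).items():
        print(f"{path}: referenced by {', '.join(codes)}")
```
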

Dazzag
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Cyprus
Posted: 16th Jun 2004 23:25
Damn spyware... honestly I've had more hassle from Spyware and virus *killers* than any virus out there. In 15 years of having hardware that can get viruses, the worst I've had is the Italian 1 & 2 (bouncy ball). Virus killers on the other hand have crashed my machine, corrupted work files, and frozen the machine for ages (either processing or clashing with Word normally). Spyware though is really starting to hit home. The background cookie type efforts are a bit forgivable (you don't notice the broadband hit much, and ad-aware etc get rid of them), but these CoolWeb type search engines are the lowest of the low. Legal marketing aids? Spyware writers should be strung up and left to die. And the same to their families just in case they want revenge in the future. Really really hate spyware.....

Cheers

I am 99% probably lying in bed right now... so don't blame me for crappy typing
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 16th Jun 2004 23:35
Quote: "Addko looks like the problem. So you have deleted it in the registry. Have you looked for it in Windows? Have you looked for it in startup? Have you searched the registry for more Addko references? Try searching all of the Run files in the registry."


Yes, yes, and yes. Deleted the registry keys for DSO exploit numerous times, but they keep coming back. Addko ain't the problem; like I said, every time I delete one exe, a new, randomly named one takes its place. Don't know what to do.


Team EOD :: Programmer/Storyboard Assistant
zircher
21
Years of Service
User Offline
Joined: 27th Dec 2002
Location: Oklahoma
Posted: 16th Jun 2004 23:44 Edited at: 16th Jun 2004 23:45
Just for fun, why not keep the DLL and edit it to say about:blank and then make it read only?

BTW, you probably have a 3rd party product that is reinstalling the pests. File sharing programs are notorious for being hosts to spyware. Killing the baby pests won't do you any good if you don't find and kill the mother.
--
TAZ

History did not begin with PONG. -- Greg Costikyan

Game Beavers
CattleRustler
Retired Moderator
21
Years of Service
User Offline
Joined: 8th Aug 2003
Location: case modding at overclock.net
Posted: 16th Jun 2004 23:46 Edited at: 16th Jun 2004 23:47
kill the QUEEN!





(you know what I mean)


* DBP_NETLIB_v1.3 - NOW WITH VARIABLE WATCHER! * Click Logo
spooky
22
Years of Service
User Offline
Joined: 30th Aug 2002
Location: United Kingdom
Posted: 16th Jun 2004 23:54
Have you been doing regular windows updates as they have been fixing loads of exploits recently. Have you SP1 installed?

I would suggest downloading another virus killer like AVG from GRISOFT as it kills viruses much better than Norton (in my opinion that is). It's free as well.


Boo!
zircher
21
Years of Service
User Offline
Joined: 27th Dec 2002
Location: Oklahoma
Posted: 16th Jun 2004 23:57 Edited at: 17th Jun 2004 00:00
RIPLEY
... I say we take off and nuke the entire site from orbit. It's the only way to be sure.

BURKE
Now hold on a second. I'm not authorizing that action.

RIPLEY
Why not?

BURKE
Well, I mean... I know this is an emotional moment, but let's not make snap judgments.
Let's move cautiously. First, this physical installation had a substantial dollar value attached to it --

RIPLEY
They can bill me.

History did not begin with PONG. -- Greg Costikyan

Game Beavers
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 17th Jun 2004 00:08
Quote: "Have you SP1 installed?"


I have SP2 installed and have been updating windows constantly.

Anyway...GOOD NEWS!

I said to myself, screw it. I'm running system restore.

wooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo!

No more spyware.


Team EOD :: Programmer/Storyboard Assistant
Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 17th Jun 2004 04:44
Quote: "Did you use CWShredder with absolutely no explorer windows open?"


That won't do it. You must be completely disconnected, as in ripping the rj45 outa the pc. Also, make sure you have ALL of the MS updates.

"eureka" - Archimedes
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 17th Jun 2004 05:28
Quote: " You must be completely disconnected"


I was. I unplugged my connection entirely.


Team EOD :: Programmer/Storyboard Assistant
indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 17th Jun 2004 06:45
hijackthis should have worked, you probably did not delete the correct registry string.

if the DLL was something like 1234213541234512345.dll which is a unique number to your computer then i pity you because i had that for a while and had to seek help at a spyware removal forum.

one of the good forums is this one should it happen again.
http://www.spywareinfo.com/forums/

If no-one gives you an answer to a question you have asked, consider: - Is your question clear. - Did you ask nicely. - Are you showing any effort to solve the problem yourself
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 17th Jun 2004 07:15
Quote: "hijackthis should have worked, you probably did not delete the correct registry string."


Oh yeah, I guess not, especially not after sifting through all of the registry values HijackThis reported and working on removing the spyware for four hours in a row.

Quote: "if the DLL was something like 1234213541234512345.dll "


Nope. Like I said, it was randomly named. A random EXE was created as well. Here's what I did when I discovered this:

- Located the DLL file via the URL in my browser.
- Opened the DLL file, deleted its contents, saved it, set it to Read Only.
- Did the same for the accompanying EXE.
- Opened IE. Things appeared to be fine.
- Closed IE. Reopened it to discover that it came back - only with a NEW DLL file and EXE!
- Did this numerous times; no matter what, it kept coming back.

I figure there must be some other hidden app that no program recognizes that was causing this to happen.


Team EOD :: Programmer/Storyboard Assistant
indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 17th Jun 2004 07:45
that sounds like a nasty piece of spyware called a transponder. I had something very similar.

If no-one gives you an answer to a question you have asked, consider: - Is your question clear. - Did you ask nicely. - Are you showing any effort to solve the problem yourself
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 17th Jun 2004 08:15
Yeah, wish I knew what it was so I could hack the group that did it to me.

I've got a few exploits of my own I wanna try out


Team EOD :: Programmer/Storyboard Assistant
TheAbomb12
21
Years of Service
User Offline
Joined: 14th Aug 2003
Location: Amist the blue skies...
Posted: 17th Jun 2004 08:20
in the future, you might want to try keeping your internet security settings on high...

Amist the Blue Skies...
zenassem
21
Years of Service
User Offline
Joined: 10th Mar 2003
Location: Long Island, NY
Posted: 17th Jun 2004 09:46
I browsed through some of the comments and in-case it wasn't suggested, here are my suggestions especially for XP.

get these programs (most were mentioned)
-adaware
-cwshredder
-hijackthis
-spybot s & D (spybot search & destroy)
-spyware blaster

(first check task manager for any obvious processes that shouldn't be running. rather than just ending the process, be sure to right-click the process and choose "end process tree". this will end all associated processes.)

for XP you need to run these programs for every account on the computer. (don't forget the built-in administrator account)

With one as ugly as this you will need to run the scans (for each account) in "safe-mode" as well. (*make sure that all reference files are updated!)
run.
1>adaware
2>cwshredder
3>hijackthis
4>spybot S & D

I've seen many instances where hijackthis & cwshredder look clean, but turn up the spyware when run in safe mode

after your computer is cleaned. Install spyware blaster, and enable all protection for internet explorer. You can also manually enter blocks CLSIDs.

Lastly, consider opting for a different browser than IE. I tend to like Opera.

~zen


HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 17th Jun 2004 10:05
Thanks. But I already fixed it with System Restore.

Which I now worship.


Team EOD :: Programmer/Storyboard Assistant
flibX0r
21
Years of Service
User Offline
Joined: 14th Feb 2003
Location: Western Australia
Posted: 17th Jun 2004 13:02
Quote: " Thanks. But I already fixed it with System Restore.
Which I now worship."


:: booming voice ::

All hail the mighty System Restore, for thou haseth returned thee from the clutches of evil.


I love System restore. One time for no reason, me login just disappeared. Files were still there, but no login. System restore saved me

jasuk70
21
Years of Service
User Offline
Joined: 3rd Dec 2002
Location: Hemel Hempstead
Posted: 17th Jun 2004 13:54
I've registered and use a product called PestPatrol. Had a similar attack on my machine. Since i've had that running it has never got one piece of spyware on my machine again. It even deletes dodgy cookies almost as soon as they get put on your machine. It has another thing running that monitors the memory and stops the spyware software from loading in the first place.

Jas

----
"What is this talk of 'release'? Klingons do not 'release' software. It escapes leaving a bloody trail of developers and quality assurance people in its wake!"
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 17th Jun 2004 20:17
Now that is cool. Where can I get that from?


Team EOD :: Programmer/Storyboard Assistant
jasuk70
21
Years of Service
User Offline
Joined: 3rd Dec 2002
Location: Hemel Hempstead
Posted: 18th Jun 2004 12:51
It should be http://www.pestpatrol.com/

But there seems to be a problem getting to it at the moment.

Jas

----
"What is this talk of 'release'? Klingons do not 'release' software. It escapes leaving a bloody trail of developers and quality assurance people in its wake!"
OSX Using Happy Dude
21
Years of Service
User Offline
Joined: 21st Aug 2003
Location: At home
Posted: 18th Jun 2004 13:54
If you're using XP, I would strongly recommend you getting the SP2 RC2 - don't wait for the gold version.


The place for great plug-ins and things.
There's the right way, the wrong way and the TCA way...
Arkheii
21
Years of Service
User Offline
Joined: 15th Jun 2003
Location: QC, Philippines
Posted: 18th Jun 2004 14:41
I have ZoneAlarm. Prevents apps from accessing the net without your permission. It does its job for most of them at least, and a pretty good popup blocker. Also prevents some sites from installing crap in your PC. Not perfect though, but I always make sure to install it after reformats.

indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 19th Jun 2004 05:01
zonealarm lmao, it's a little more than that free firewall buddy

If no-one gives you an answer to a question you have asked, consider: - Is your question clear. - Did you ask nicely. - Are you showing any effort to solve the problem yourself
HZence
21
Years of Service
User Offline
Joined: 9th Mar 2003
Location:
Posted: 19th Jun 2004 05:13
Used to use zonealarm, didn't allow IE to work for some reason, even after I put it under program permissions. I gave up on that.


Team EOD :: Programmer/Storyboard Assistant
