Home Page Hijacked, Global Dialers, Favorites Deleted

Hello All,

I hope I am posting this to the right forum and thread. If not please excuse my ignorance, and correct the post.

Anyhow to cut to the chase I have a big problem with a friend's computer concerning these hijacking programs. So far I have installed; McAfee, Ad-Aware6, Spybot S&D, SpyWareBlaster, SpyWareGuard, Xcleaner and Stop the Pop. And I have tried to manually edit over the files also. (ALL updates installed.)

With WinXP I am still getting the IE Favorites hijacked, having all the important saved web links deleted and then replaced with dozens of links like the following:

(I don't recommend clicking on the links.)
hxxp://young-erotic.com/
hxxp://80pictures.com/
hxxp://60pictures.com/
(Substitute other numbers in place of 80 and 60 for more links)
hxxp://top-teen-sex.com/
hxxp://searchlolitas.com/

for security reasons, hxxp has replaced the original http - paul

Now at the same time the homepage is deleted and replaced with with that says something similar to: -http:aboutblank.com/- Also I seem to remember one that says something about coolbits.

And in another area which doesn’t appear as closely related to the above, my friends are getting global dialers installed on their computers and I can’t keep them off. They seem to be specific to one set of dialers
that continueally expands themselves. It says something about in the icon about “tone” with the icon having a yellow circle with triangles around it, which appears to represent the sun.

And this appears on the desktop, as had other similar links, PLUS links for Diet Pills, buy health insurance, buy life insurance, auto insurance, etc……… all of which is only a link to a website.That is all the information
I can get when checking out the Properties.

I can spend the time to manually delete these dialers and icons, which actually takes quiet a bit of time, but they come back in a matter of hours or a couple of days at most.

I am at my wits end. I know nothing else to do but write here.
If anyone has any ideas please let me know.

Thank You,
Mike

 

Hi Mike360000,

Can you please download and run HijackThis from

http://www.mjc1.com/files/merijn/hijackthis.zip

and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on.

Thanks

 

Ok will do!
However I have just cleaned the computer today.
So maybe tomorrow I can go back and run the program on it, giving it time to hijack everything again.

Looks like I am learning a lot about all this. But gee I've been into computers since the mid 80s and I have never, ever seen anything like what is going on now with viruses, trojans, parasites, hijackers, spam and such. I never would have dreamed this 15 years ago, nor even 10!

I'll get back with you ASAP.

I'll admit, it's quiet a challenge.

Thanks,
Mike

 

Hey Mike

Welcome to Wilders!

Actually, if your issues keep recurring after each clean, then that presupposes the fact that there are some items that the "clean" did not take care of and these should be evident in the HJT log now even if the symptoms have not yet manifested themselves again.

I agree completely with you that the malware front poses incredible challenges, but that is what (to me) makes it so interesting a field of study.

 

Thanks for the welcome.
This is certainly different from the forums I'm used to.
I mostly stay in the overclocking forums, and video card forums.

About what you wrote concerning the log showing evidence.
Do you mean by running the program, it will show the needed information even if I have manually removed the offending files and links just before I run the program? That it doesn't matter about when I cleaned the files as long as they continue to show up short times later?

I worked for almost 5 hours today trying to get that computer clean. It is the worst case of infestation I have ever seen.

What I don't understand is how these people can get away with being allowed to do this over the Internet? I mean really, it is an invasion of privacy. It is one thing for a website or some program to have such and state it, but all this stuff that just floats through cyberspace looking for victims is another. I'd like to see somebody yang their change the same way sometime!

Also I wonder if there is really that much money to be gained in them doing this? Surely there must be since it is so prevailent, but I don't see how there can be so many ignorant people to buy into their way of hijacking your computer to sell you something.

Surely their will eventually be laws to stop this madness?

Cheers, and Thanks again,
Mike

 

BTW on a side note:
I am wondering since I haven't ever used this much anti spam, trojan, parasite and hijacking programs before, but I keep on getting a message that Spybot S&D has blocked "Avenue A Inc." Now this has me me puzzled because I get this Avenue A all the time. I can get it at practically any website I go to. So what's the scoop on Avenue A?

Cheers,
Mike

 

OK here it is.
One problem though.
At this time the computer this was run on is unable to update WinXP.
So do what you can.

Here is the offender from below:

Autorun entries from Registry:
sws.exe = c:\program files\GlobalDialer\tonex00233\svchost.exe -remove

I have removed this several different ways, but to no avail.
Matter of fact I just got through running CWShredder on it and it said the system was clean just before I ran Hijackthis.

Thanks,
Mike


StartupList report, 1/6/2004, 3:01:09 PM
StartupList version: 1.52
Started from : C:\1XP\HijackThis\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Touchpad\Gesture.exe
C:\WINNT\System32\taskswitch.exe
C:\WINNT\System32\fast.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\WINNT\System32\glidew32.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\spywareguardcp.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
C:\WINNT\System32\Fast.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\rasautou.exe
C:\1XP\HijackThis\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Lee Kiser\Start Menu\Programs\Startup]
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
SpywareGuard Control Panel.lnk = C:\Program Files\SpywareGuard\spywareguardcp.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
SoundMan = SOUNDMAN.EXE
CirqueGesture = C:\Program Files\Touchpad\Gesture.exe
CoolSwitch = C:\WINNT\System32\taskswitch.exe
FastUser = C:\WINNT\System32\fast.exe
MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
Glide = glidew32.exe
TangoManager = C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
sureshotpopupkiller = "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
sws.exe = c:\program files\GlobalDialer\tonex00233\svchost.exe -remove

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\OBROTH~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL - {00000185-C745-43D2-44F1-01A1C789C738}
(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Microsoft Excel - (no file) - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972}
(no name) - (no file) - {689E84CC-9549-4003-9B0F-2F807CF71FCC}
(no name) - C:\WINNT\hh.dll - {BCF96FB4-5F1B-497B-AECC-910304A55011}
(no name) - (no file) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Update Check (LEE-Administrator).job
McAfee.com Update Check (LEE-Brenda).job
McAfee.com Update Check (LEE-Lee Kiser).job
McAfee.com Update Check (LEE-Matthew).job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[McAfee.com Operating System Class]
InProcServer32 = C:\WINNT\System32\mcinsctl.dll
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.5521643519

[YahooYMailTo Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll
PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll

--------------------------------------------------
End of report, 6,479 bytes

 

Hi Mike360000,

What you posted is a StartUpList, we will need a HijackThis log made like this:
Run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.

We can see what's wrong with the StartUpList, but it offers no means to correct it. HijackThis does.

Regards,

Pieter

 

Oooops, sorry about that.
I'll try this again.

Logfile of HijackThis v1.97.7
Scan saved at 4:54:04 PM, on 1/6/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Touchpad\Gesture.exe
C:\WINNT\System32\taskswitch.exe
C:\WINNT\System32\fast.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\glidew32.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\spywareguardcp.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\System32\Fast.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINNT\explorer.exe
C:\1XP\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.inf/?id=54
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - (no file)
O2 - BHO: (no name) - {689E84CC-9549-4003-9B0F-2F807CF71FCC} - (no file)
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINNT\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINNT\System32\fast.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SpywareGuard Control Panel.lnk = C:\Program Files\SpywareGuard\spywareguardcp.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.5521643519
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C02DC1FD-417E-438D-BAC2-811B66750A6C}: NameServer = 166.102.165.11 166.102.165.13

Thanks,
Mike

 

Hi Mike,

Can you first make sure all hidden files and folders are set to show :

Here's how

Then , navigate to :

C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL <- and send me this file -> [unzy @ wilders.org] Thanks!

Next, can you try fixing the following with HijackThis :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://about-blank.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://aifind.inf/?id=54
R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {00000185-C745-43D2-44F1-01A1C789C738} - C:\DOCUME~1\LEEKIS~1\LOCALS~1\Temp\BHO010~1.DLL
O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - (no file)
O2 - BHO: (no name) - {689E84CC-9549-4003-9B0F-2F807CF71FCC} - (no file)
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hh.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

Reboot after doing so and make sure you update XP to the latest service pack (SP1) and that you have the latest version + updates of IE as well, at windowsupdate.com

Also make sure to clean out your temporary internet files

Hope this helps,

Keep us posted

Cheers,

 

Hi Unzy,
OK I have everything done but I have a question about one of the keys.

"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com"

Is the above key important or not? I say this because they are using Yahoo as well as I. I left it for the time being.

I sent you the file you requested.

Also as I mentioned in my email; I can't understand why McAfee AV, AdAware6, Spybot S&D, Xcleaner, Spywareblaster nor Spywareguard could not stop this from continueally happening to the computer. Not only that but all of them failed to recognize all the things you said to remove. Any idea as to why they missed all this? I saw and recognized some of the files you mentioned and had removed them yesterday before you posted above this post.

Thanks,
Mike

 

Hi Mike,

Don't worry about that key, it's harmless.

About antivirus not stopping these attacks, that's because they aren't of a viral nature. Spyware is usually not detected by AV's

That BHO you had is a new , unknown one, therefor not detected or blocked by programs as SB or SG. Still puzzling out what exactly it does.

In fact spybot/adaware must have detected some other ones, because all the (no file) entries are leftovers from previously cleaned malware.

As for the startpage hijack, spywareguard should have given you a notice at the exact time the hijack happened, offering you a choice to restore old values or keep new one.

Needless to say of course you should on a frequently basis (let's say at least once a week) update SB and SG, as well as SpyBot and Adaware.

Is everything ok now?

Cheers,

 

Hi Unzy,

About that BHO you are looking at. Does this fit the bill?
http://www.doxdesk.com/parasite/SmartBrowser.html

The CLSID's are similar and the filename fits.
Could be a new variant.

Regards,

Pieter

 

That's exactly it Pieter

good job

Cheers,

 

I'll add it to the list.

Good job right back at ya.

Regards,

Pieter

 

Hi Unzy,
Alrighty, so we've gotten somewhere. Everything seems fine so far.
No more hijacks, but I won't pass on it untill tomorrow.

I do have some comments though.
I understand what you say about the McAfee AV. Just I have seen McAfee in use give reports of possible threats on some parasites. NOT that McAfee said it was a virus but a possible threat.

I agree with Pieter's link also. That fits my problem exactly.
As for the anti-spyware and hijack programs I am running, I have a question.
Will this new parasite variant be added to any of the program I listed that I used? I guess I am really wondering which programs I used are taking a look at this forum and this post, and which you may be directly involved with?

I had personally cleaned out several pieces of spyware/parasites, manually that I knew was wrong. And then of course I will agree the programs I used removed much more of the spyware/parasites...etc..(malware) than I ever could have. The computer was a complete mess when I got to it. I would barely run IE on the net, and even off the net the desktop was getting several Icons advirtising different things. I've spent close to 10 hrs trying to clean this thing.

There was mention of some yet unidentified installer file that was needed.
I found a suspicious installer file in the C:\ drive root while manually checking. The file was called icinstaller.exe I ran a check on it but never came up with anything.

Spywareguard was running but I never received any warnings from it. I wonder why it didn't detect these changes?

I'm really interested in which anti-spy/malware programs will be integrating the fix for this parasite.

Thanks again,
Mike

 

As for the first question, a program like SpywareBlaster will take that BHO and clsid into it's database, hopefully thus blocking it from entering your machine in the future.

As for SpywareGuard, I really don't know why SG did not give you a warning when your homepage was changed. When you say it is running, do you see the red SG icon in the system tray (below right) ?

Also, esp. for SB it's important you update frequently

Cheers,

 

Hi Unzy,

You asked:
"As for SpywareGuard, I really don't know why SG did not give you a warning when your homepage was changed. When you say it is running, do you see the red SG icon in the system tray (below right) ?"

Sure was!
Did that file file I sent show you anything of help?

Thanks,
Mike

 

Hi Mike,

Yes that file indeed helped out, thanks (as described above.)

About SG, does it look like this ? :

(check everything : engine, definitions, version etc...)

 

Yes, and it was the most recent version.
Actually I think there was an update to at the end of December......
Strange it didn't find the parasite, no?

Thanks,
Mike

 

Let's hope it was a one timer

Anyway, glad all seems to be well now again

Take care

Cheers,

 

Mike,
I've been experiencing identical behaviour on my machine, requiring hours of manual cleaning. On Jan 6 you posted..."
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE"
as a file/directory listing.
As you can see 'svchost.exe' is listed twice because I believe they're actually two different files (check the sizes). Pressing CTRL/ALT/DEL will show a svchost.exe process using approx 10,000k of memory. Killing this prevents my popups and redirection (on WinXP w\ IE6). (((ALTHOUGH I'M NOT SUGGESTING YOU START KILLING PR0CESSES, ITS SIMPLY SOMETHING I FOUND ON MY MACHINE)))).
Checking your run key under HKLM or HKCU will list something similar to...."sws.exe=C:\Program Files\...\...\sws.exe -remove" The problem is... I've never found a file named "sws.exe".
I wonder if spyware or an unknown/unsuspecting file (similar to svchost.exe) is really disguisted as a system file and is constantly "listening" for removal attempts. Possible polling the system every few hours and then replaceing the files/registry entries.
Global Dialer was being installed into my "C:\Program Files\ GlobalDialer directory. Using the UnInstall pretended to remove it, but since it was in the "C:\Documents\***\Local Settings\Temporary Internet Files" it would reinstall within hours.
Another one of my many problems was that my homepage was being redirected to "IDGSearch.com". Thankfully they have a link and application that will remove/fix the problem in their "Contact Us" or "Support Page". I hope this helps quite a few people, since it's driving me nuts doing the QA/Testing on it.

 

Hi PumkinHead,

Welcome at Wilders.

A few comments on your approach.

Why are there multiple instances of svchost.exe running?
As long as the file is found in the System32 directory I would recommend not to end-task it.

Removing the GlobalDialer folder in safe mode and getting adequate protection so it can't return, will effectively stop it, after which you can clean out any other leftovers (mostly in the registry).

IDGsearch is a CWS variant and I would recommend using the tool offered at Merijn's site as opposed to the one provided by the site the hijack leads to.

Regards,

Pieter