Spybot problem

Discussion in 'privacy problems' started by negative creep, Aug 30, 2004.

Thread Status:
Not open for further replies.
  1. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    I got the following error:

    Spybot - Search & Destroy has detected an important registry has been changed.

    Category: browser page
    Change: Value changed

    Entry: SearchAssistant

    Old data: hxxp: //www.gmzyisweqmetvcepralik.biz/iTiDE
    New data: hxxp: //www.qihxzppktbk.biz/iTiDErIUlrhPgrZwr2B


    Then I can choose to allow the change or deny the change, but I have no idea what this is. Can anyone help me?
     
    Last edited by a moderator: Aug 31, 2004
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    That's not an error - that is Spybot's Teatimer telling you that some search assistant spyware is attempting to install itself.
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Yes, and also Detox, what concerns me looking at that, it's trying to update itself by the looks.

    The 'old' value and the 'new' value both have identical components in it.

    Unless I am way off the mark, but to me it would be a concern.

    TAS
     
  4. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    OK thanks, but what should I do?
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi negative creep, and welcome to Wilders.

    Since you are using Spybot S&D, you could go to Net-Integrations forum and post a HijackThis log where one of the spyware removal experts will analyse it and post back instructions on how to remove the hijacker.

    When you go to their forum, please look up near the top and click on the "Malware Removal Procedures". Follow the steps listed there before posting your hijackthis log in their forum.

    Let us know how you do. :)

    Regards,

    snap
     
    Last edited: Aug 31, 2004
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    I guess I should ask, lol. You have done a scan with Spybot S&D since you received that alert from Tea Timer, and fixed everything Spybot S&D listed in red? :)

    If not, please do a scan and fix anything it lists in red, reboot and scan again until nothing else is listed in red. Then go to Net-Integrations and follow their posting procedures for posting a HijackThis log.

    Regards,

    snap
     
  7. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    Hi snapdragin,

    I had already scanned with Spybot and deleted all things in red. Now I scanned again and found the same two; I have deleted them again. I hope this fixes it.

    problem kind

    C2.lop 2 entries
    DSO Exploit 5 entries
     
  8. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    Well, I still have the problem. Again it's the search assistant entry, but the old data has changed since yesterday and the new data is changing every time I click deny change.

    Old data: hxxp ://www.ffejqvlhxwoep.com/iTiDErIUQlrhF
    new data: hxxp ://www.bdypuwvdvz.net/iTiDErIUQlrhPgr
     
    Last edited by a moderator: Aug 31, 2004
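
Added example, not part of any post in this thread: a small Python check that reads the two TeaTimer old/new pairs quoted above and tests for the pattern the posters point out, a changing host with a path that keeps the same leading component. The function names and the consonant-run threshold are assumptions made for this illustration, not anything Spybot S&D itself does.

```python
import re
from os.path import commonprefix

# Old/new SearchAssistant values exactly as quoted (defanged) in the thread.
ALERTS = [
    ("hxxp: //www.gmzyisweqmetvcepralik.biz/iTiDE",
     "hxxp: //www.qihxzppktbk.biz/iTiDErIUlrhPgrZwr2B"),
    ("hxxp ://www.ffejqvlhxwoep.com/iTiDErIUQlrhF",
     "hxxp ://www.bdypuwvdvz.net/iTiDErIUQlrhPgr"),
]

# Accepts http/https and the defanged hxxp form, with stray spaces around ':'.
URL_RE = re.compile(r"^h(?:tt|xx)ps?\s*:\s*//([^/\s]+)(/\S*)?$", re.IGNORECASE)
MIN_CONSONANT_RUN = 4  # assumption: crude threshold for an unpronounceable label

def split_url(value):
    """Return (host, path) from a possibly defanged URL string."""
    m = URL_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a URL: {value!r}")
    return m.group(1).lower(), m.group(2) or "/"

def looks_generated(host):
    """True if the label left of the TLD has a long run of consonants.

    Assumes a single-label TLD (.com, .biz, .net), as in the thread's values.
    """
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    return max((len(r) for r in runs), default=0) >= MIN_CONSONANT_RUN

def analyse_change(old, new):
    """Compare one old/new pair the way a reader would inspect the alert."""
    old_host, old_path = split_url(old)
    new_host, new_path = split_url(new)
    shared = commonprefix([old_path, new_path])
    rotating = (old_host != new_host
                and len(shared) > 1  # more than the bare "/"
                and looks_generated(old_host)
                and looks_generated(new_host))
    return {"old_host": old_host, "new_host": new_host,
            "shared_path": shared, "rotating_hijack": rotating}

if __name__ == "__main__":
    for old, new in ALERTS:
        print(analyse_change(old, new))
```

Both pairs from the thread come back flagged, while a change between two ordinary hostnames does not.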
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi

    I've found a thread at Net-Integrations where a few others have posted similar alerts from Tea Timer:

    http://forums.net-integration.net/index.php?showtopic=21660

    You may want to go to that link and read through it, then follow up with posting a HijackThis log in the appropriate forum there (please remember to read their posting procedures first.)

    For the 5 DSO Exploit entries. Those you can ignore if your Windows is fully up to date with its patches/critical updates. These are false positives which should be fixed in the next final release. Here's another link that also explains it: https://www.wilderssecurity.com/showthread.php?t=45842

    Please post back and let us know what happens.

    Regards,

    snap
     
  10. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    Should I click on remember this decision? Will the problem be solved then? :doubt:
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    No, I'm fairly sure the problem won't go away until the hijacker is removed completely. I don't want to guess when it comes to these kinds of hijackers (constantly changing like this one is), that is why I have suggested you post a HijackThis log so the file that has put the hijacker there will be exposed and deleted. Spybot S&D (and from what I've read in that thread at NI, AdAware also) do not seem to be removing this one. It may take manual removal.

    snap
     
  12. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    thank you for the link. I have posted there.
    But hijackthis log o_O

    What is a hijackthis log?

    :oops: sorry for being a newbie.

    NC
     
  13. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi negative creep...

    You could try another program, AdAware SE, but in all likelihood you will still have to follow snap's advice in posts above.

    Download AdAware SE Personal here: http://www.lavasoft.nu/

    Instructions in case you are not familiar with it: :)

    When installed, start it, and on the main GUI, you will see a link: "Check for Updates Now" click that.
    A window will open, and it will commence to download updates.
    When updates dl'd, the Cancel button will change to Proceed, click that.

    Now on top right of main GUI you will see some symbols, click the one that looks like a gear cog. [AdAware Configuration Window for Settings]
    A window will open which will give you options, click on the Scanning button and check off like mine.

    Click Proceed.

    Back on main window, click on Start, it will take you to another screen within the main GUI.
    Select Full System Scan in the 'Select a Scan Mode' option, then click next.
    Let it run thru and see if it can find anything.
    When scanning finished, you will see what to do next.
    Check items and click Next and it will ask if you want to quarantine the selected items. OK...

    But, as I said, you probably will have to follow snap's directions above.

    OH.. DSO Exploit.. Quote from LowWaterMark:
    Cheers, TAS

    EDIT: lol.. I see snap has already said AdAware also may not fix it.
    Oh well you will have 2 scanners anyway. :D


    If you already have posted, they should tell you where and what to do with HiJackThis. Best wait for instructions from them.
     

  14. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    hi tassie_devils,

    I already had Adaware SE

    It all started like this:

    Yesterday I turned on my computer and I found new shortcuts on my desktop. :eek: Things like casino, travel something, ink cartridges. (Also my starting browser page changed to something unknown.) I deleted those and I ran Adaware. I deleted everything that was found. Next thing I know, same shortcuts again on my desktop. That's when I downloaded Spybot S&D and deleted everything in red.

    c2.lop
    dso entries
    coolwwwsearch (or something like that, I can't remember the exact name)

    No more unknown shortcuts on my desktop, but this problem with TeaTimer.

    NC
     
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi negative creep...

    Coolwebsearch... very bad news mate. :mad:

    Follow snap's advice and also the Rules/etc. at NI when they ask you to post a HJT log. You will be in fine hands. :)

    Cheers, TAS
     
  16. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    you could try a couple of these options first... to get coolwebsearch under control a bit.

    Download and unzip

    cwshredder 1.59

    Disconnect from the internet, make sure ALL browsers are closed first, then run CWShredder by clicking on the *Fix button and follow the instructions you will receive when the program runs. Reboot if prompted.
    Actually do a reboot anyway and rerun Shredder *FIX button NOT scan.

    Then..

    Disk Cleanup Utility [Information only, not actually something you download.]

    Go to your Start button -->Select 'Run' and type in the box: cleanmgr, hit enter/click OK This will bring up the Disk Cleanup Manager from your system.

    Place a check mark in the box beside Temporary Files, Temporary Internet Files, and Recycle Bin.
    Then click "OK" and the Disk Cleanup Wizard will delete the files you've placed a check mark beside.

    Then rerun Spybot, and post finding at NI, and wait for further assistance. You will still have some work to do. ;)

    The reason being that CWShredder is not being updated anymore, and there very well may be mutated strains in your system it won't completely clean.

    TAS
     
  17. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
    I downloaded CWShredder and it found nothing. Maybe Adaware fixed it already.

    I will now run the disk clean up wizard.
     
  18. negative creep

    negative creep Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    17
    Location:
    Netherlands
  19. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    ok NC... I guess that's about all that can be done here at that point I am afraid unless someone else has an idea. But, frankly, it's now a HiJackThis analysis I reckon.

    So follow up with your post over at NI.

    Please let us know the outcome.

    Best, TAS
     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    those entries are LOP entries

    It's a new version of lop that adaware etc haven't caught up with yet

    it's easy to fix using a hjt log

    & one of the forums that analyse HJT logs will soon fix you up
     