Jump to content


Photo

Singing the adware blues :(


  • Please log in to reply
12 replies to this topic

#1 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 10:20 PM

Hi,
I have adware or maybe spyware in my pc and I can't get rid of it. Spybot catches it every time, but it just pops back up when I go to the web. Spybot consistantly catches the same 11 programs, but they come back. Also it seems to have changed my registry. I know that this ware comes from I-Lookup, Link Synergy, MediaPlex, Doubleclick, Advertising.com and Avenue A Inc. This is what Spybot catches. I tried to download the "Hijack This" program but another link popped up stating that site could not be found. Any suggestions?? This thing is driving me crazy! :techsupport: Thanx in advance!

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 01 June 2004 - 10:24 PM

Things to do. Try these mirrors for Hijack this.

http://www.spywarein.../HijackThis.exe
http://tools.zerosrealm.com/hjt.zip

Then Unzip it if you downloaded it from link #2 and Put it in its own Folder. For example C:\Hijack This\ Program here. Double click it and hit scan. Then hit save log. Save it to your desktop. Open the log and select all objects. Then Copy the whole thing and paste it here. Good luck. See if those links work, if not tell us.


- RD -


Edit: I had to come back for this. That is the best topic ive ever seen lol ;)

Edited by RubbeR DuckY, 01 June 2004 - 10:26 PM.

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#3 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 10:28 PM

Thanx Ducky, your help is appreciated! I will try those links.

#4 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 10:37 PM

Just to let you know I got it downloaded. I raed that I should go to the Hijack forums and read there first before using so I'll do that. Thanx again for the help and it's cool that sites like this exist! Thanx!

btw...I thought that topic was a good chuckle as well... take care.

Spoonbread

#5 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 01 June 2004 - 10:38 PM

You can go ahead and procede with my second directions :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#6 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 10:48 PM

Ok, here's the log.....

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\ClearSearch\Loader.exe
C:\DOCUME~1\Michael\LOCALS~1\Temp\bundle.exe
C:\Program Files\RCPrograms\RCSync.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\ASTART.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Michael\My Documents\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
O2 - BHO: (no name) - {000000F1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\FOne.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec32.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WebInstall2] C:\DOCUME~1\Michael\LOCALS~1\Temp\ins5.tmp /R /A
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Michael\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ASTART] C:\WINDOWS\ASTART
O4 - HKLM\..\Run: [PrizeSurfer] C:\Program Files\RCPrograms\v2\prizesurfer.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Michael\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\Palm\HotSync.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://nsw-chat.bigp...com/java/cr.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsy...0006/btiein.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned33.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7592.8151388889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} (iiittt Class) - file://C:\install.cab


Is this what I should be looking at? I see the I-Lookup, but not the others that Spybot catches. Any suggestions?

#7 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 01 June 2004 - 10:52 PM

Ok Download www.Spywareinfo.com/~merijn/files/CWShredder.exe and save it to your desktop. Double click it and hit Fix. Then let it run and hit exit. Restart your computer and post a new log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#8 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 10:58 PM

Ok...will do.

#9 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 11:05 PM

Ok, kinda confused here, and I want to be sure I'm doing this right. I downloaded the shredder and hit scan. This is what it posted...

CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.or.../hijackthis.zip
http://www.spywarein.../hijackthis.zip

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://i-lookup.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://i-lookup.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://i-lookup.com/search.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: http://i-lookup.com/search.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Infected data: http://i-lookup.com/search.html
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (1528 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (274 bytes, A)

- END OF REPORT -

The shredder program only has 2 buttons, scan and exit. Where do I go from here, do I use Hijackthis?

#10 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 01 June 2004 - 11:07 PM

Look what i said, hit fix :D. At least we know that itll find something hehe :). Ok hit Fix not scan and let it run. Then hit exit and restart your computer. Then post a NEW hjt log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#11 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 11:43 PM

Ya know, sometimes the obvious escapes us!! LOL!
Ok, I did it ( Really! The button said "next", not "fix", but when I rebooted the pc it said fix! Geeez....lolol!) This is the report from the shredder....

Done!
Your system was completely clean.

CWShredder v1.57.0
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://www.spywareinfoforum.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywarein...chronicles.html

For donations to help support CWShredder, visit:
http://www.spywarein...ijn/donate.html

BUT!...... I still have the problem. One of the things this "bug" does is highlight words like virus, virus removal, etc., in orange. If I click on that word, it sends me to a virus removal web page. So when I returned here, I found those words highlighted again. Also I ran a scan with HijackThis and found the same I-Lookup there.

#12 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 01 June 2004 - 11:56 PM

Ok, I don't see Ducky around, can anyone else help with this problem??

#13 spoonbread

spoonbread

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 02 June 2004 - 02:14 AM

ok..bump!..




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button