  1. #1

    weird spyware/adware?

    i have some weird spyware/adware things on my comp that messes with IE. whenever i go to a site that doesn't work, it redirects me to this errorplace.com page, and then to a lycos search page. i also get random pop-ups. i ran ad-aware and spybot S&D several times but they didn't get rid of it. i went to errorplace.com and they had this program which is supposed to uninstall the redirecting thing. i don't know if it was a good idea, but i downloaded it and ran it. it said to exit out of IE but i did, and it didn't do anything else. i searched on google for "errorplace.com" but got nothing. help!

  2. #2
    Close IE then run it. If nothing happens then, run SpyBot in Advanced Mode, be careful what you remove.
    ServeYourSite
    Web hosting done right
    ██ Shared, Reseller and Dedicated web hosting
    An Easy Web Presence Company

  3. #3
    tried both, still nothing
    also ran a virus scan which didn't pick up anything either

  4. #4
    Control Panel >> Add Remove Programs see if it's there. This is weird ....

  5. #5
    Join Date
    Dec 2002
    Location
    Montreal, Canada
    Posts
    5,320
    Seems like you have a CoolWebSearch virus that is impossible to remove with AdAware or Spybot.

    Give me one minute, I'll help you. Let me just grab some info on this.
    Hosting Discussion - web hosting community.

    Is your company represented?

  6. #6
    Join Date
    Dec 2000
    Location
    The Woodlands, Tx
    Posts
    5,974
    http://webtracker.info/miniremoval_c...martkiller.exe

    If it is coolwebsearch, this will remove it.

  7. #7
    Join Date
    Dec 2002
    Location
    Montreal, Canada
    Posts
    5,320
    OK, so you have a virus that will never be noticed by Spybot or AdAware. The virus you got, I think, is CoolWebSearch.

    I had exactly the same problem.

    To get rid of it:

    1. Download HijackThis:
    http://www.zerosrealm.com/downloads/hjt.zip

    Unzip it to a separate folder, then close all windows and Internet programs and run it.

    DON'T FIX ANYTHING on your own. If you are not sure, press Ctrl+A to Select All, then paste results in here.


    2. Most likely, you will see a few lines related to your Internet Explorer search functions that are infected, as well as a few (7-9) sex pages-viruses.

    Do not remove or fix anything through Hijack This - this is just to verify the computer is infected.

    If you see the Internet Explorer/search pages hijacked with other URLs, you DO have a virus.

    If you do, proceed with this:

    Download CWShredder:
    http://www.spywareinfo.com/~merijn/files/CWShredder.exe

    Open -> doubleclick cwshredder.exe -> click "FIX"


    After that, reboot and you are in the clear.

    Make sure your homepage is set to the right page just in case.

    If you feel like it, you can paste in the new scan from Hijack This for verification.

    One of the side effects of this virus is that it slows down your Internet experience and often crashes Explorer. But that's it, you should notice you're back to normal operations.

    Best,

  8. #8
    Join Date
    Oct 2002
    Posts
    13,624
    SPY SWEEPER is your friend........

    The Dude

    Tinyurl is the answer for posting long urls!!!

  9. #9
    webdude, i tried that program and it said coolwebsearch was not found on my computer

    artashes, i ran hijack-this and this is what it came up with:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B951EA98-6DB9-4786-BE94-01E61859AE9B} - C:\WINDOWS\xuhhylfzs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ctrkiao] C:\WINDOWS\jhzwze.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O4 - Global Startup: Versato.lnk = C:\Program Files\MediaKey\Versato.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
    the only thing i think looks weird is the 2 "urlsearchhooks" in the beginning. should i "fix" them?

    i then ran that other program, but it didn't seem to fix anything

    the dude, i will try spysweeper and post back with results.

  10. #10
    Join Date
    Dec 2002
    Location
    Montreal, Canada
    Posts
    5,320
    The "URLSearchHooks" might really be the one.

    Do NOT fix anything with Hijack This. You have to be a system expert to understand what you're fixing.

    Instead:

    Download CWShredder:
    http://www.spywareinfo.com/~merijn/files/CWShredder.exe

    Open -> doubleclick cwshredder.exe -> click "FIX"

    After that, reboot and you are in the clear.

    Make sure your homepage is set to the right page just in case.

    I hope this will fix the glitch you are having.

    Best,

  11. #11
    Join Date
    Aug 2003
    Posts
    2,071
    O4 - HKLM\..\Run: [ctrkiao] C:\WINDOWS\jhzwze.exe
    I may be paranoid, but if you ask me, that file name seems... suspicious and google doesn't have any search results with the entry name nor the file name...

  12. #12
    i already ran cwshredder, but that didn't seem to fix anything

    what should i do about jhzwze.exe?

    and i just tried spy sweeper...it removed a bunch of stuff, but still didn't fix my problem

    also, a couple days ago, i was getting occasional slowdowns (fps drops) in CS...probably related to that virus/adware/spyware

  13. #13
    Join Date
    Aug 2003
    Posts
    2,071
    If you don't recognize the file as well (ctrkiao or jhzwze.exe), and you don't think it is anything that you've installed, you can remove it by doing these steps:
    Call up task manager (ctrl + shift + esc in win XP/2000, single click ctrl + alt + del in win 9X/ME)
    Look for the task jhzwze.exe and kill it
    Then, launch registry editor: Start => Run => "regedit.exe"
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
    Look for the ctrkiao key and delete it.
    Double check in HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices to make sure that it doesn't have a replica entry, as well as HKEY_CURRENT_USER>SOFTWARE>Microsoft>Windows>CurrentVersion>Run

    After that, reboot and it should get rid of the auto run. Go to C:\WINDOWS\ to find the file. Before you delete it, right click and go into properties (DO NOT DOUBLE CLICK IT as it may add that registry etc all over again) to check if it is legitimate software (I highly doubt it), delete that file just to be safe. It might disguise itself as an installer or some generic Windows executable's icon, so be careful.

    Rgds,
    Alf

  14. #14
    Join Date
    Mar 2003
    Location
    Edmonton, Canada
    Posts
    380
    You can also post the report from hjt on spywareinfo.com. What they do is assist people who have been infected with browser hijackers and other spyware. There is an area on their forums just for this.

    Great people there and very well respected in the industry.
    Glen Millar
    Tyger Hosting Services
    http://www.tygerhosting.com
    Affordable Direct Admin Linux Hosting Since 2003

  15. #15
    ok thanks for the help guys
    i made a post at spywareinfo.com but nobody's responding

  16. #16
    Join Date
    Feb 2003
    Location
    Albany, New York
    Posts
    3,026
    I had the same problem...And every time I typed a page without a http:// in front of it, it went to http://www.ehttp.com/www.BLAH.com where BLAH.com is the site I was trying to go to. If the site existed, it connected to it, if not it went to a search engine thing. I used a program to fix it but messed my computer up and ended up reformatting :-\

  17. #17
    Join Date
    Nov 2003
    Location
    Ljubljana, Slovenija, Europe
    Posts
    298
    So is this adware just a product of a sick mind or is someone really trying to advertise something? If one finally gets to a search engine, why does one get there? Would a search engine have anything to do with the whole thing? I think not, people behind search engines, especially some well known search engines, are serious people. Even if some adware is directing you to a certain page you would not want to go otherwise, that site could have serious problems. Basically adware is not spam, but it is spam in a sense, so wouldn't the people operating the site, you got redirected to, have problems, if one contacted their host? I should think so. Besides, mostly will adware direct you to a porn site of some sort. Shouldn't we just contact the host or the host's Internet provider or something like that and just kill their uplink? I trust we should.

    I know what was my first reaction when a window popped up with some naked porn chicks showing stuff. I just closed the window, but perhaps I was wrong. Perchance I should have found the owner / operator / host / provider and made them some problems.

    What do you think?

    Airnine

  18. #18
    O2 - BHO: (no name) - {B951EA98-6DB9-4786-BE94-01E61859AE9B} - C:\WINDOWS\xuhhylfzs.dll

    I think this...
    (random file name).dll
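
The checks that posts #11 and #18 apply by eye to the HijackThis log from post #9, as an added example that is not part of the thread. The sample lines are copied from that log; the allowlist and function names are assumptions, and a hit means "review this entry", not "malware".

```python
import re
from pathlib import PureWindowsPath

# Subset of the HijackThis log posted in #9 (copied from the thread).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B951EA98-6DB9-4786-BE94-01E61859AE9B} - C:\WINDOWS\xuhhylfzs.dll
O4 - HKLM\..\Run: [ctrkiao] C:\WINDOWS\jhzwze.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Versato.lnk = C:\Program Files\MediaKey\Versato.exe
"""

# Assumption: a short allowlist of files expected directly in C:\WINDOWS.
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+$")  # drive-letter path at end of line


def in_windows_root(path_text):
    """True if the file sits directly in C:\\WINDOWS and is not allowlisted."""
    p = PureWindowsPath(path_text)
    return (str(p.parent).lower() == "c:\\windows"
            and p.name.lower() not in WINDOWS_ROOT_ALLOWLIST)


def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        if code == "R3" and rest.endswith("(no file)"):
            # Search hook registered without a file on disk (asked about in #9).
            findings.append((code, "search hook with no file", rest))
        elif code in ("O2", "O4"):
            # BHO or autorun whose module lives in the Windows root (#11, #18).
            pm = PATH_RE.search(rest)
            if pm and in_windows_root(pm.group(0)):
                findings.append((code, "module in Windows root", pm.group(0)))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```
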

  19. #19
    thelynx, how do i get rid of that?

  20. #20
    Join Date
    Feb 2003
    Location
    Albany, New York
    Posts
    3,026

  21. #21
    1. run HijackThis
    2. click scan
    3. select O2 - BHO(no name)....~
    4. click fix checked
    5. restart
    6. delete dll file

  22. #22
    thanks thelynx, i think that did the trick

  23. #23
    This one is very tricky. I am still in the process of removing it, so any feedback would be most appreciated.
    I found out that if I run the latest version of Ad-Aware 6 with the virus definitions updated (May 3rd), it will find it, but not really remove it. It lists something called "roings" (that's what hijack-this found for creepcolony, one before last). Ad-aware found me many programs associated with it: rnoq.exe, dekxiaxof.exe, cvpmripi.exe - all 32kb in size and all in C:\windows, those are random names I suppose. Also, the supposed uninstallers I got from errorplace were marked as malware, so DON'T fall for that. In "c:\windows\downloaded program files" there was the heart of the roings program, his .exe, .inf, so I deleted that and some other things I found suspicious in that directory. I also deleted all links to anything Ad-aware found suspicious from the system registry, removed the three exe's from msconfig's startup, deleted the search.vbs from start menu-programs-startup and deleted the exe's from c:/windows. You should also look for exe's with the same white/blue rectangular icon and a weird name in c:/windows - I found there two others, so I deleted them too. Also deleted all temporary internet files, to which some were linking, where the roings had its .cab's. With that I thought I should be fine and rebooted. Although to my surprise it kicked in (with all that heavy register deletions) and the IE startpage was back to normal, the errorplace thing was still there. Now I found there are .dll's in c:\windows with weird names but all the same size - 69'632, they contain masked URLs of errorplace.com and similar stuff, masked so that they can't be discovered (each letter on one line). Windows won't let you delete them, so I used Safe Mode w/ command prompt and after a reboot all worked fine, AT LAST.
    I agree this could be a little confusing, so let's go over it once again...

    1. Download Ad-aware 6, update the reference file, run full scan
    2. Manually delete all results that do not have a trusted CompanyName such as Microsoft, Compaq, NVidia... (these will be mainly weird named exe files). Also delete all the registry entries Ad-aware finds. In order to be sure, make a search in the registry editor and delete all that involves the given string.
    3. Go to your windows directory and look for the exe's which have the same icon as the file you downloaded from errorplace.com - delete them. They will all have weird names. In order to be able to delete them, stop them running in Task Manager
    4. Delete the dll's in windows directory that have the size of 69632 bytes.
    5. Reboot and let me know if it worked.

  24. #24
    ooooo, I got that too. But I was being bad when I got it. I was browsing a warez/crack site. I didn't download anything either, I guess that's why they say curiosity killed the cat.

    I've just been using mozilla. Spybot did not work. Virus check did not work....That'll teach me!!

    Last edited by anon-e-mouse; 05-11-2004 at 09:53 PM.

  25. #25
    ok thanks for the help astmin
    i ran adaware, and it found 2 roings things, so i removed them
    i looked in my windows directory and only found 1 file with the white/blue rectangular icon...it was called unstall.exe and was 19kb...i deleted it
    there were no dll files 69632 bytes in size
    how do i know if i have completely gotten rid of this?
