Results 1 to 25 of 31
Thread: weird spyware/adware?
-
04-26-2004, 04:27 PM #1 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
weird spyware/adware?
I have some weird spyware/adware things on my comp that mess with IE. Whenever I go to a site that doesn't work, it redirects me to this errorplace.com page, and then to a Lycos search page. I also get random pop-ups. I ran Ad-Aware and Spybot S&D several times but they didn't get rid of it. I went to errorplace.com and they had this program which is supposed to uninstall the redirecting thing. I don't know if it was a good idea, but I downloaded it and ran it. It said to exit out of IE, which I did, and then it didn't do anything else. I searched on Google for "errorplace.com" but got nothing. Help!
-
04-26-2004, 04:42 PM #2 Hmmm....
- Join Date
- Apr 2003
- Location
- UK
- Posts
- 2,341
Close IE, then run it. If nothing happens then, run SpyBot in Advanced Mode; be careful what you remove.
ServeYourSite
Web hosting done right
Shared, Reseller and Dedicated web hosting
An Easy Web Presence Company
-
04-26-2004, 10:33 PM #3 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
Tried both, still nothing.
Also ran a virus scan, which didn't pick up anything either.
-
04-26-2004, 10:44 PM #4 Hmmm....
- Join Date
- Apr 2003
- Location
- UK
- Posts
- 2,341
Control Panel >> Add/Remove Programs, see if it's there. This is weird ....
-
04-26-2004, 10:52 PM #5 Web Hosting Master
- Join Date
- Dec 2002
- Location
- Montreal, Canada
- Posts
- 5,320
Seems like you have a CoolWebSearch virus that is impossible to remove with AdAware or Spybot.
Give me one minute, I'll help you. Let me just grab some info on this.
-
04-26-2004, 11:36 PM #6 Web Hosting Master
- Join Date
- Dec 2000
- Location
- The Woodlands, Tx
- Posts
- 5,974
http://webtracker.info/miniremoval_c...martkiller.exe
If it is CoolWebSearch, this will remove it.
-
04-26-2004, 11:42 PM #7 Web Hosting Master
- Join Date
- Dec 2002
- Location
- Montreal, Canada
- Posts
- 5,320
OK, so you have a virus that will never be noticed by Spybot or AdAware. The virus you got, I think, is CoolWebSearch.
I had exactly the same problem.
To get rid of it:
1. Download HijackThis:
http://www.zerosrealm.com/downloads/hjt.zip
Unzip it to a separate folder, then close all windows and Internet programs and run it.
DON'T FIX ANYTHING on your own. If you are not sure, press Ctrl+A to Select All, then paste results in here.
2. Most likely, you will see a few lines related to your Internet Explorer search functions that are infected, as well as a few (7-9) sex-page viruses.
Do not remove or fix anything through HijackThis - this is just to verify the computer is infected.
If you see the Internet Explorer/search pages hijacked with other URLs, you DO have a virus.
If you do, proceed with this:
Download CWShredder:
http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Open -> doubleclick cwshredder.exe -> click "FIX"
After that, reboot and you are in the clear.
Make sure your homepage is set to the right page just in case.
If you feel like it, you can paste in the new scan from HijackThis for verification.
One of the side effects of this virus is that it slows down your Internet experience and often crashes Explorer. But that's it; you should notice you're back to normal operations.
Best,
-
04-27-2004, 09:32 AM #8 An Awesome Dude
- Join Date
- Oct 2002
- Posts
- 13,624
SPY SWEEPER is your friend........
The Dude
Tinyurl is the answer for posting long urls!!!
-
04-27-2004, 10:23 PM #9 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
webdude, I tried that program and it said CoolWebSearch was not found on my computer.
artashes, I ran HijackThis and this is what it came up with:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B951EA98-6DB9-4786-BE94-01E61859AE9B} - C:\WINDOWS\xuhhylfzs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ctrkiao] C:\WINDOWS\jhzwze.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Versato.lnk = C:\Program Files\MediaKey\Versato.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
I then ran that other program, but it didn't seem to fix anything.
the dude, I will try Spy Sweeper and post back with results.
-
04-27-2004, 10:35 PM #10 Web Hosting Master
- Join Date
- Dec 2002
- Location
- Montreal, Canada
- Posts
- 5,320
The "URLSearchHooks" might really be the one.
Do NOT fix anything with HijackThis. You have to be a system expert to understand what you're fixing.
Instead:
Download CWShredder:
http://www.spywareinfo.com/~merijn/files/CWShredder.exe
Open -> doubleclick cwshredder.exe -> click "FIX"
After that, reboot and you are in the clear.
Make sure your homepage is set to the right page just in case.
I hope this will fix the glitch you are having.
Best,
-
04-27-2004, 10:57 PM #11 MAOMPSMITCUT (rmbr this? lol)
- Join Date
- Aug 2003
- Posts
- 2,071
O4 - HKLM\..\Run: [ctrkiao] C:\WINDOWS\jhzwze.exe
-
04-27-2004, 11:04 PM #12 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
I already ran CWShredder, but that didn't seem to fix anything.
What should I do about jhzwze.exe?
And I just tried Spy Sweeper... it removed a bunch of stuff, but still didn't fix my problem.
Also, a couple of days ago, I was getting occasional slowdowns (fps drops) in CS... probably related to that virus/adware/spyware.
-
04-28-2004, 03:13 AM #13 MAOMPSMITCUT (rmbr this? lol)
- Join Date
- Aug 2003
- Posts
- 2,071
If you don't recognize the file (ctrkiao or jhzwze.exe), and you don't think it is anything that you've installed, you can remove it by doing these steps:
Call up Task Manager (Ctrl+Shift+Esc in Win XP/2000, a single Ctrl+Alt+Del in Win 9X/ME)
Look for the task jhzwze.exe and kill it
Then, launch Registry Editor: Start => Run => "regedit.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Look for the ctrkiao key and delete it.
Double-check in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices to make sure that it doesn't have a replica entry, as well as HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
After that, reboot and it should get rid of the auto run. Go to C:\WINDOWS\ to find the file. Before you delete it, right-click and go into Properties (DO NOT DOUBLE-CLICK IT, as it may add that registry entry all over again) to check if it is legitimate software (I highly doubt it); delete that file just to be safe. It might disguise itself with an installer's or some generic Windows executable's icon, so be careful.
Rgds,
Alf
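The log posted in #9 and the manual steps in #13 can be turned into a small triage script. What follows is an added example, not code from this thread or from the HijackThis authors: it parses a constructed excerpt of the posted log (copied as posted, truncated URLs included), flags the same kinds of entries the replies single out (a BHO or Run target dropped straight into the Windows folder under a random-looking name, a hosts entry pointing a real hostname at a remote IP, a URLSearchHook with no file behind it, an unnamed ActiveX download from an unfamiliar host), and for an O4 hit lists the autorun locations #13 says to check. The vowel-ratio threshold, the trusted-host list for O16 downloads and the Windows-root rule are this example's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis (HJT) log the way the thread does by hand.

Added example, not code from the original thread or from the HijackThis
authors. SAMPLE_LOG is a constructed excerpt of the log in post #9 (copied
as posted, truncated URLs included); the flags follow what posts #11, #13
and #18 single out; AUTORUN_KEYS are the locations post #13 says to check.
The vowel-ratio threshold, TRUSTED_DPF_HOSTS and the Windows-root rule are
this example's own assumptions, not rules from HijackThis.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

VOWELS = set("aeiou")
WINDIR = "c:\\windows"
# O16 cab downloads from these hosts are treated as routine in the thread (assumption).
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "download.macromedia.com"}
# Where post #13 says an O4 Run entry, and any replica of it, lives.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed excerpt of the log in post #9.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B951EA98-6DB9-4786-BE94-01E61859AE9B} - C:\WINDOWS\xuhhylfzs.dll
O4 - HKLM\..\Run: [ctrkiao] C:\WINDOWS\jhzwze.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
"""


@dataclass
class Finding:
    section: str     # HJT section tag: R3, O1, O2, O4, O16
    target: str      # path, hostname, hook id or URL the entry points at
    reason: str
    value: str = ""  # registry value name for O4 entries, e.g. ctrkiao


def looks_random(name: str) -> bool:
    """Vowel-starved names like jhzwze or xuhhylfzs; the 25% cutoff is an assumption."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in VOWELS for c in letters) / len(letters) < 0.25


def in_windows_root(path: str) -> bool:
    """True for a file dropped directly into the Windows folder, not a subfolder."""
    return path.lower().rpartition("\\")[0] == WINDIR


def _file_finding(section: str, path: str, value: str = ""):
    if not in_windows_root(path):
        return None
    stem = path.rpartition("\\")[2].rpartition(".")[0]
    reason = "file sits directly in the Windows folder"
    if looks_random(stem):
        reason += ", random-looking name"
    return Finding(section, path, reason, value)


def triage(log: str) -> list:
    """Return the entries a human reviewer should look at, in log order."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("R3 - URLSearchHook:") and line.endswith("(no file)"):
            findings.append(Finding("R3", line.split(" - ")[2],
                                    "search hook registered but its file is missing"))
        elif line.startswith("O1 - Hosts:"):
            ip, host = line.split(":", 1)[1].split()
            if not ip.startswith("127."):   # anything but loopback is a redirect
                findings.append(Finding("O1", host, f"hosts file sends {host} to {ip}"))
        elif line.startswith("O2 - BHO:"):
            f = _file_finding("O2", line.rsplit(" - ", 1)[1])
            if f:
                findings.append(f)
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - .*?(?:\[(?P<value>[^\]]+)\]|=)\s*(?P<path>.+)$", line)
            f = _file_finding("O4", m["path"], m["value"] or "") if m else None
            if f:
                findings.append(f)
        elif line.startswith("O16 - DPF:"):
            m = re.match(r"O16 - DPF: \{[^}]*\}\s*(\([^)]*\))?\s*-\s*(\S+)", line)
            host = urlparse(m.group(2)).hostname or "" if m else ""
            if m and m.group(1) is None and host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("O16", m.group(2), f"unnamed ActiveX download from {host}"))
    return findings


def removal_plan(f: Finding) -> list:
    """Turn a flagged O4/O2 entry into the manual steps from posts #13 and #21."""
    if f.section == "O4" and f.value:
        steps = [f"{key}: delete the value named '{f.value}' if present" for key in AUTORUN_KEYS]
        return steps + [f"reboot, inspect {f.target} via Properties without running it, then delete it"]
    if f.section == "O2":
        return [f"fix the O2 line in HijackThis, reboot, then delete {f.target}"]
    return []


if __name__ == "__main__":
    import sys
    log = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(log):
        print(f"{f.section}: {f.target}  [{f.reason}]")
        for step in removal_plan(f):
            print("    ->", step)
```

A flag here is a pointer for a person to verify, in line with the "do NOT fix anything with HijackThis" advice in #10: a legitimate file can trip the random-name check (ctfmon would, which is why the check only applies to files in the Windows root), and a named O16 control is not automatically safe.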
-
04-28-2004, 03:31 AM #14 Aspiring Evangelist
- Join Date
- Mar 2003
- Location
- Edmonton, Canada
- Posts
- 380
You can also post the report from HJT on spywareinfo.com. What they do is assist people who have been infected with browser hijackers and other spyware. There is an area on their forums just for this.
Great people there and very well respected in the industry.
Glen Millar
Tyger Hosting Services
http://www.tygerhosting.com
Affordable Direct Admin Linux Hosting Since 2003
-
04-29-2004, 05:25 PM #15 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
OK, thanks for the help, guys.
I made a post at spywareinfo.com but nobody's responding.
-
04-29-2004, 05:30 PM #16 KM Carpenter
- Join Date
- Feb 2003
- Location
- Albany, New York
- Posts
- 3,026
I had the same problem... And every time I typed a page without an http:// in front of it, it went to http://www.ehttp.com/www.BLAH.com, where BLAH.com is the site I was trying to go to. If the site existed, it connected to it; if not, it went to a search engine thing. I used a program to fix it but messed my computer up and ended up reformatting :-\
-
04-29-2004, 06:27 PM #17 Web Hosting Guru
- Join Date
- Nov 2003
- Location
- Ljubljana, Slovenija, Europe
- Posts
- 298
So is this adware just a product of a sick mind, or is someone really trying to advertise something? If one finally gets to a search engine, why does one get there? Would a search engine have anything to do with the whole thing? I think not; people behind search engines, especially some well-known search engines, are serious people. Even if some adware is directing you to a certain page you would not want to go to otherwise, that site could have serious problems. Basically adware is not spam, but it is spam in a sense, so wouldn't the people operating the site you got redirected to have problems if one contacted their host? I should think so. Besides, mostly adware will direct you to a porn site of some sort. Shouldn't we just contact the host or the host's Internet provider or something like that and just kill their uplink? I trust we should.
I know what my first reaction was when a window popped up with some naked porn chicks showing stuff. I just closed the window, but perhaps I was wrong. Perchance I should have found the owner / operator / host / provider and made them some problems.
What do you think?
Airnine
-
04-30-2004, 05:38 AM #18 New Member
- Join Date
- Apr 2004
- Posts
- 3
O2 - BHO: (no name) - {B951EA98-6DB9-4786-BE94-01E61859AE9B} - C:\WINDOWS\xuhhylfzs.dll
I think this...
(random file name).dll
-
04-30-2004, 04:57 PM #19 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
thelynx, how do I get rid of that?
-
04-30-2004, 09:59 PM #20 KM Carpenter
- Join Date
- Feb 2003
- Location
- Albany, New York
- Posts
- 3,026
delete it?
-
04-30-2004, 10:24 PM #21 New Member
- Join Date
- Apr 2004
- Posts
- 3
1. run HijackThis
2. click scan
3. select O2 - BHO: (no name)....~
4. click fix checked
5. restart
6. delete dll file
-
05-01-2004, 12:00 PM #22 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
Thanks thelynx, I think that did the trick.
-
05-03-2004, 02:26 PM #23 New Member
- Join Date
- May 2004
- Posts
- 2
This one is very tricky. I am still in the process of removing it, so any feedback would be most appreciated.
I found out that if I run the latest version of Ad-Aware 6 with the virus definitions updated (May 3rd), it will find it, but not really remove it. It lists something called "roings" (that's what HijackThis found for creepcolony, one before last). Ad-Aware found me many programs associated with it: rnoq.exe, dekxiaxof.exe, cvpmripi.exe, all 32 KB in size and all in C:\windows; those are random names, I suppose. Also, the supposed uninstallers I got from errorplace were marked as malware, so DON'T fall for that.
In "c:\windows\downloaded program files" there was the heart of the roings program, its .exe, .inf, so I deleted that and some other things I found suspicious in that directory. I also deleted all links to anything Ad-Aware found suspicious from the system registry, removed the three exe's from msconfig's startup, deleted the search.vbs from Start Menu > Programs > Startup and deleted the exe's from c:/windows. You should also look for exe's with the same white/blue rectangular icon and a weird name in c:/windows; I found two others there, so I deleted them too. I also deleted all temporary internet files, to which some were linking, where roings had its .cab's. With that I thought I should be fine and rebooted.
Although, to my surprise, it kicked in (with all those heavy registry deletions) and the IE start page was back to normal, the errorplace thing was still there. Now I found there are .dll's in c:\windows with weird names but all the same size, 69,632 bytes; they contain masked URLs of errorplace.com and similar stuff, masked so that they can't be discovered (each letter on one line). Windows won't let you delete them, so I used Safe Mode w/ command prompt, and after a reboot all worked fine, AT LAST.
I agree this could be a little confusing, so let's go over it once again...
1. Download Ad-Aware 6, update the reference file, run a full scan
2. Manually delete all results that do not have a trusted CompanyName such as Microsoft, Compaq, NVidia... (these will be mainly weird-named exe files). Also delete all the registry entries Ad-Aware finds. In order to be sure, do a search in the registry editor and delete everything that involves the given string.
3. Go to your Windows directory and look for the exe's which have the same icon as the file you downloaded from errorplace.com; delete them. They will all have weird names. In order to be able to delete them, stop them running in Task Manager.
4. Delete the dll's in the Windows directory that have a size of 69,632 bytes.
5. Reboot and let me know if it worked.
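The last finding in the post above, DLLs of a fixed size whose URLs are written one letter per line, is exactly what a plain file search or a `strings`-style dump misses. The scanner below is an added example and not code from this thread: it matches an indicator domain while allowing CR/LF between any two of its characters, reports the byte offset of each hit so it can be checked in a hex editor before anything is deleted, and filters a directory by the 69,632-byte size the post gives. SAMPLE_BLOB, the size constant and the indicator list (errorplace.com, ehttp.com and roings.com, all named earlier in the thread) are constructed for this example.

```python
"""Find DLLs that hide redirect URLs by writing them one character per line.

Added example, not code from the original thread. Post #23 reports DLLs of
exactly 69,632 bytes in C:/WINDOWS whose errorplace.com URLs have each letter
on its own line, so a normal string search never sees them. The scanner
tolerates CR/LF between any two characters of an indicator and also filters
a directory by that file size. INDICATORS, SUSPECT_SIZE and SAMPLE_BLOB are
constructed for this example.
"""
import os
import re
import tempfile

INDICATORS = ("errorplace.com", "roings.com", "ehttp.com")  # named in posts #1, #16, #23
SUSPECT_SIZE = 69632  # size post #23 gives for the masked DLLs


def split_pattern(needle: str):
    """Regex for `needle` with any run of CR/LF allowed between its characters."""
    gap = rb"[\r\n]*"
    return re.compile(gap.join(re.escape(c.encode()) for c in needle), re.IGNORECASE)


def scan_blob(data: bytes, needles=INDICATORS) -> list:
    """Return (needle, offset, raw_match) for each plain or masked occurrence, by offset."""
    hits = []
    for needle in needles:
        for m in split_pattern(needle).finditer(data):
            hits.append((needle, m.start(), m.group()))
    return sorted(hits, key=lambda h: h[1])


def scan_dir(root: str, size: int = SUSPECT_SIZE, needles=INDICATORS) -> dict:
    """Map each regular file of exactly `size` bytes directly under root to its hits."""
    report = {}
    for entry in os.scandir(root):
        if entry.is_file(follow_symlinks=False) and entry.stat().st_size == size:
            with open(entry.path, "rb") as fh:
                report[entry.name] = scan_blob(fh.read(), needles)
    return report


def mask(text: str) -> bytes:
    """Write text one character per line, the way post #23 describes the masking."""
    return "\r\n".join(text).encode()


# Constructed stand-in for a masked DLL body: header junk, a masked URL,
# a legitimate-looking string, then a plain (unmasked) indicator.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 40
    + mask("http://www.errorplace.com/search?q=")
    + b"\x00" * 16 + b"AcroIEHelper" + b"\x00" * 8
    + b"cabs.roings.com/cabs/roing.cab" + b"\x00" * 8
)


def demo() -> dict:
    """Write the sample (padded to SUSPECT_SIZE) plus a wrong-sized decoy and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.dll"), "wb") as fh:
            fh.write(SAMPLE_BLOB + b"\x00" * (SUSPECT_SIZE - len(SAMPLE_BLOB)))
        with open(os.path.join(tmp, "decoy.dll"), "wb") as fh:
            fh.write(b"plain errorplace.com text, but not the suspect size")
        return scan_dir(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        for needle, offset, raw in hits:
            print(f"{name}: {needle} at offset {offset:#x} -> {raw!r}")
```

On the affected machine this would be pointed at C:\WINDOWS from Safe Mode. The size filter is only a shortcut; the content match is what makes a hit credible, since a DLL that happens to be 69,632 bytes is not evidence of anything by itself, and a file that matches on content but not on size (the decoy here) is worth a look too.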
-
05-03-2004, 02:49 PM #24 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 82
ooooo, I got that too. But I was being bad when I got it. I was browsing a warez/crack site. I didn't download anything either; I guess that's why they say curiosity killed the cat.
I've just been using Mozilla. Spybot did not work. Virus check did not work.... That'll teach me!!
Last edited by anon-e-mouse; 05-11-2004 at 09:53 PM.
-
05-03-2004, 05:05 PM #25 Mad Skillz
- Join Date
- Jun 2001
- Posts
- 377
OK, thanks for the help astmin.
I ran Ad-Aware, and it found 2 roings things, so I removed them.
I looked in my Windows directory and only found 1 file with the white/blue rectangular icon... it was called unstall.exe and was 19 KB... I deleted it.
There were no dll files 69,632 bytes in size.
How do I know if I have completely gotten rid of this?