Help with Adware/Spyware please.

Discussion in 'General Software and Applications' started by dcx_badass, Aug 2, 2006.

  1. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    Do you have DAEMON Tools installed with Searchbar and Save Now?

    (DAEMON Tools Searchbar and Save Now)
    http://www.castlecops.com/t161905-partypoker_pop_ups_and_windows_explorer_crashing.html

    Name: Hijacker.Agent.a
    Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E5PRLAYH\popup[1].htm ([2].htm, [3].htm , [4].htm etc. etc.)
    Risk: High


    Don't install WinAntiVirusPro, it's not ok -- http://www.sophos.com/security/analyses/winantiviruspro.html

    Winfixer, WinAntiVirusPro & misc porn popups
    http://www.mcse.ms/message2233879.html


    Post a new HijackThis log please.



    If you find something like this: O4 - HKLM\..\Run: [NI.UWAS6_0001_N85M1306] "c:\documents and settings\*YouProfile*\application data\winantispyware2006freeinstall[1].exe -nag. It might not be using [1] in the name and the profile folder might not be your profile, but it most likely is. You should remove it, but HijackThis might not be able to fix it; if not, remove it manually.

    Location:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    NI.UWAS6_0001_N85M1306
    c:\documents and settings\*YouProfile*\application data\winantispyware2006freeinstall[1].exe

    And delete the file
    c:\documents and settings\*YouProfile*\application data\winantispyware2006freeinstall[1].exe

    ---

    Again, your weak point is clearly IE. If you're not careful and have loose restrictions you can practically get anything on your system. I'm talking "drive-by infection" with all kinds of nasties just by loading a page some asshat has infested using cross-site scripting, a little ActiveX and JavaScript.

    If you do not have SpywareBlaster, get it NOW, update it and enable all protection http://www.javacoolsoftware.com/spywareblaster.html

    I would also suggest you get Spybot - Search & Destroy, update it, enable all protection and then do a scan as well http://www.spybot.info/en/index.html
     
  2. dcx_badass

    dcx_badass Ancient Guru

    Messages:
    9,978
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    I'm back. I won't install the antivirus thing, I don't have DAEMON Tools or anything. Latest HijackThis:
     
  3. dcx_badass

    dcx_badass Ancient Guru

    Messages:
    9,978
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    I got Ad-Aware SE Personal and that removed a few things, some related to Yazzle, but now my Explorer is crashing every few minutes.
     
  4. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    You should start by updating your Java, it's important to keep it updated.

    D/L this one >>> "Java Runtime Environment (JRE) 5.0 Update 8" -- http://java.sun.com/javase/downloads/index.jsp

    Which reminds me, have you updated XP this month? It's very important that you have/do.


    Yazzle: Remember to remove any reg stuff
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-040610-1330-99



    Figuring out why Explorer is crashing may take some work.

    Start by seeing if you get any info from the crash (like a module name): use the Event Viewer, look at the Application log and find the application error, e.g. Faulting application hl2.exe, version 0.0.0.0, faulting module datacache.dll, version 0.0.0.0, fault address 0x0000b413.

    If you can narrow down the faulting module to a dll which is not an XP/IE system dll but one from a program you have installed, then uncheck it in msconfig and test running without it. If that fixes the issue you have to uninstall the app or try reinstalling it (edit: you might need to uninstall "it" anyway to really tell, not just uncheck it in msconfig). If it's a system dll then it can still be caused by a third-party app, but it's harder to tell. Try running a selective startup with nothing loading.

    One other possibility is rundll32.exe; I always disable anything using rundll32.exe as it can cause issues. The only thing I can say with some certainty you might have running is the NV tray icon, which uses rundll32.exe. But that should not cause any major issue, although I don't let it run.

    Theme stuff is also well known for being a troublemaker (WinStylerThemeSvc.exe); you can test whether it's an issue or not.


    You can always try running sfc /scannow and see if there is a system file issue.


    This really should point to your ISP or some OEM branding etc. I don't think toysrus qualifies for being in the IE reset file.

    O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk/
     
    Last edited: Aug 13, 2006

  5. dcx_badass

    dcx_badass Ancient Guru

    Messages:
    9,978
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Thanks. As for the Toysrus thing, I dunno how that got there as my homepage is Google; my default when I bought the PC was www.aldi.com, and the manufacturer's Medion.
     
  6. dcx_badass

    dcx_badass Ancient Guru

    Messages:
    9,978
    Likes Received:
    1
    GPU:
    Palit GTX 1060 6GB
    Been using an install of TinyXP to game with, as with BF1942 you only need the CD key in the registry, and left XP Home (the problem one) alone; just booted into it to use my card reader and got this from NOD32:
    What should i do?
    Manually delete it?
     
  7. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    Yes, let NOD32 fix the one in memory first.


    You might need to boot in safe mode before deleting the dll, or use Killbox and delete on reboot, as the dll is being used (which is why it's in memory). Also, not being online might be best.


    1. Find and delete this: :\WINDOWS\SYSTEM32\winosz32.dll

    Get Killbox and use delete on reboot if needed -- http://www.bleepingcomputer.com/files/killbox.php


    2. Then run HijackThis and fix: O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing) (it should say file missing after you have deleted the dll)

    3. Run Trojan.Vundo Removal Tool http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

    4. Do a system scan with NOD32

    5. Post the Trojan.Vundo Removal Tool log or just note the scan result and let me know if it removed anything.

    Post a new HijackThis log.
     
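The O4, O14 and O20 lines discussed in this thread (the winantispyware Run entry in post 1, the toysrus IE reset page and the dangling winosz32 Winlogon Notify entry above) can be triaged mechanically from a HijackThis log. The script below is an added example, not anything from the thread or from HijackThis itself; the sample log lines are constructed to mirror the ones quoted here, and the list of expected start pages and the set of XP's stock Winlogon Notify handlers are assumptions for the check.

```python
import re

# Constructed sample HijackThis lines, modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [NI.UWAS6_0001_N85M1306] "c:\\documents and settings\\owner\\application data\\winantispyware2006freeinstall[1].exe" -nag
O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk/
O20 - Winlogon Notify: winosz32 - winosz32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O14_RE = re.compile(r'^O14 - IERESET\.INF: START_PAGE_URL=(?P<url>\S+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)'
                    r'(?P<missing> \(file missing\))?$')

# Per-user writable folders: a HKLM Run entry launching from here is almost never legitimate.
USER_WRITABLE = ('application data', 'temporary internet files', 'local settings\\temp')
# Winlogon Notify handlers shipped with Windows XP (assumed list); anything else deserves a look.
XP_NOTIFY_HANDLERS = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                      'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}
# Assumed allow-list of start pages for this machine (Google, and the OEM default named in the thread).
EXPECTED_START_PAGES = ('http://www.google.', 'http://www.aldi.com')

def triage(log_text):
    """Return the O4/O14/O20 entries worth a second look, each with a severity and reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            cmd = m.group('cmd').lower()
            if any(d in cmd for d in USER_WRITABLE):
                findings.append(dict(type='O4', severity='high', line=line,
                                     reason='autorun launched from a user-writable folder'))
            elif 'rundll32' in cmd:
                findings.append(dict(type='O4', severity='info', line=line,
                                     reason='rundll32 loader; check the DLL it loads'))
        elif (m := O14_RE.match(line)):
            if not m.group('url').startswith(EXPECTED_START_PAGES):
                findings.append(dict(type='O14', severity='medium', line=line,
                                     reason='IE reset start page is not an expected OEM/ISP page'))
        elif (m := O20_RE.match(line)):
            if m.group('missing'):
                findings.append(dict(type='O20', severity='high', line=line,
                                     reason='dangling Winlogon Notify entry; fix it in HijackThis'))
            elif m.group('name').lower() not in XP_NOTIFY_HANDLERS:
                findings.append(dict(type='O20', severity='high', line=line,
                                     reason='Winlogon Notify handler not shipped with XP'))
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample to get four findings; the stock crypt32chain handler is left alone.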
