I have a little problem with spyware/adware, so to speak...... noticed it when my homepage turned into something else... I change it and it changes back... I run HijackThis and remove what I knew wasn't supposed to be there, and I re-scan, it comes back... I go to my Registry edit and remove the items that were there that weren't supposed to be... and they appear right back.. I run TrojanHunter.. none found.. same with Norton.. I run Ad-Aware (Lavasoft) and it finds 31 PROBLEMS, I remove and quarantine.... re-scan .... they come right back... (even after reboot) I run spyware S&D... finds CoolWWWSearch or something and a couple others... it removes them... and guess what, they KEEP coming BACK! It's like a fly that lands on the same spot every time you shoo it away.. I wouldn't be posting this unless I was absolutely sure I couldn't handle it myself... so I need some suggestions here...
thanks... :-/

I had this one too. I struggled with it for hours but no luck. Eventually I found the utility CWShredder. This is what you need to clean up your system. Available here http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

I did the CWShredder also... forgot to say that in my first post... I used it and it said it cleaned but they keep coming back

Hmmm, maybe a new variant. I can only suggest using system restore (if you are using XP?) to restore the registry back to a point before it was infected. Or...and this is DANGEROUS, edit the registry by hand to delete any references to the files reported by Ad-Aware. I know you said you have done this, but the trick is to reboot into safe mode only so that the *censored* thing doesn't autostart and begin repairing itself before you have gotten every trace of it. Good luck!

It's a clean install.... 1 day old. Not sure where I got it first of all... but I'll try the safe mode issue, only because I know reg keys

shield....www.coolSearch is one bad one to get rid of.... I would suggest running HijackThis again and posting the log here so we can have a look at it......I believe you may have missed something......DO NOT, I REPEAT.....Don't....use your system restore. CWShredder will identify it and reset your homepage .....but until you clean it out, it will keep coming back.
dl65

I ran safe mode and CWShredder and HijackThis and removed those adware.... they came [emailprotected]#! It's so irritating.... here's my HijackThis in next post:

Logfile of HijackThis v1.97.7
Scan saved at 9:34:10 AM, on 10/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\Ati2evxx.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\ICQLite\ICQLite.exe
D:\WINNT\System\MSMSGSVC.exe
D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]inder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MSMsgSvc] D:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MemTurbo.lnk = D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38270.6357175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave FLASH Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I removed the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)

and they just keep coming back on

Have you tried running all these programs in safe mode?

shield....Ok here's what I would like you to do....
1 open HijackThis...and click info....now make sure that in Configuration / main there is a tick in box 2,3,4,5 and no tick in box 1.
2 In the boxes for the URLs...... enter http://www.msn.com do this for all four.....
3 now click the back button.
4 now click Scan button
now I want you to mark for removal all the entries I have put in red

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MSMsgSvc] D:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MemTurbo.lnk = D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38270.6357175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

when you have ticked the ones in red.....click the fix checked button......
I would do all of the above in safe mode. This should clear it .....It wouldn't hurt to scan again now with Ad-Aware and, if you have it, Spybot. Do you have any kind of a registry cleaner? ie ......System Mechanic Pro 5 or Registry First Aid. If you have, run them as well.
Then reboot back up normally and see how things are.
let us know how it goes
dl65
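
Added example, not part of the original thread: a small Python parser for the HijackThis log format quoted above. It extracts the `R`/`O` entries and flags the ones worth researching first: values HijackThis marked `(obfuscated)`, percent-encoded URLs (decoded for reading), and BHOs with no name. The flagging rules are illustrative assumptions, not HijackThis's own logic and not the helper's selection of entries.

```python
import re
from urllib.parse import unquote

# A few lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # e.g. "R1 - ...", "O13 - ..."
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")     # three or more %XX escapes in a row


def parse(log_text):
    """Return (section_code, body) per entry; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_reasons(code, body):
    """Illustrative triage rules (assumptions of this example)."""
    reasons = []
    if code in ("R0", "R1") and body.endswith("(obfuscated)"):
        reasons.append("IE URL value marked obfuscated by HijackThis")
    if PCT_RUN.search(body):
        reasons.append("percent-encoded URL, decodes to: " + unquote(body))
    if code == "O2" and "(no name)" in body:
        reasons.append("browser helper object with no name")
    return reasons


def triage(log_text):
    """Map each flagged entry to the reasons it should be researched first."""
    flagged = {}
    for code, body in parse(log_text):
        reasons = review_reasons(code, body)
        if reasons:
            flagged[f"{code} - {body}"] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
```
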

dl65.... I love you... it worked, all clean, no spyware/adware/nothing..... wanna go out for dinner? LOL thanks bud.

shield.....Glad to hear you're pest free......HijackThis does a great job ......the key to using it is to research each entry in the log it generates.......
cheers,
dl65

so do you wanna go for dinner or not

shield.......So what did you have in mind?
Burger King or McDonalds.......lol
dl65