Hi, I'm new here & am just about to cry! I have the most awful spyware on my computer I have ever seen! First of all it was embedded in my desktop & had a hell of a job to remove it. But now on every toolbar it says favorites & there is loads & loads of crap on there & I can't get rid of it. I have adaware & spybot & firewalls & virus checkers, what has happened?? I hope you understand me, I'm female & have had a computer for 2 years, but just learned myself. But I am so stressed I feel like breaking down right now because I just installed spyblaster & spyguard because I read they were very good to have, but now as well as the popups I'm now getting (every minute!!!) "your IE search bar has been changed" click here to restore old value! I hope you can understand this, I'm just so tired, I've not stopped on here since 9am.

do you have any names of the processes that are causing the problem? you could google on it to find more info or post here so we can be of more assistance. Or even type the following at the command prompt (START > RUN > "cmd")
tasklist > c:\process.log
Then copy the contents of c:\process.log and paste them here.
Also I know you have all those scanners and that's great, but have you tried running them in Safe mode where they can really get rid of everything?

Do you know if it is one of the about:net variants? This program will pop up windows that say "only the best" in them.
Be who you are and say what you feel because those who mind dont matter and those who matter dont mind.

You should also run the following:
HiJackThis
On the HiJackThis link, click the link on the page that reads Direct Download. Once you load and run the scan, paste the log file into the window on the provided page, then click the Analyze button at the bottom of the window. The analysis will instruct you on what you should remove.
LL

All the above are good suggestions. The problem being that you are embedded with the programs and to my experience you are going to have a hell of a time getting rid of them.
The search bar issue is going to be the biggest problem and as you have just learned the computer system, it will be very difficult to say the least. As your computer is "2 years old" I am suggesting that you save what files you just can't be without by backing them up to cd/dvd whatever you have and do a complete reinstallation of your system with your manufacturer's recovery disc. You will be much happier in the long run.
IN THE MATTERS OF STYLE,
swim with the current;
in matters of principle,
STAND LIKE A ROCK

The last two programs listed are very good ones to use to solve your problems.
But do me a favor tigerlily, don't apologize for being female. I used to get a lot of crap over that, but I got over it. I too am female and 5 years ago was afraid of the power button. I only wanted a word processor and look at me now. I have built probably over 50 computers and have a repair clientele of about the same. And no it is not my main business. I press shirts for a living. Computers/websites are my hobby.
But back to your problem, I think a program I use would be quite helpful to you and that is: Pest Patrol. It works great, and finds EVERYTHING. It even wiped out all my son's Limewire program. It thought it was a spyware program. Another program you didn't mention that is very good is: spysweeper. If you want any additional information on these programs I mentioned please just email me, ok?
When at first you don't succeed...
Ask at Computing.net...
They always have the answers...

Hi, you are all so helpful & I won't say about being female again :)
A few points, I think maybe LOP is a problem?? Also although I have had a computer for 2 years this is a new one, I've only had it since 23rd Dec, so I'm not sure what has happened here to be honest! As for safe mode, didn't know about that.. Certainly seems worse since I have put Spyblaster &/or spyware guard.
I don't think it is an about:net variant, it doesn't say anything about the best. I did start, run & cmd, but it basically gave me a black page. I am going to download a couple of the things you all suggested, thank-you.

Hi ... One other thing I can mention is, whenever you are going to use a program whether it be a spyblocker or whatever and you aren't sure whether it's a good program or not, just post on this site and ask what others think about it. This way when others give their opinion you will know which way to go ...

Yes thanks, basically it's Spybot, Adaware, Spyblaster & Spyware guard. Also 1 click maintenance.

By the way on the task menu, I have 57 processes running, is this ok? Waol.exe & explorer.exe seem to use most memory.

earlier you posted that you did the START > RUN > CMD and all you got was a black screen... that was what you were supposed to get... then type in the following (without the quotes) "tasklist > c:\process.log" Then copy the contents of c:\process.log and paste them here.
That should list all 57 processes and then we can review them for you... the two you mentioned above:
Waol.exe - seems to be related to America Online (but has been called a bandwidth hog in some forums) ... may be able to be removed from startup with no problems.
explorer.exe - This is the basic windows explorer shell that runs windows... this is a necessary system process.
later!- Michael

btw... you posted this:
> As for safe mode, didnt know about that..
but did you run the scanners in safe mode yet? that could get rid of a lot of your headache if you haven't already done that.

Another question from a novice. I have no problem, sometimes, with my computer, but my daughter's notebook was running slow, so I thought I'd run adaware. It stops at a certain spot and won't continue. I uninstalled it and installed it again. Same thing. I ran Spybot, and hijack this and got rid of some things. Then reran it. It stopped again, but it ran a little further. I wrote down where it stopped, if it means anything. CLSID {AABC1235-776D-11D2-8010-00104B9B8592} Does it? And what can I do about it? Thanks

first thing you gotta do is post your running processes by doing what trdj says: "tasklist > c:\processes.txt". Let us take a look at what's eating up your system...

SORRY! i couldn't help but crack up laughing at the "basically a black screen" comment but hey i'm no expert at all :) ...also if you just got the computer and don't have much stored in there or can quickly retrieve your wanted data, you might consider just wiping it clean. I know many people hate that solution including myself when it would take me hours to figure out what to rescue...but it SHOULD be something to consider...once unwanted spyware or worms get inside, it can take hours to get it out and things may never go back to normal completely anyways. Consider only the quickest solution...PEACE!

get a firewall- the crappy one that comes with xp lacks features YES EVEN THE ONE FROM SP2. This will certainly stop spyware/adware cold in their tracks, @least for the purpose they serve. They however do place a load on your computer so all the other programs mentioned above are the cleanup/detection phase except for spyblaster which works more as a prevention tool.
Truth can become lie, but if lies become truth we're in trouble.

Frankly, if this machine is only 2 weeks old I would be reaching for the restore CD to set it back to "out of the box".
It would certainly be the end of all the problems.
If you continue struggling to clear out whatever gotcha you could waste hours if not days and still possibly be left with lingering problems.

> "tasklist > c:\processes.txt". Let us take a look at what's eating up your system...
This just takes me to a plain white box!
Glad I gave someone a laugh though...

Ok, does this help anyone???
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINXP\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINXP\system32\cidaemon.exe
C:\WINXP\Explorer.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINXP\system32\wscntfy.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINXP\system32\cmd.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojpksauqaow.com/g5StDgVdSZH7aPWADWtHEwaGOAkTMYKvp_glcy_H_3nxUkEYu3r8ODnJShGjU0QP.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10F52FC2-37E9-0577-5A4A-7CEAC11FB679} - C:\DOCUME~1\LEVI~1.DRA\APPLIC~1\Birdref\Bone Grim.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINXP\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [Bias acid] C:\DOCUME~1\SHARON~1.DRA\APPLIC~1\STOPWI~1\WindowAceUser.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINXP\system32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINXP\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06B3C3B1-5A2E-4C6D-80E8-4ECFD9F7E1E4}: NameServer = 195.93.33.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD49A944-1FA2-4B60-8A37-48C9ADFEA69F}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{06B3C3B1-5A2E-4C6D-80E8-4ECFD9F7E1E4}: NameServer = 195.93.33.134

Posted Earlier:
> I would be reaching for the restore CD to set it back to "out of the box". It would certainly be the end of all the problems.
Just an FYI... there are many different ways that a restore CD can work, one of which (and is popular with Compaq, and even heard of some HPs) is to use the restore CD to pull an image off a reserved partition on the local hard drive. If ever a restore CD uses an image off the Hard Drive, then this will NOT "certainly be the end of all the problems" as any image saved on a hard drive (even a separate partition) has the ability of being infected as well.
Tigerlily,
In answer to your question above, yes it always helps to see what processes are running on a computer and the Hijack This log as you have listed above is great for doing that. At a first glance I am not seeing any virus or malware... my only concern would be all the many AOL processes that are running at startup:
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
If you do not use AOL or do not need all of these processes starting up, then I would consider removing some of them, but this is definitely NOT the cause of your problem and probably the least of your worries.
But this one however is a little suspicious of a browser Hijack:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojpksauqaow.com/g5StDgVdSZH7aPWADWtHEwaGOAkTMYKvp_glcy_H_3nxUkEYu3r8ODnJShGjU0QP.html
anyone have more info on that one possibly? It looks like www.ojpksauqaow.com is a bogus domain and it's plugging in as a browser search/toolbar. I might consider backing up that branch of the Registry and deleting that key.
Also I find the following entries a little suspicious as well, but that is more than likely because I am not familiar with them:
C:\DOCUME~1\LEVI~1.DRA\APPLIC~1\Birdref\Bone Grim.exe
O4 - HKCU\..\Run: [Bias acid] C:\DOCUME~1\SHARON~1.DRA\APPLIC~1\STOPWI~1\WindowAceUser.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
Someone else that is more familiar with the Hijack logs may be of better assistance... I will see if I come up with anything else and post back later if I do.
Hope that helps!
- Michael
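
An added example, not part of the original thread and not HijackThis's own analysis logic: a short Python triage pass over HijackThis entries that flags the patterns singled out in the reply above (an IE search setting pointing at an unfamiliar host, and BHO or Run entries loading from a user profile's Application Data folder). The sample lines are copied from the log posted in this thread; the `EXPECTED_HOSTS` allowlist and the heuristics themselves are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Entries copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojpksauqaow.com/g5StDgVdSZH7aPWADWtHEwaGOAkTMYKvp_glcy_H_3nxUkEYu3r8ODnJShGjU0QP.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10F52FC2-37E9-0577-5A4A-7CEAC11FB679} - C:\DOCUME~1\LEVI~1.DRA\APPLIC~1\Birdref\Bone Grim.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [Bias acid] C:\DOCUME~1\SHARON~1.DRA\APPLIC~1\STOPWI~1\WindowAceUser.exe
"""

# "R1 - ...", "O2 - ...": section code, then the entry body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# A path under a user profile's Application Data folder (long or 8.3 name).
PROFILE_APPDATA = re.compile(
    r"\\(?:Documents and Settings|DOCUME~\d)\\[^\\]+\\(?:Application Data|APPLIC~\d)\\",
    re.I,
)
URL = re.compile(r"https?://\S+", re.I)
# Assumption: hosts this machine's owner expects in IE start/search settings.
EXPECTED_HOSTS = ("microsoft.com", "msn.com", "aol.com")


def triage(log_text):
    """Return (code, body, reasons) for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        code, body, reasons = m["code"], m["body"], []
        if code in ("R0", "R1"):
            url = URL.search(body)
            host = (urlparse(url.group()).hostname or "") if url else ""
            if host and not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
                reasons.append(f"IE setting points at unexpected host {host}")
        if code in ("O2", "O4") and PROFILE_APPDATA.search(body):
            reasons.append("loads from a user profile's Application Data folder")
        # "(no name)" alone is weak: Spybot's own SDHelper.dll has no name either.
        if code == "O2" and "(no name)" in body and reasons:
            reasons.append("BHO has no registered name")
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"[{code}] {body}\n      -> " + "; ".join(reasons))
```

The output is a shortlist for manual review, not a verdict; anything flagged still needs to be looked up before it is fixed in HijackThis.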

Thankyou Michael, it is a great help.
The reason I am reluctant to clear & start again is because of all the saved stuff from the old computer.
Yes, I am on AOL. The waol.exe always seems to take up so much memory, as does Iexplorer.exe. This I checked in task manager.
That search bar is a real problem!
T.
Also every time I get to desk-top just before I sign on to AOL I get this message about "NT Scanner problem send error report"..
Internet explorer which I never use seems to be a problem, I went & checked on it earlier & pop-ups appeared all over the place!

yes I saw reference to a scanner in your Hijack log... maybe you could try uninstalling it or removing the reference from the Registry to prevent the error (always backup before editing the registry) if you feel comfortable with it.
Also on the Search bar, I believe that you can just go to the Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
and remove the entry for "Search Bar" without any problems, just make sure you backup the registry branch first by selecting FILE > EXPORT so you have something to fall back on if there are issues.
Also I need to ask you again if you have run the scanners in Safe Mode? earlier you mentioned that you didn't know about Safe Mode, but if you haven't already you should boot into Safe Mode and run all of your scanners... it could save you a lot of grief. Running scanners in regular mode will not get rid of everything, running them in safe mode however usually does the job 99.9% of the time. So post back and let me know.
As for the Iexplorer.exe this is the process for Internet Explorer and while you may not think that you use it, I believe that AOL somehow uses an integrated version of IE in their browser, in other words I think the AOL web browser IS ie.
Hope that helps!
- Michael

You may want to try the lop uninstaller.
http://simplythebest.net/info/spyware/lop_c2media_spyware.html
Good luck

Another tip, check in add/remove programs and uninstall the following if listed:
window searching
You will be asked to type in a 7 or 8 digit # to complete uninstall.
Reboot when done.
If above don't work.
Reboot into safe mode and run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit Fix checked
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojpksauqaow.com/g5StDgVdSZH7aPWADWtHEwaGOAkTMYKvp_glcy_H_3nxUkEYu3r8ODnJShGjU0QP.html
O2 - BHO: (no name) - {10F52FC2-37E9-0577-5A4A-7CEAC11FB679} - C:\DOCUME~1\LEVI~1.DRA\APPLIC~1\Birdref\Bone Grim.exe
O4 - HKCU\..\Run: [Bias acid] C:\DOCUME~1\SHARON~1.DRA\APPLIC~1\STOPWI~1\WindowAceUser.exe
Show hidden files and folders:
Open folder options in control panel.
Click view tab
under hidden files and folders check: "show hidden files and folders"
Apply and ok changes.
Find and delete:
C:\DOCUME~1\LEVI~1.DRA\APPLIC~1\Birdref < delete this folder. It has a longer name starting with Birdref
C:\DOCUME~1\SHARON~1.DRA\APPLIC~1\STOPWI~1 < delete this folder also. It has a longer name starting with STOPWI~1


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.