Re: Browser hijack spyware
if you can make it to the site....
try this :
http://www.pestscan.com/
by the ppl that made pest patrol
a fairly nice anti-spyware IMO
turn off system restore as well,
cuz even if you do get it deleted...
it may bring itself back
(you can turn restore back on after you get the system clean and rebooted)
-edit-
i have pest patrol corp if you need it, but...
i no longer use Klite (or ANY kazaa for that matter) :P
but if you have BT or slsk, we can make it happen :)
-edit again-
and get spywareblaster too
keeps shit from loading in the first place :)
-edit again- (damn i am getting stupid) :P
delete all the downloaded program files in IE
it may help, and if you happen to need something you downloaded later
(say a plugin from a website or somethin) IE will re-dl em no prob
in IE, go to tools > internet options > settings > view objects
and delete all that shit
-edit AGAIN- (for the umpteenth time) :lol:
and after you get it all cleaned...
clean your registry, at this point it's probably gonna be hard to screw something up too bad
regseeker is a decent free reg cleaner
Re: Browser hijack spyware
first go to control panel>add\remove programs and see what programs are there that look suspicious and uninstall them (ones you aren't sure about you can search for on google)
then run a spyware scanner (i see you have spybot).
Fix the following with hijackthis!:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.plovnpuigvoybtuqk.com/1v...Y_t4/eIwsB.html
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
then the following look suspicious but i can't find them on google so i'm not certain:
O4 - HKCU\..\Run: [Junk win] C:\DOCUME~1\Sara\APPLIC~1\PILETE~1\Option Hope Rdr.exe
O4 - HKLM\..\Run: [Road Lite Inter For] C:\Documents and Settings\All Users\Application Data\Burn1RoadLite\blah name.exe
then restart and it should be fixed.
Re: Browser hijack spyware
Hello!
Also you should delete and fix the following:
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...cab/nce9rck.cab
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
This one should be deleted manually and then check again with HJT to see if it has appeared again; if not then that's good! How to delete it and a description of what it is can be found here http://www.giantcompany.com/antispyw...ger-Plus!.aspx
Re: Browser hijack spyware
Quote:
Originally Posted by Joakim Agren
messenger plus isn't spyware...it installs some if you choose to in the install but the actual program is not spyware and chances are if it's sara's kids that downloaded that program they will download it again.
Re: Browser hijack spyware
Quote:
Originally Posted by rossco_2004
messenger plus isn't spyware...it installs some if you choose to in the install but the actual program is not spyware and chances are if it's sara's kids that downloaded that program they will download it again.
Hello!
Yes that is true but chances are that they did install the spyware. She can always reinstall it properly without the spyware to make sure that it is not there. The bundled spyware that might be installed now is C2Media which is also known as LOP.com. How to remove it is described at the link! After removal reinstallation can be made by Sara and make sure that the bundled shit is not installed! But one thing that I notice now is that I said that the item should not appear in HJT and that is of course wrong since the actual program is not harmful so it should not be deleted in HJT! Here is the info from the site:
According to Messenger Plus!'s website you can install the software without the AdWare.
Quote for removing AdWare:
"Go in Add/Remove Programs and double click on "Messenger Plus!" (or click on Remove)
The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. After a couple of seconds, the program will ask you if you want to keep your preferences, it is suggested to say "Yes" if you plan to reinstall Messenger Plus! in the future (this question is not related to the sponsor program).
The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed.
If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.
To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, voila!"
From the FAQ:
"Messenger Plus! comes with an optional sponsor program. This program will show ads from time to time on your computer, add a search bar in Internet Explorer and may change your start page. In NO case this sponsor is mandatory or dangerous. If you don't want it, simply refuse the sponsor agreement during the setup and you will never hear about it again. If you installed the sponsor by error, just uninstall Messenger Plus! (it will trigger the sponsor uninstall program), reboot your computer, and reinstall without the sponsor if you want to continue to use Messenger Plus!.
Important: if you wish to get rid of the sponsor program, you must uninstall Messenger Plus! from the Add/Remove Programs window. If you start deleting files on your own you will prevent a full system restore as some of the files copied by the sponsor are backups of your original configuration files."
Advise: Keep
This software is not necessarily adware. However, it does install other adware programs as well as perform potentially hazardous actions on your computer. In either case this software is not to be trusted. - Since this application gives you the option to not install the adware that comes bundled, we recommend ignoring it.
Author: Patchou
Author URL: http://www.msgplus.net
Author description: "Messenger Plus is designed to enhance MSN Messenger and Windows Messenger by adding a lot of new features directly into its interface. With Messenger Plus, you can automatically log your instant messages and encrypt them to text files, customize your user interface, create shortcuts to hide or lock Messenger on your station (useful for school or work usage), use IRC commands, customize the appearance of your messages, create text aliases, and play sounds. All the features are accessible in new menus of various Messenger windows, and you can set your options in a brand-new Preferences panel
Re: Browser hijack spyware
Hi Sara, you have a lop infection.
Lop comes bundled with Messenger Plus! 3.
I recommend uninstalling Messenger Plus! 3 in add/remove programs. If you insist on using it, uninstall for now, clean out lop then reinstall with all the "extras" unchecked on the installer.
Download this LOP uninstaller http://lop.com/new_uninstall.exe
Close other programs and run it to remove LOP.
I will include the entries for lop to be fixed in hijackthis, fix any that remain after running the uninstaller.
Create a new folder in your program files and move hijackthis.exe inside it.
Backups made of the lines fixed will be placed there.
Scan with hijackthis and place a checkmark at the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.plovnpuigvoybtuqk.com/1v...Y_t4/eIwsB.html
O2 - BHO: (no name) - {A35B2803-21D7-934C-8231-C201EFC45411} - C:\DOCUME~1\Sara\APPLIC~1\MFCDBO~1\support up.exe
O4 - HKLM\..\Run: [Road Lite Inter For] C:\Documents and Settings\All Users\Application Data\Burn1RoadLite\blah name.exe
O4 - HKCU\..\Run: [Junk win] C:\DOCUME~1\Sara\APPLIC~1\PILETE~1\Option Hope Rdr.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...cab/nce9rck.cab
the following lines are optional to fix if you choose:
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE <-- Reminder to register Creative Labs SoundBlaster Live! cards, not needed
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" <-- fix if you decide to get rid of it
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart <-- same as above
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <-- Resource hog that launches common MS Office components to help speed up the launch of Office programs. Not needed to start office.
Close all browsers and open windows and click "fix checked"
Reboot to safemode
Restart the computer. As soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.
Some files and folders may be hidden; change these settings to show them.
Open Windows Explorer & Go to Tools > Folder Options.
Click on the View tab
Place a checkmark at "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Uncheck "hide extensions for known file types"
click "Apply to all folders"
Click "Apply" then "OK"
Delete the following files and folders marked in bold
C:\DOCUME~1\Sara\APPLIC~1\MFCDBO~1 <-- this is a shorthand version of the file path; it's at C:\Documents and Settings\Sara\Application Data\. Delete the folder name that starts with MFCDBO
C:\DOCUME~1\Sara\APPLIC~1\PILETE~1\ <-- In your applications folder again, delete the folder that starts with PILETE
C:\Documents and Settings\All Users\Application Data\Burn1RoadLite\ <-- delete the folder
Reboot, scan with hijackthis and post a fresh log.
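Added example (not part of any post in this thread): a small Python triage pass over a HijackThis log that flags the kinds of entries the helpers above picked out by hand, namely Trusted Zone additions (O15), a Search Bar pointed at a remote URL (R1), BHO or Run entries loading from Application Data (O2/O4), and downloaded ActiveX controls (O16). The sample log is constructed with placeholder names, and the heuristics are assumptions drawn from this thread, not HijackThis's own logic; hits are candidates for manual review, not verdicts.

```python
import re

# A HijackThis entry is "<section> - <detail>", e.g. "O4 - HKCU\..\Run: [name] path".
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# Application Data in long form or 8.3 short form (APPLIC~1).
APPDATA = re.compile(r"\\(application data|applic~\d)\\", re.I)

# Constructed sample log: names, CLSIDs and domains are placeholders.
SAMPLE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/bar.html
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\DOCUME~1\User\APPLIC~1\ABCDEF~1\helper.exe
O2 - BHO: Reader Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Reader\helper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\AV\vptray.exe
O4 - HKLM\..\Run: [Odd Name] C:\Documents and Settings\All Users\Application Data\OddDir\odd name.exe
O15 - Trusted Zone: *.ads.example.invalid
O16 - DPF: {00000000-0000-0000-0000-000000000003} - http://cab.example.invalid/x.cab
"""

def triage(line):
    """Return (section, reason) if the entry deserves a manual look, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # log header, running-process path or blank line
    sec, detail = m["sec"], m["detail"]
    if sec == "O15":
        return sec, "site added to the IE Trusted Zone"
    if sec in ("R0", "R1") and re.search(r"=\s*https?://", detail, re.I):
        return sec, "IE start/search setting points at a remote URL"
    if sec in ("O2", "O4") and APPDATA.search(detail):
        return sec, "BHO or autostart loaded from Application Data"
    if sec == "O16":
        return sec, "ActiveX control downloaded from a web site"
    return None

def scan(log_text):
    """Return (section, reason, original line) for every flagged entry, in log order."""
    hits = []
    for line in log_text.splitlines():
        hit = triage(line)
        if hit:
            hits.append((hit[0], hit[1], line.strip()))
    return hits

if __name__ == "__main__":
    for sec, reason, line in scan(SAMPLE):
        print(f"[{sec}] {reason}\n    {line}")
```

Legitimate software also produces R1 and O16 entries, so each hit still needs the kind of lookup the posters did before anything is fixed.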
Re: Browser hijack spyware
Ok...thanks everyone...am gonna give these suggestions a go and will let you know how I get on.... :)
Re: Browser hijack spyware
So far so good....seems like you guys have sorted it for me....thanks again.... :) :) :)
here's my new hijackthis log...
Logfile of HijackThis v1.98.2
Scan saved at 23:18:54, on 20/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\PeerGuardian\PeerGuardian_1.99b_pr14-3.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian\PeerGuardian_1.99b_pr14-3.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
Re: Browser hijack spyware
looks fine now.
so everything works ok now? :)