
porn mole on my rig help!!

i used 159 and it found something and removed it. so far no more porn and hijacked browser links (im holding my breath). I WANT TO THANK ALL OF U WHO TOOK THE TIME TO HELP ME. i am very grateful, thank you very much....... mike
 
It's possible it's not an ad/spyware problem at all. If all those programs didn't pick it up, then chances are it's something else. I would look into getting a trojan/malware detector and running it. i use A squared 2 but i haven't had any trojans that i know of, so it hasn't detected any, hehe. maybe run it and see if it helps.
 
See if there's a folder called 'spad' on your PC, if it's on your PC you got a big problem :-/

You might wanna check http://www.computercops.biz/ but that didn't work for me (I've had 2 variants), while I got rid of one of them (I also got an RMA HDD so the other one doesn't matter), you need to delete that folder, scan with Spybot, Adaware, CWShredder, Pestscan....delete ALL crap (get rid of your cookies), and start all over.

I know it doesn't help much (if any), but that's how I got rid of that crap.

You also said that you could get rid of it for 39.95, I'm pretty sure it's the same stinking ******* that said "Sorry, it was an experiment"....sure you *****....better not meet me :attn: :D :temper:
 
OK try this.
turn off system restore
boot into safe mode
run all the scans again including spybot, adaware, CWShredder, virus scan, trojan scan, hijack this(post the log here), and run Stinger. Good luck:D

reboot
turn system restore back on.
 
If you are still using IE, stop - it is exploited way too much to mess with. Download firefox .9 (just released recently), and you will likely not be reinfected. Many people rave about firefox after trying it.
 
Do what kendan said. Be sure to reboot into safe mode and run all those ad/spy/malware removers, trojan removers, anti-virus and such while having the system restore turned off. This way, NOTHING is loaded into memory or during start up and you can try to blast it out.

Make sure that every program is updated to the latest version before you do this as well. Spybot S&D is up to 1.3 btw, so if you have an older version, you need to download a new one. If i was you, i would download about 3 or 4 of each thing and run them all just to be safe then just uninstall the ones you don't feel do a good job.
 
okay guys sorry about the delay my prometeia was giving me probs. ill try what u suggested .thnx again i really appreciate the concern and help
 
okay i did as requested... nothing worked, here is a copy of hijack this (my system)
Logfile of HijackThis v1.97.7
Scan saved at 6:22:37 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\flapperhead.DICTATOR-ZZNF9N\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37898.4068171296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

once again thnx for all the help..
 
I do not see it there but I am not an expert at reading Hijack this logs. Are you sure it didn't come from a site you visit? Are you running a popup blocker like the google toolbar?

edit it could be in this section
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
 
Kendan said:
I do not see it there but I am not an expert at reading Hijack this logs. Are you sure it didn't come from a site you visit? Are you running a popup blocker like the google toolbar?

edit it could be in this section


ill try deleting some of the things u mentioned, gosh, im not sure where i got it. im not into porn. i was surfing to some site - i forgot what - and i hit a dead link and a lot of stuff started popping up. i think thats where i caught it. right now ive got the browser to stay blank, at least that way its not bringing up that maddening search site that gives u a popup saying u have a spy on ur comp. also im not gettin all the unwanted porn popping up. i never believed that this could happen without asking for it (like surfing porn sites in other countries), but now its happened to me and i believe it. im gettin near retirement at work. maybe i can take some programming lessons (id love to payback these sob's or get them in trouble for what they are doing). u guys have been great with all the help. if u guys have any other suggestion ill try em
 
I would make a backup of your registry before you delete anything, just in case.

I did a google on the programs in your log and they all came out as regular software keys. The only thing that i could see is what kendan had in quotes. not sure what the sp.html thing is so you can either delete those or just empty your temp folder and see if that fixes anything.

is that log from booting up in safemode? maybe try to boot regular and run hijack this again and compare the 2 logs to see if anything is different. Dunno :-/

edit - I would also try to clean your IE cache out in the tools>options menu and it might be a good idea to delete your cookies (you do use IE i assume? :))
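
Added example, not part of any post above: the two checks suggested in this thread (looking at the R0/R1 lines that point Internet Explorer's search settings at sp.html, and comparing two HijackThis logs) sketched in Python. The first log's lines are copied from the posted log; the second log, its `ExampleItem` entry and all function names are constructed for illustration.

```python
import re

# A HijackThis entry is "<section id> - <detail>", e.g. "R1 - HKCU\...,Search Bar = ...".
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# R0/R1 details have the form "<registry key>,<value name> = <data>".
REG_VALUE = re.compile(r"^(?P<key>HK(?:CU|LM)\\[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")

# Lines copied from the log posted in this thread.
FIRST_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\FLAPPE~1.DIC\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""
# Constructed second log: the same entries plus one made-up startup item.
SECOND_LOG = FIRST_LOG + r"O4 - HKLM\..\Run: [ExampleItem] C:\example\placeholder.exe" + "\n"

def parse(log_text):
    """Return the set of (section, detail) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m["sec"], m["detail"]))
    return entries

def local_file_hijacks(entries):
    """List R0/R1 browser settings whose data is a file:// URL, noting Temp locations."""
    hits = []
    for sec, detail in sorted(entries):
        m = REG_VALUE.match(detail) if sec in ("R0", "R1") else None
        if m and m["data"].lower().startswith("file://"):
            in_temp = "\\temp\\" in m["data"].lower()
            hits.append((m["key"], m["name"], m["data"], in_temp))
    return hits

def compare(first_log, second_log):
    """Return (entries only in the second log, entries only in the first log)."""
    a, b = parse(first_log), parse(second_log)
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    for key, name, data, in_temp in local_file_hijacks(parse(FIRST_LOG)):
        print(f"{key} [{name}] -> {data} (temp dir: {in_temp})")
    added, removed = compare(FIRST_LOG, SECOND_LOG)
    print("only in second log:", added, "| only in first log:", removed)
```
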
 
Switching to Firefox would help prevent having such problems in the future. If you use IE you're asking for trouble.

yeah its weird. adaware finds it, but cant delete it. i even deleted it in my registry and it comes back everytime.. ok ill try hijack thnx for ur time.. this is so infuriating.

In the short term if Adaware can find it but can't delete it, try Dr. Delete. That can usually delete anything.
 
Kendan said:
OMG how does that help him with his problem IMOG? It doesn't.

I beg to differ, Kendan. As he's tried all of the above solutions, and so far nothing has worked, I think suggesting an alternative browser is a good idea. Internet Explorer if not looked after can be a cause of these problems (due to ActiveX et cetera). Firefox might at least save him some trouble, even if it is only putting a bandaid on a bullet wound, as it seems he has some rather severe malware problems.
 
Oni said:
I beg to differ, Kendan. As he's tried all of the above solutions, and so far nothing has worked, I think suggesting an alternative browser is a good idea. Internet Explorer if not looked after can be a cause of these problems (due to ActiveX et cetera). Firefox might at least save him some trouble, even if it is only putting a bandaid on a bullet wound, as it seems he has some rather severe malware problems.

Well if that is what you did that would be different. But you posed it as a solution, not an alternative. This is OCforums.com, not easywayout.com. So instead of trying to force a different browser on him you could help us fix the problem.
 
Pardon? You're coming off as a little hostile. I hope it's not intentional. :(

I'm not trying to force anything on him, and neither was IMOG. It's just a suggestion, and given the circumstances, I think it's a good one.

I'm not saying 'Firefox will solve all of the problems you're having'. I'm saying 'Firefox may help you avoid encountering future problems'. It's by no means a 'give up' situation, but just as you and many others in this thread have suggested alternative spyware removal tools, I was suggesting an alternative browser. And it doesn't seem like such a bad idea to me.

Whether or not he takes the advice is solely up to him, of course, but seeing as many different options have been tried (and are still being tried), this is just another option.
 