Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 02-20-2005, 03:24 AM   #1 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
spyware HELP please!!

oh Gurus please help me if you can..

Anyone know how to get rid of Virtual bouncer and Addestroyer?
Don't know where i got them but they wont erase with ad-aware, spybot or trojan remover.

I keep getting these annoying holiday and gambling ads all the time.. They pop-up over any prog.

I also have norton but none of the progs above have removed the problem.

It always installs and runs these popups even if the registry doesn't seem to load any weird stuff and "add/remove programs" looks ok...

I have XP.

I have a hijackthis-program, but can anyone of you guys interpret that and then maybe know what's up...

thanks!
Raleighbum is offline  
Old 02-20-2005, 03:30 AM   #2 (permalink)
Go Cardinals
 
soccerchamp76's Avatar
 
Location: St. Louis/Cincinnati
Try running the Ad-Aware or Spybot in Safe Mode.
Hi-Jack this will fix it though. Take out anything that looks suspicious (has the VirtualBouncer in the file name, or ads, or something similar) or any BHO's that have no name or file.
Some of them are tricky, one of the spyware I saw on a kid's computer was "Quicktimee.exe" which normally you would passover but with the extra "e" you know it is fake and most likely a virus/spyware. I have seen Windows.exe before and other such.
__________________
Brian Griffin: Ah, if my memory serves me, this is the physics department.
Chris Griffin: That would explain all the gravity.
soccerchamp76 is offline  
Old 02-20-2005, 09:35 AM   #3 (permalink)
Addict
 
Are you running the messenger service? Are they messenger popups, or just IE popups?
phukraut is offline  
Old 02-20-2005, 12:49 PM   #4 (permalink)
Psycho
 
supafly's Avatar
 
Location: Rotterdam
I use a programm called Hitman Pro, this is a combination of several ad-removers. Maybe this program can help to solve your problem.

http://www.hitmanpro.nl/

It's in dutch but quite straight forward.
Goodluck
__________________
Thumbs up
supafly is offline  
Old 02-20-2005, 01:11 PM   #5 (permalink)
Go Cardinals
 
soccerchamp76's Avatar
 
Location: St. Louis/Cincinnati
Post your HiJack-this log
__________________
Brian Griffin: Ah, if my memory serves me, this is the physics department.
Chris Griffin: That would explain all the gravity.
soccerchamp76 is offline  
Old 02-21-2005, 12:43 PM   #6 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Quote:
Originally Posted by phukraut
Are you running the messenger service? Are they messenger popups, or just IE popups?

ie programs.. would be nice to be able to just BLOCK those couple adresses where they come from, but that's not possible with explorer, right?
Raleighbum is offline  
Old 02-21-2005, 12:54 PM   #7 (permalink)
Registered User
 
ok..download spysweeper.. it's the best prog I've seen and I use it myself www.webroot.com/downloads.. load it.. get the updates and then go to safe mode and run it.. your computer will thank you
Glory's Sun is offline  
Old 02-21-2005, 03:51 PM   #8 (permalink)
Addict
 
You can block specific addresses through the HOSTS file. Just add the domain and no more connections from that domain.
phukraut is offline  
Old 02-21-2005, 06:40 PM   #9 (permalink)
Upright
 
No disrespect to guccilvr but spysweeper is a piece of junk, stick with ad-aware and spybot, and if you are on XP install microsofts anti-spyware
Cryptie is offline  
Old 02-21-2005, 06:52 PM   #10 (permalink)
Registered User
 
Location: Deep South Texas
maybe--just maybe, it is in one of your system files, and XP protects them with the restore faciclity...

turn off your restore...
run every spy checker you have..
then turn restore back on and reboot..

a little prayer right here, helps..
viejo gringo is offline  
Old 02-21-2005, 07:11 PM   #11 (permalink)
Not so great lurker
 
Location: NY
I believe that using the immunize feature from spybot should help you in the future in blocking the "known" sites from installing spyware.
As for the windows messenger service most people do NOT need to use this (some exceptions apply), and I think that running just about any firewall will block those popups.
heyal256 is offline  
Old 02-22-2005, 04:08 AM   #12 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Nothing still works.... Safe modes and running all updated Ad-awares and spybots and trojan removers.
It really sucks..
Quote:
soccerchamp76 Post your HiJack-this log
Heres my hijackthis-file :
(could it be those HOST files "- O1 - Hosts: 69.20.16.183 ieautosearch"?)
Can anyone see something weird?

Logfile of HijackThis v1.99.0
Scan saved at 14:04:56, on 22.2.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\autoupdt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\peter\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Last edited by Raleighbum; 02-22-2005 at 11:17 PM..
Raleighbum is offline  
Old 02-22-2005, 05:51 AM   #13 (permalink)
Upright
 
Use hijack this to pull these keys

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe

Download WinsocketFix to repair the lsp hijack

the userinit one is the nasty bugger, if you can't get rid of that it will just reload EVERY time you log on
Cryptie is offline  
Old 02-22-2005, 06:32 AM   #14 (permalink)
Registered User
 
Quote:
Originally Posted by Cryptie
No disrespect to guccilvr but spysweeper is a piece of junk, stick with ad-aware and spybot, and if you are on XP install microsofts anti-spyware

you're kidding right?? You can run adaware and spybot 100 times with all the latest updates and go behind it with spysweeper and find stuff they left behind. IMO (no disrespect either) spybot is a piece of shit. I haven't had a chance to use microshits..err microsofts new anti-spyware stuff so I don't know what to think of it..
Glory's Sun is offline  
Old 02-22-2005, 05:15 PM   #15 (permalink)
Upright
 
I guess my only problem with spysweeper is that it has ALOT of false positives. Which would explain why you can always find extra stuff with it. Not saying it doesn't remove some things that the other two won't, every program out there currently misses something that another one will find.
Cryptie is offline  
Old 02-22-2005, 05:50 PM   #16 (permalink)
Insane
 
Talking about lots of false positives, try using PestPatrol. If you don't set it up right, it will remove a lot of your software. Even after you do set it up, you still get a bunch of false positives. I tried it once and decided not to use that evil thing again.
vinaur is offline  
Old 02-26-2005, 10:37 AM   #17 (permalink)
Insane
 
Location: bangor pa
microsoftantispyware beta search it on microsoft.com free download
__________________
Quote:
Originally Posted by Redlemon
...but if you only add files and you never delete, there's nothing to cause file fragmentation, so pattycakes is correct.
pattycakes is offline  
Old 03-01-2005, 03:50 AM   #18 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Quote:
Originally Posted by Cryptie
Use hijack this to pull these keys

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O23 - Service: autoupdt - Unknown - C:\WINDOWS\autoupdt.exe

Download WinsocketFix to repair the lsp hijack

the userinit one is the nasty bugger, if you can't get rid of that it will just reload EVERY time you log on

WinsocketFix.. where can i get that?
Raleighbum is offline  
Old 03-01-2005, 07:37 AM   #19 (permalink)
Insane
 
trache's Avatar
 
LSPFix is available here. Not for the faint of heart:
http://www.cexx.org/lspfix.htm

WinsockFix is available here:
http://www.majorgeeks.com/download4372.html

Post a screenshot or the information you find out of any of these programs, and we may be able to help you further.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
trache is offline  
Old 03-03-2005, 01:56 PM   #20 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Quote:
Originally Posted by trache
LSPFix is available here. Not for the faint of heart:
http://www.cexx.org/lspfix.htm

WinsockFix is available here:
http://www.majorgeeks.com/download4372.html

Post a screenshot or the information you find out of any of these programs, and we may be able to help you further.
Thanks! I'll try with those now..

the connection has become very unstable.. crashing all the time, every 10-15 mins... modem and provider work ok, checked that so -
It could have to do with the "hosts" that keep opening those browser pages..
ads.. spotresults.com etc.. grr...

But trying that now thanks a lot.

Last edited by Raleighbum; 03-03-2005 at 01:59 PM..
Raleighbum is offline  
Old 03-05-2005, 11:22 AM   #21 (permalink)
Junkie
 
G5_Todd's Avatar
 
Location: Reichstag
last time i got infected with spyware...i knew pretty much imediately...so i copied some stuff i was working on to a cd and did a system restored to the day b4...it worked perfectly
G5_Todd is offline  
Old 03-07-2005, 12:49 PM   #22 (permalink)
Psycho
 
Ive been using the Microsoft Antispyware Beta at work, seems to catch a TON of stuff that adaware and spybot miss. That and hijack this seems to work for just about everything.
Exodus is offline  
Old 03-07-2005, 01:42 PM   #23 (permalink)
Insane
 
trache's Avatar
 
Quote:
Originally Posted by Raleighbum
Thanks! I'll try with those now..

the connection has become very unstable.. crashing all the time, every 10-15 mins... modem and provider work ok, checked that so -
It could have to do with the "hosts" that keep opening those browser pages..
ads.. spotresults.com etc.. grr...

But trying that now thanks a lot.
If you find that your hosts file gets replaced every time you try to modify it, you obviously have a process resident in memory that is changing it.

I had taken a look at a computer once that had one of these on it. It loaded itself into the HKEY_CLASSES_ROOT\something or other\exefile\open registry key to make sure that it got itself installed everytime a program was run. Make sure that you run most of these utilities (I'm not sure about LSPFix or Winsockfix) in safe mode. Before that, AVG or Norton etc because they scan registry keys too.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
trache is offline  
Old 03-19-2005, 01:37 AM   #24 (permalink)
Crazy
 
Raleighbum's Avatar
 
Location: Lookin for that above
Thanks all ppl, but It was so damn bad that nothing worked and I decided to Format C:...

That really works!


And changed to Mozilla.

but now I only have to figure out a way to get my backups from my other HD that is formatted with a XP professional to use with this new XP Home version... Grrrr.

That is the stupidest thing I've seen that Microsoft has put this block there that the HD's formatted with a different version are not compatible..
Raleighbum is offline  
 

Tags
spyware


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 12:13 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76