Returning Malware [CLOSED]



#16 SblDude9889 (Member, Topic Starter)
No, the new one did not work. Forgive me if I'm being difficult or obnoxious, this spyware constantly returning is getting on my nerves!
#17 greyknight17 (Malware Expert, Visiting Consultant)
That's ok. I know this is frustrating, especially when it seems that all possible methods were tried already.

I will try my best to help you out here, but if it's still not working, I might have to ask you to ask in another forum that might better assist you.

OK, we did the registry merges and it should have worked. So now I want you to go in the registry and manually check to make sure that the key has the value of 67 in it. Be careful not to edit anything else in there - everything done is LIVE.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

I want you to double click on the flags key (on the right pane there). Make sure that Decimal is selected there and type in 67 and hit OK. Close out the registry editor.

Restart. Is it still greyed out now?

#18 SblDude9889 (Member, Topic Starter)
It's no longer greyed out! Nice job! I've tried simply removing the nasty site with the 'Remove' button in the 'Sites...' list. I tried fixing it with HJT. I tried installing that .inf file that was supposed to clear out the trusted zone, nothing has worked. I did all of these before logging on, but now I'm going to try them all again in Safe Mode and reboot after each one. We're almost there!

#19 SblDude9889 (Member, Topic Starter)
It's gone! The 'Sites...' is empty and it stayed that way! But I had to do it sort of my own way. I wrote down the name of the site that wouldn't go away, went into Regedit, and used the Find feature. I found the key containing all the information on it, and just deleted it. After that I added the same site to the Restricted zone. I'm a little cautious though, don't wanna count my chickens before they hatch. I'm going to maintain a connection and see if everything comes back, I have faith though! Thanks for everything!!
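
Both of the fixes above (setting the Trusted sites Flags value to decimal 67 in post #17, and finding and deleting the ZoneMap key for the unwanted site and then putting it in the Restricted zone in post #19) live under the same registry branch, and greyknight17 already has the user export that branch as a backup. The script below is an added example, not code from the thread, from HijackThis or from any tool mentioned here: it audits such a regedit export offline. It parses the REGEDIT4 text regedit writes from File -> Export, decodes the Zones\2 Flags DWORD bit by bit (bit meanings as documented in Microsoft KB 182569), lists the ZoneMap\Domains mappings that HijackThis reports as O15 entries, and produces a .reg snippet that re-maps a chosen host to the Restricted sites zone (4) instead of Trusted (2). SAMPLE_REG, the hostnames (reserved .test names) and the Flags value 65 in it are constructed; the one-level Domains\example.com\www nesting it assumes is the layout IE uses for a www subdomain.

```python
"""Audit IE security-zone settings from a regedit export (REGEDIT4 text).
Added example, not from the thread: decodes the Trusted sites Flags DWORD the
thread sets to decimal 67, lists the ZoneMap entries HijackThis reports as O15,
and builds a .reg snippet moving a host to Restricted sites. SAMPLE_REG is
constructed; its hostnames use the reserved .test TLD."""
import re

IS_PREFIX = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
# Bits of the Zones\<n>\Flags DWORD, as documented in Microsoft KB 182569.
ZONE_FLAG_BITS = {
    0x01: "allow changes to custom settings",
    0x02: "allow users to add/remove sites",
    0x04: "require verified (https) sites",
    0x08: "include sites that bypass the proxy",
    0x10: "include sites not listed in other zones",
    0x20: "do not show this zone in Internet Options",
    0x40: "show the 'Require server verification' checkbox",
    0x80: "treat UNC paths as intranet sites",
}
TRUSTED_FLAGS_EXPECTED = 67  # 0x43, the value the thread writes to Zones\2\Flags

# Constructed sample: bit 0x02 cleared (Sites button disabled), two hosts in Trusted sites.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000041

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-example.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-example.test\www]
"http"=dword:00000002
"""
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {key_path: {value_name: data}}; dword -> int, "str" -> str, rest raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):  # '[-key]' would mean delete
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                                     # e.g. hex: continuation lines
        name = "@" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unquote(data)
        else:
            keys[current][name] = data
    return keys

def zone_flags_report(keys, zone=2):
    """Decode Zones\\<zone>\\Flags and list which bits of 67 are not set."""
    flags = keys.get(f"{IS_PREFIX}\\Zones\\{zone}", {}).get("Flags")
    have, bits = flags or 0, sorted(ZONE_FLAG_BITS.items())
    return {"zone": ZONE_NAMES[zone], "flags": flags,
            "set": [d for b, d in bits if have & b],
            "missing": [d for b, d in bits if TRUSTED_FLAGS_EXPECTED & b and not have & b],
            "ok": flags == TRUSTED_FLAGS_EXPECTED}

def domain_zone_map(keys):
    """List ZoneMap\\Domains mappings, the entries HijackThis shows as O15."""
    prefix = f"{IS_PREFIX}\\ZoneMap\\Domains\\"
    entries = []
    for key, values in keys.items():
        if key.startswith(prefix):
            # IE stores www.example.com as Domains\example.com\www (one nested level).
            host = ".".join(reversed(key[len(prefix):].split("\\")))
            entries += [{"host": host, "scheme": s, "zone": z, "key": key}
                        for s, z in values.items() if isinstance(z, int)]
    return sorted(entries, key=lambda e: (e["host"], e["scheme"]))

def trusted_hosts(entries):
    return sorted({e["host"] for e in entries if e["zone"] == 2})

def restrict_host_reg(entries, host):
    """REGEDIT4 snippet re-mapping every scheme of `host` to zone 4; '' if unknown."""
    by_key = {}
    for e in entries:
        if e["host"] == host:
            by_key.setdefault(e["key"], []).append(e["scheme"])
    lines = ["REGEDIT4", ""] if by_key else []
    for key, schemes in by_key.items():
        lines += [f"[{key}]"] + [f'"{s}"=dword:00000004' for s in schemes] + [""]
    return "\n".join(lines)
```

On the constructed sample, zone_flags_report returns Flags 65 with "allow users to add/remove sites" as the only missing bit of 67, trusted_hosts lists bad-example.test and www.bad-example.test, and restrict_host_reg writes a snippet that can be merged with regedit (after the backup export) to move the www host into zone 4. An export is only a snapshot: the entries in this thread came back after a day, and a check like this reports the state but does not find whatever is re-writing it.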

#20 greyknight17 (Malware Expert, Visiting Consultant)
I knew we would get it eventually. So you did it the manual way that I mentioned earlier and got it to work? Just want to make sure, since this may be useful if another user encounters this problem.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#21 SblDude9889 (Member, Topic Starter)
:/ It was clean for an entire day almost, but it's all back again. I had the 'Sites..' cleaned out and everything was running smoothly but it's back the way it was. I'm guessing this is way more serious than previously thought? We were so close! ><

#22 greyknight17 (Malware Expert, Visiting Consultant)
Just want to know this:

So you did it the manual way that I mentioned earlier and got it to work? Just want to make sure, since this may be useful if another user encounters this problem

You mean the O15 entries are back in HijackThis? OK, give us a new log. I will take another look at it.

#23 SblDude9889 (Member, Topic Starter)
You know, it's funny. I deleted the O15 entries and then scanned again and they stayed gone. Now, whenever the programs start to download/install onto my computer, my internet connection suddenly terminates. This has been a MAJOR help but also a MAJOR annoyance. It interrupts the programs from installing/loading, but it kicks me offline. I just scanned, and it's clean but here it is:
Logfile of HijackThis v1.99.1
Scan saved at 3:37:03 PM, on 6/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\MPLAYER2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cableone.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CableONE.net
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WESTWOOD\SPYBOT~1\SDHELPER.DLL
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL


And with the manual fix thing, what I did was manually went into regedit like you said, and forced the 'Flags' value to be a decimal 67.

Last but not least, is the spyware evolving before my eyes? The programs that routinely install themselves are CHANGING THEIR NAMES!! One of the originals was Tool.exe, then it became Todol.exe, and now it's BigTraffic.exe. Another one was Private-Zone, which is now Privdate-Zone. Is this a sort of counter-delete measure? Is it changing the name of the program to keep me/anti-malware programs from finding them?

#24 greyknight17 (Malware Expert, Visiting Consultant)
Yes, some of these can change their filenames after a restart.

Strange, I don't see anything suspicious here.

Download WinsockFix http://www.greyknigh...sockFix.sfx.exe and uncompress it. Then double-click on the uncompressed file to run it. See if that helps the internet connection problem.

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

#25 SblDude9889 (Member, Topic Starter)
...the WinsockFix didn't work, or it doesn't seem to. I still lose connection every 10 minutes or so. I tried to download TDS-3, but the download time was about 14 minutes so I figured I would lose connection. I tried anyway, and at about 60% I lost connection. I'm going to try and download it at a friend's house, burn it to a blank disc, and then copy it to my hard drive and run it. Or is there a better way?
#26 greyknight17 (Malware Expert, Visiting Consultant)
If it's not too much trouble, then yes, go to a friend's house to get it. Or if you want, get a download manager so that even if it breaks your connection it will resume it next time (most downloads allow you to resume after an internet connection problem). Go to Google and search for Download Express. It's freeware.

I assume you are on dial up right? Is it a problem with the phone line or your internet service provider? It could be a server problem also.

#27 greyknight17 (Malware Expert, Visiting Consultant)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.