Yarr The Pirate!
https://w.yarrthepirate.com/phpbb3/

spyware and stuff...
https://w.yarrthepirate.com/phpbb3/viewtopic.php?f=5&t=5002
Page 1 of 1

Author:  HitmanR [ Tue May 17, 2005 9:34 am ]
Post subject:  spyware and stuff...

Well, my friend wants me to take a look at his computer because she has spyware on it... short of wiping the hard drive what should I do to help with this problem... is there something I can download to help get rid of it?

Author:  Matti [ Tue May 17, 2005 9:36 am ]
Post subject: 

First of all go download Adaware 6.0 (or whatever version) and install that. You can get it from Download.com for free.

What OS is this?

Author:  HitmanR [ Tue May 17, 2005 10:31 am ]
Post subject: 

Not sure, I'm going over today so I'll know a little bit more... thanks Matti

Author:  pyromancer [ Tue May 17, 2005 1:51 pm ]
Post subject: 

yah..........

I just had to reformat my comp :(

That made me very very mad considering I had to put FFXI in again :evil:

Author:  Rubyxiii [ Tue May 17, 2005 2:04 pm ]
Post subject: 

I'd just wipe everything; nobody really has anything that's extremely important on their computer, and if they do they should be backing it up anyway. And wtf, Hit, come back to FF before they can't restore your char.

Author:  HitmanR [ Tue May 17, 2005 3:55 pm ]
Post subject: 

haha, not like it matters, I've already been told I don't play ffxi and I'm not CKD anymore... so /shrug...

Author:  Kailyn [ Wed May 18, 2005 8:18 pm ]
Post subject: 

Use AdAwareSE Personal, then use Spybot S&D and fix all the things they suggest. Once you have finished using those two, run HijackThis (version 1.99), and post the log file, but don't make any modifications unless you know DAMN sure what you are doing with this one.

I deal with spyware at my company on a weekly basis.

Author:  Xiona [ Wed May 18, 2005 10:37 pm ]
Post subject: 

haha, no matter how hard I try, or what I run, I can't get rid of the crap on my computer. I can't format and redo because I never got Windows disks and shit when I bought the computer... so I'm stuck with dealing with annoyances /fume

Author:  Imaulle [ Wed May 18, 2005 10:52 pm ]
Post subject: 

Microsoft AntiSpyware works really well... it's free at microsoft.com

Author:  Caduceus [ Thu May 19, 2005 1:40 am ]
Post subject: 

Quote:
Microsoft AntiSpyware works really well... it's free at microsoft.com


Normally I wouldn't have trusted a Microsoft anti-spyware/ad-ware program, but ironically it works wonders. Microsoft knows their software.

I would actually recommend Microsoft's AntiSpyware program over Adaware and Spybot S&D. Don't play with some of the advanced features like Track Eraser unless you know what you're doing though (approach some features like you would the "HijackThis" program). Most people here though know their computer hardware/software/OS stuff, so I wouldn't be worried.

Download this program Here: http://www.microsoft.com/athome/securit ... fault.mspx

Author:  Xiona [ Thu May 19, 2005 2:13 am ]
Post subject: 

Yea, I seem to have like a super uber sneaky virus that dl's spyware and crap right after I delete it. I'll run a virus scan and spyware scan and everything will be clean, then I get a pop-up 5 sec later saying I have a virus.... it's getting annoying

Author:  Kailyn [ Thu May 19, 2005 8:51 pm ]
Post subject: 

Xiona, Run HijackThis and post your log. I suspect you simply have a reinstalling spyware like Gator. These can usually be fairly easily removed if you know the procedure to get rid of them.

I do like MS Anti-Spyware, but I've found that for the majority of things floating around, Spybot and Adaware SE Personal are considerably more effective in permanently removing them. They all really have the one failing that they are incapable of removing "reinstalling" spyware, which generally has to be removed manually.

Author:  Xiona [ Thu May 19, 2005 10:17 pm ]
Post subject: 

Logfile of HijackThis v1.99.1
Scan saved at 11:15:45 PM, on 5/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\msik.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\appev.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {33DA09FC-0D84-29B4-815F-CC48795929D4} - C:\WINDOWS\system32\d3hn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [appev.exe] C:\WINDOWS\system32\appev.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/do ... gctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcza32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Author:  Imaulle [ Thu May 19, 2005 11:59 pm ]
Post subject: 

C:\WINDOWS\msik.exe doesn't look familiar to me

Author:  arlania [ Fri May 20, 2005 12:34 am ]
Post subject: 

Rub a magnet on the HD till all your problems go away

Author:  Ponuh [ Fri May 20, 2005 1:08 am ]
Post subject: 

Arlania wrote:
Rub a magnet on the HD till all your problems go away


There was a kid in 6th grade who thought magnet damage on a screen was temporary so he wrote "Fuck you Mr Hogberg(the teacher)- Love Lewis" on the monitor and it stuck.

Author:  unick [ Fri May 20, 2005 1:36 am ]
Post subject: 

HAHA that is funny

Author:  Homsar [ Fri May 20, 2005 2:10 am ]
Post subject: 

if you want some of the best help out there try http://www.geekstogo.com

Author:  Xiona [ Fri May 20, 2005 4:15 am ]
Post subject: 

msik.exe is a virus that I delete and it comes back. There's a few virus downloaders on my compy that just replace the shit I get rid of, and I can't find the original d/l'ers.

Author:  Kailyn [ Fri May 20, 2005 5:40 pm ]
Post subject: 

Restart your system in safe mode (by pressing F8 when the system is booting up)

Under no circumstances start Internet Explorer while doing this as it will simply reinfect your system

Once the system is up, open up the task manager (right click on the toolbar and select Task Manager). Select the Processes tab, and look for appev.exe if it is running. If it is, select it and push the End Process button. Repeat this step for msik.exe if it is running. Ideally these should not be running in safe mode, but I have seen some exceptionally resilient strains of spyware.

Once those two processes have been ended, open up HijackThis.

Put checkmarks next to the following selections:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qgotb.dll/sp.html#28129

O2 - BHO: Class - {33DA09FC-0D84-29B4-815F-CC48795929D4} - C:\WINDOWS\system32\d3hn.dll
O4 - HKLM\..\Run: [appev.exe] C:\WINDOWS\system32\appev.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcza32.exe (file missing)


Select the option to Fix selected entries ( I forget the exact wording on that button but that's fairly close).

When you have finished this, reboot the system as normal. When the system comes back up, run another hijackthis scan (this time with a log) and then post your log again.

Note: Any or all of these files may be hidden. Enable your folders to see hidden and system files. To accomplish this, open a folder (like C:\windows), and select options from the Tools pulldown menu. Select the View Tab, and then scroll down until you see Hidden files and folders. Select the Show hidden files and folders options. Also, de-select the checkmark next to Hide protected operating system files.

Delete C:\windows\system32\appev.exe
Delete c:\windows\qgotb.dll
Delete C:\windows\system32\d3hn.dll
Delete msik.exe (You will probably have to scan for this file, but odds are it is sitting in either the c:\windows or c:\windows\system32 directories, or a temp directory.)

At this point you may wish to re-enable your folders to hide protected operating system files if you have a habit of "deleting stuff".

Also, open up Internet Explorer and select options from the Tools pulldown menu. On the Internet Options Menu, select the Security tab, and then highlight the Internet (it should be highlighted by default), and then move the Security level bar back to Medium. If it shows on medium, move the bar off medium, and then back, and then click the Apply button at the bottom. This will reset your ActiveX controls in case they have been compromised. Click Ok, and you should be all done.

Run your Anti-spyware programs to clean up the remnants.

Reboot one last time.

Good luck.
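
As an added illustration (not code from this thread or from HijackThis itself), here is a small Python triage script that applies the same checks Kailyn applied by eye to Xiona's log: res:// search-page hijacks, a nameless BHO, a Run entry named after its own executable, a service with an unknown owner or missing binary, and an executable sitting directly in C:\WINDOWS the way msik.exe did. The sample log is constructed from entries quoted in this thread; the function names and heuristics are my own assumptions, not HijackThis features.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format of a HijackThis v1.99 log, modelled on the
# entries Kailyn told Xiona to fix, with a few benign lines for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msik.exe
C:\WINDOWS\system32\appev.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgotb.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yarrthepirate.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {33DA09FC-0D84-29B4-815F-CC48795929D4} - C:\WINDOWS\system32\d3hn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [appev.exe] C:\WINDOWS\system32\appev.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Remote Procedure Call (RPC) Helper (11F) - Unknown owner - C:\WINDOWS\mfcza32.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] \"?([^\" ]+)")
KNOWN_IN_WINDIR = {"explorer.exe"}  # legitimately sits directly in C:\WINDOWS

def triage(log_text):
    """Return (section, reason, line) for each entry worth a closer look.
    These are triage heuristics, not verdicts: benign software can trip them."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line or line.endswith(":"):
            continue
        m = ENTRY.match(line)
        if not m:  # not an R/O entry: treat it as a running-process path
            p = PureWindowsPath(line)
            if str(p.parent).lower() == r"c:\windows" and p.name.lower() not in KNOWN_IN_WINDIR:
                findings.append(("process", "executable sitting directly in C:\\WINDOWS", line))
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1") and "res://" in body:
            findings.append((sec, "IE search/start page redirected to a local DLL via res://", line))
        elif sec == "R3" and "is missing" in body:
            findings.append((sec, "default URLSearchHook removed", line))
        elif sec == "O2" and body.split(" - ")[0].removeprefix("BHO: ") in ("Class", "(no name)"):
            findings.append((sec, "BHO with a generic or empty name", line))
        elif sec == "O4" and (r := RUN.match(body)):
            name, path = r.groups()
            if name.lower() == PureWindowsPath(path).name.lower():
                findings.append((sec, "Run entry named after its own executable", line))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((sec, "service with unknown owner or missing binary", line))
    return findings

def fix_list(findings):
    """The HijackThis entries to tick and 'Fix' (process hits are ended in Task Manager instead)."""
    return [line for sec, _, line in findings if sec != "process"]
```

Calling triage(SAMPLE_LOG) flags msik.exe, the qgotb.dll search hijack, the missing URLSearchHook, the nameless BHO, the appev.exe Run entry and the orphaned RPC Helper service, while leaving the Acrobat, AVG and Start Page lines alone.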

Author:  Xiona [ Sat May 21, 2005 12:29 am ]
Post subject: 

haha, the funny part about this is I was pissed before because I was trying to delete those .exe files and couldn't end them to complete the delete. I forgot all about "safe mode".

The one line -- O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcza32.exe (file missing) -- won't go away. I think that's the only file I was able to successfully delete before I used hijack.exe.

Other than that one line everything seems to be working fine, my AIM is even working again lol. Thanks a bunch Kailyn.

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yarrthepirate.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.activation.rr.com/install/do ... gctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\mfcza32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Author:  Kailyn [ Sat May 21, 2005 12:32 am ]
Post subject: 

np. That service isn't a big deal since the file associated with it no longer exists. It's just a minor hiccup when booting.

Page 1 of 1 All times are UTC - 5 hours