Old 12-08-2004, 14:05   #101
LIGHTRAY
Vandelay Industries
 
Join Date: Aug 2001
Location: Somewhere..beyond the sea...somewhere...
Posts: 1,303
Thanks: 13
Thanked 4 Times in 4 Posts
Help!

Spysweeper has found "PaulSnerf.exe" in my registry and start up. I've disabled it with a program, but every time I delete it, it comes back instantly. Spysweeper is the only program to find it.

Anyone help me get rid of it?

Last edited by LIGHTRAY; 12-08-2004 at 14:06.
LIGHTRAY is offline   Reply With Quote
Old 16-08-2004, 14:00   #102
Mr Flibble
Trusted User
 
Join Date: Jun 2000
Location: Kelso
Posts: 5,809
Thanks: 78
Thanked 37 Times in 22 Posts
Another person with a problem here!

In my start bar, just next to the system tray I get two boxes, one marked 'search the web' and another that lets you enter search text - this takes you to a websearch results page called 'BlazeFind'. I've tried Adaware and Spybot but had no joy - searching on Google I've tried a few of the suggestions, but hit a brick wall - anyone else had this happen to them?


--edit--

Turns out there's an update to Adaware available to download, just ran it now, and it's deleted all traces of the dreaded BlazeFind.

Last edited by Mr Flibble; 16-08-2004 at 14:17. Reason: Fixed it myself !!
Mr Flibble is offline   Reply With Quote
Old 22-08-2004, 12:10   #103
Big A
OTBC
 
Join Date: Jun 2002
Location: East
Posts: 3,771
Thanks: 35
Thanked 7 Times in 7 Posts
What's the best way of stopping spam, as I'm getting loads recently?
Big A is offline   Reply With Quote
Old 25-08-2004, 23:55   #104
Guest 5704
Trusted User
 
Join Date: Mar 2001
Location: London
Posts: 698
Thanks: 0
Thanked 0 Times in 0 Posts
I had a problem that kept coming back no matter what program I used to get rid of it. Found that if I ran Adaware in safe mode, the spyware was deleted. If you are stuck, it might be worth running HJT, Adaware etc. in safe mode. Worked for me.
Guest 5704 is offline   Reply With Quote
Old 07-09-2004, 19:44   #105
Guest 30486
Where Me Posts Gone?
 
Join Date: Apr 2003
Location: Birmingham
Posts: 513
Thanks: 0
Thanked 0 Times in 0 Posts
Very annoyed at the moment as I too am having homepage problems. I had these Forums as my homepage but now it comes up "about blank" and redirects me to some Yahoo search page. Ad Aware couldn't sort it and Spy Bot found some things that Ad Aware didn't but it's still got me stumped. Also I can't get rid of "trusted sites" in the bottom right hand corner no matter how many times I click on the Internet globe option. Seems to be making my 'puter run really slow too. Any ideas before I try CW Shredder?
Guest 30486 is offline   Reply With Quote
Old 19-09-2004, 23:20   #106
Guest 30486
Where Me Posts Gone?
 
Join Date: Apr 2003
Location: Birmingham
Posts: 513
Thanks: 0
Thanked 0 Times in 0 Posts
It didn't work
Guest 30486 is offline   Reply With Quote
Old 20-09-2004, 06:17   #107
Guest
 
Posts: n/a
Have you run HiJack This?
  Reply With Quote
Old 23-09-2004, 00:20   #108
Guest 30486
Where Me Posts Gone?
 
Join Date: Apr 2003
Location: Birmingham
Posts: 513
Thanks: 0
Thanked 0 Times in 0 Posts
Not yet. Bit afraid to be honest. Running "Spyware Guard" at the mo and it's good when it warns me that the homepage is trying to change. Seems to have put an end to those annoying pop-ups too.
Guest 30486 is offline   Reply With Quote
Old 23-09-2004, 06:21   #109
Guest
 
Posts: n/a
Quote:
Originally Posted by Jay Sherman
Not yet. Bit afraid to be honest.
After you have run it, don't delete anything until you have got some advice from either on here or elsewhere. There are forums out there that are set up especially for people's HiJack This logs.
  Reply With Quote
Old 24-09-2004, 02:32   #110
Guest 40950
Registered User
 
Join Date: Mar 2004
Posts: 293
Thanks: 0
Thanked 0 Times in 0 Posts
What is the best config for blocking this cack, rather than removing it post facto?

I have added a load of crapware sites to my IE block list with one of the utils in this thread, and have SpywareGuard running.....
Guest 40950 is offline   Reply With Quote
Old 28-09-2004, 14:20   #111
Guest 18858
Trusted User
 
Join Date: May 2002
Posts: 1,770
Thanks: 0
Thanked 0 Times in 0 Posts
I really appreciate this sticky, thanks!

I have tried your suggested fixes but I still get taken to (or try to get taken to, to be more precise!) http://www.zoombar.net:8000/

Any suggestions on how to get rid of this would be much appreciated!

Thanks

Dave

Last edited by DaveJP; 28-09-2004 at 14:39. Reason: Maybe fixed now
Guest 18858 is offline   Reply With Quote
Old 28-09-2004, 17:00   #112
Dan
Passed away :(
 
Join Date: May 2002
Posts: 18,791
Thanks: 1
Thanked 3 Times in 2 Posts
Quote:
Originally Posted by DaveJP
I really appreciate this sticky, thanks!

I have tried your suggested fixes but I still get taken to (or try to get taken to, to be more precise!) http://www.zoombar.net:8000/

Any suggestions on how to get rid of this would be much appreciated!

Thanks

Dave
Got this from their website

http://www.zoombar.net:8000/remove.html
Dan is offline   Reply With Quote
Old 28-09-2004, 20:07   #113
Guest 30486
Where Me Posts Gone?
 
Join Date: Apr 2003
Location: Birmingham
Posts: 513
Thanks: 0
Thanked 0 Times in 0 Posts
Just about had enough of this rubbish now. Might try a couple more things before the last resort which is saving all my stuff to disk and starting from scratch. Bloody annoying.
Guest 30486 is offline   Reply With Quote
Old 28-09-2004, 23:34   #114
Guest 30486
Where Me Posts Gone?
 
Join Date: Apr 2003
Location: Birmingham
Posts: 513
Thanks: 0
Thanked 0 Times in 0 Posts
Ok I've run Hijack This. Now what? Here's my log:-

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\MFCSR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.play.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {52FC6CF6-B6EF-E8BC-7A02-C68DF6D6318D} - C:\WINDOWS\SYSTEM\WINMD32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [MFCSR.EXE] C:\WINDOWS\MFCSR.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .cfm: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPPL3260.DLL
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {25336921-03F9-11CF-8FD0-00AA00686F13} (Microsoft HTML Document 5.0) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...237.4930439815

Some of them look suspicious, especially "about blank" which has been my homepage for the past few weeks no matter how many times I try to get rid of it. Also the "trusted sites" are annoying. I've tried to get back to having the Internet globe in the bottom right hand corner but to no avail. Any help getting things back the way they were would be much appreciated.
Guest 30486 is offline   Reply With Quote
Old 29-09-2004, 07:41   #115
Guest 18858
Trusted User
 
Join Date: May 2002
Posts: 1,770
Thanks: 0
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by Dan
Got this from their website

http://www.zoombar.net:8000/remove.html
Thanks Dan, that's done the trick!

Our proxy server only allows port 80 in and out (and 443) so I got to the site by removing the 8000.

Thanks again

Dave
Guest 18858 is offline   Reply With Quote
Old 29-09-2004, 08:49   #116
Mr Flibble
Trusted User
 
Join Date: Jun 2000
Location: Kelso
Posts: 5,809
Thanks: 78
Thanked 37 Times in 22 Posts
Right - I've got probs now with something trying to continually change my Internet Explorer home page - I've got Spybot SD-resident running in the background, so that keeps popping up and alerting me that something is trying to change it - so I can keep saying 'deny change' but it's annoying that this keeps happening a lot of the time.

Running HijackThis produces the following info:

Quote:
Logfile of HijackThis v1.97.7
Scan saved at 09:45:17, on 29/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\KeirNet\K9\K9.exe
C:\Program Files\Windows NT\dialer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dave Grainger\My Documents\HijackThis (1).exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xqsrnpvwokjg.com/IGLcAWcO...i90k9Ef2o3.jpg
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [StatusClient 2.5] C:\Program Files\Hewlett-Packard\Toolbox\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Spam Enc] C:\PROGRA~1\Drive Surf\itch exit.exe
O4 - HKLM\..\Run: [GRAMLONGSITEFIRST] C:\Documents and Settings\All Users\Application Data\up does gram long\HTM BLUE.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Startup: Shortcut to dialer.lnk = C:\Program Files\Windows NT\dialer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094544632234
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/...r/PROFILER.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
I've also got spywareguard and spywareblaster up and running, along with adaware which keeps detecting 'DSO exploits' - always 5 of them, which I'm unable to remove.

Can someone help out?

Last edited by Mr Flibble; 29-09-2004 at 08:51.
Mr Flibble is offline   Reply With Quote
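An added example, not from any poster in this thread and not HijackThis's own code: a Python triage pass over log lines like those in the two logs above, listing entries worth raising with a helper before anything is deleted. The sample lines are copied from those logs with the CLSID braces restored; the function names and the four review rules are this example's own assumptions, not HijackThis verdicts.

```python
import re

# Constructed sample: six lines copied from the two logs above (CLSID braces restored).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sumff.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.play.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
"""

# Meaning of the HijackThis section codes used by the rules below.
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O15": "Trusted Zone site",
    "O16": "downloaded ActiveX control (DPF)",
}

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")


def parse(log_text):
    """Yield (code, body) for each line that starts with a section code."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def review_reason(code, body):
    """Return why an entry deserves a second look, or None. Heuristics only."""
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2].strip()  # empty when no value is set
        if value.lower().startswith("res://"):
            return "IE setting loads a page from inside a local file"
    elif code == "O2" and body.endswith("(no file)"):
        return "BHO is registered but its file is missing"
    elif code == "O15":
        return "site was added to the Trusted Zone"
    elif code == "O16" and body.endswith("-"):
        return "ActiveX entry has no name or download source"
    return None


def triage(log_text):
    """Return (code, reason, body) for entries to ask about before any removal."""
    return [(c, r, b) for c, b in parse(log_text) if (r := review_reason(c, b))]


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<3} {SECTIONS.get(code, 'other')}: {reason}\n    {body}")
```

An entry the rules skip is not thereby cleared; the list is only a starting point for the kind of log review the posters are asking for.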
Old 29-09-2004, 13:41   #117
Guest
 
Posts: n/a
I get the 5 DSO exploits as well when I run Spybot. I did read somewhere that it's not a problem as long as your Windows is patched up with the latest security patches.
Sorry, can't help you with the HijackThis log.

Last edited by locust64; 29-09-2004 at 13:42.
  Reply With Quote
Old 29-09-2004, 14:25   #118
Mr Flibble
Trusted User
 
Join Date: Jun 2000
Location: Kelso
Posts: 5,809
Thanks: 78
Thanked 37 Times in 22 Posts
Cheers for the reply mate. A few hunts on Google say the same as you do about that DSO thing.
Mr Flibble is offline   Reply With Quote
Old 29-09-2004, 18:46   #119
Guest
 
Posts: n/a
Quote:
Originally Posted by Jay Sherman
Ok I've run Hijack This. Now what? Here's my log:-
Register and post your log here. You should get a fairly quick response.
  Reply With Quote
Old 29-09-2004, 23:43   #120
Guest 30486
Where Me Posts Gone?
 
Join Date: Apr 2003
Location: Birmingham
Posts: 513
Thanks: 0
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by Alan. b
Register and post your log here. You should get a fairly quick response.
Just posted, thanks. Read a few other logs and it seems like a good Forum. Hopefully this will be the end of me tearing my hair out.
Guest 30486 is offline   Reply With Quote