Re: Getting rid of residual adware/spyware elements
From: Mike Burgess (winhelp2002_at_spamthis.com)
Date: 02/09/04
- Next message: Marvin: "virus?"
- Previous message: David H. Lipman: "Re: Is it virus attack ??"
- In reply to: Jeff Conrad: "Re: Getting rid of residual adware/spyware elements"
- Next in thread: Jeff Conrad: "Re: Getting rid of residual adware/spyware elements"
- Reply: Jeff Conrad: "Re: Getting rid of residual adware/spyware elements"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 9 Feb 2004 09:18:27 -0500
Hi Jeff,
I had a look at your log:
http://forums.spywareinfo.com/index.php?showtopic=31596&hl
I see you had the Coolwebsearch trojan ......
aka: TROJ_IEFEATS.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_IEFEATS.A&VSect=T
You also have a problem with your winsock. (TargetSoft.inetadpt)
http://www.kephyr.com/spywarescanner/library/targetsoft.inetadpt/index.phtml
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
Firstly, download, unzip and run LSPFix.exe from here:
http://www.cexx.org/lspfix.htm
Remove inetadpt.dll from your winsock layers.
In order to do this, click the "I know what I'm doing"
checkbox and check all instances of inetadpt.dll (and nothing else)
Then move all checked files to the "Remove" pane and click Finish.
Reboot your PC.
--
As for your (infected) HOSTS file = delete it and download a new one below
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
Please post replies to this Newsgroup, email address is invalid
--

"Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
news:O7uazwn7DHA.3432@TK2MSFTNGP11.phx.gbl...
> Hi Mike,
>
> Thank you very much for sticking with me.
> Your patience is most kind.
>
> I posted a message in the forum here:
> http://www.spywareinfo.com/forums/
>
> I did that on Friday, but I have not received any responses yet.
> I did not post the HT log in the initial post, but I will now knowing that
> you'll take a look.
> I'm way down the list on Page 11 I think.
> This link may get you right there:
> http://forums.spywareinfo.com/index.php?showforum=30&prune_day=30&sort_by=Z-A&sort_key=last_post&st=300
>
> (Watch out for possible line wrapping)
>
> It's under Guest_Jeff with a title of : Getting rid of residual Look2Me
> I repeated a lot of what I said in the newsgroup post along with some
> additional information.
>
> I accessed that PC through PcAnywhere and did a search for Hosts. Here is the
> list:
> Hosts.sam
> LMHosts.sam
> Hosts (dated 1/28/04)
> Hosts.(bunch of numbers).Backup (dated 1/28/04) 4 of these actually
> Update_Host.Dll (this one sounds like a red flag to me!)
> Hosts.sbs.sig (In Spybot directory)
> Hosts.sbs (In Spybot directory)
>
> The Hosts file has a TON of entries starting with 66.159.20.52.
> All of which are pornographic sites.
> Can I just delete the file and replace it with my Win 98 Hosts file?
> My file looks just like the standard Windows one.
>
> Thanks again for the help.
> I will post the HT file now.
>
> Jeff
>
>
> "Mike Burgess" <winhelp2002@spamthis.com> wrote in message
> news:uuIrMQk7DHA.1768@tk2msftngp13.phx.gbl...
> > Jeff,
> > Do you have a link to where you posted your HT log?
> > I'll have a look ..... as for the HOSTS file, when you see that
> > message like that, it means it's been hijacked (altered) by one
> > or more parasites that are now redirecting or preventing you
> > from accessing some sites.
> >
> > You can either rename the file, or as suggested you can delete
> > it and obtain another (see below)
> > ____________________________________________________________
> > Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> > Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> > http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
> > Please post replies to this Newsgroup, email address is invalid
> > --
> >
> > "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> > news:eMESneO7DHA.488@TK2MSFTNGP12.phx.gbl...
> > > Hi Mike,
> > >
> > > Apologies for the delay and oversight in noticing the link also mentioned
> > > deleting the Temp folder. My bad.
> > >
> > > Ok, I did the deltree option and deleted the History, Temp, and TIF folders.
> > > Restarted the machine and immediately went to the TIF folder before doing
> > > anything else.
> > > There were two files in it:
> > >
> > > SelectorV2[1].htm
> > > skin[1].htm
> > >
> > > I deleted them immediately.
> > > The vupd folder in the Temp directory also was back.
> > > Frustrating!
> > >
> > > I downloaded the HijackThis.exe and scanned.
> > > There definitely appears to be still some problems.
> > > It said I should probably delete the Hosts file.
> > > What would happen if I do that?
> > > I think there are some other Hosts files as well.
> > > Should I delete them all??
> > >
> > > I saved the scan log from HijackThis and posted a question on the forum
> > > mentioned elsethread.
> > >
> > > I'm very hesitant about proceeding further without expert advice; I don't
> > > want to make a mistake on their computer and blow it up!
> > >
> > > Thanks for any guidance,
> > > Jeff
> > >
> > >
> > > "Mike Burgess" <winhelp2002@spamthis.com> wrote in message
> > > news:#U6fLIT6DHA.2712@tk2msftngp13.phx.gbl...
> > > > Jeff,
> > > > > The link you pointed me to discusses emptying the Temporary Internet File Folder"
> > > > If you look again ........ it does include the "Temp" folder.
> > > > http://mvps.org/winhelp2002/delcache.htm#Win98
> > > > --
> > > > Restart in Ms-Dos Mode
> > > > From C:\> (type and press Enter after each command)
> > > >
> > > > cd\windows
> > > > smartdrv
> > > > deltree tempor~1
> > > > deltree history
> > > > deltree temp
> > > >
> > > > Restart (Ctrl-Alt-Del)
> > > > ____________________________________________________________
> > > > Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> > > > Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> > > > http://www.mvps.org/winhelp2002/hosts.htm [updated 01-31-04]
> > > > Please post replies to this Newsgroup, email address is invalid
> > > > --
> > > >
> > > >
> > > > "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> > > > news:uS7xtCP6DHA.3548@TK2MSFTNGP11.phx.gbl...
> > > > > Hi Mike,
> > > > >
> > > > > Your expertise is most welcome.
> > > > > I'm a little confused by your response though.
> > > > > The link you pointed me to discusses emptying the Temporary Internet File
> > > > > Folder.
> > > > > I have used the deltree thing before on computers in the past so I do have
> > > > > experience with that.
> > > > >
> > > > > However, this folder is appearing in the Windows Temp folder, not the TIF
> > > > > folder.
> > > > > If I delete the folder in Explorer it comes back after the next restart.
> > > > > I have already cleared EVERYTHING out of the TIF and Cookies folders.
> > > > > Are you saying I should still do the deltree option on this 98 machine?
> > > > >
> > > > > I do appreciate the links.
> > > > > I won't be able to run the test and post the results until later in the
> > > > > week.
> > > > >
> > > > > Thanks again for the help and support,
> > > > > Jeff
> > > > >
> > > > >
> > > > > "Mike Burgess" <winhelp2002@spamthis.com> wrote in message
> > > > > news:OoZyROE6DHA.3548@TK2MSFTNGP11.phx.gbl...
> > > > > > Jeff,
> > > > > > >"Or do I even need to worry at all about them?"
> > > > > > Yes you need to worry about them!
> > > > > >
> > > > > > >"C:\Windows\Temp\vupd"
> > > > > > That's the first clue ..... empty the "Temp" folder
> > > > > > http://mvps.org/winhelp2002/delcache.htm#Win98
> > > > > >
> > > > > > As Russell suggested, run HijackThis and post your log here:
> > > > > > [SpyBot Support Forum]
> > > > > > http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi
> > > > > > ____________________________________________________________
> > > > > > Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> > > > > > Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> > > > > > http://www.mvps.org/winhelp2002/hosts.htm [updated 01-25-04]
> > > > > > Please post replies to this Newsgroup, email address is invalid
> > > > > > --
> > > > > >
> > > > > > "Jeff Conrad" <jeffc@ernstbrothers.com> wrote in message
> > > > > > news:OjTfNc15DHA.360@TK2MSFTNGP12.phx.gbl...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I hope this is an appropriate place to post this question.
> > > > > > > I've spent MANY hours cleaning up a computer in the office here that was
> > > > > > > proliferated with adware/spyware and a couple of viruses. And yes, I slapped
> > > > > > > the person silly!
> > > > > > > It is Windows 98 SE.
> > > > > > >
> > > > > > > I updated their McAfee virus DAT files and cleaned the viruses.
> > > > > > > I installed Spybot Search And Destroy, updated the program, and then
> > > > > > > scanned.
> > > > > > > Good golly they had a ton of stuff!
> > > > > > > The scanner even said, "Whew, hang on a minute I need a breather.." <g>
> > > > > > >
> > > > > > > Their home page was always being hijacked which was obviously a tell-tale
> > > > > > > sign of adware/spyware. They had several kinds. Symantec's removal
> > > > > > > instructions for one of them was pretty poor. It listed all the registry
> > > > > > > entries, but it gave no clue as to what they should be changed back to. So I
> > > > > > > took some screen shots of my registry and manually made the changes back.
> > > > > > > All seems to be OK now.
> > > > > > >
> > > > > > > Several passes of the virus scanner all come clean now.
> > > > > > > Several passes of Spybot come clean EXCEPT for 2 things every time.
> > > > > > >
> > > > > > > 1. First Issue:
> > > > > > > It says "NewtonKnows" and lists a folder called:
> > > > > > > C:\Windows\Temp\vupd
> > > > > > > I check to fix the problem and it goes away.
> > > > > > > But, when I restart the machine it is back!
> > > > > > > If I manually delete it in Explorer it returns again on the next restart!
> > > > > > > What's going on?!
> > > > > > >
> > > > > > > 2. Second Issue:
> > > > > > > They had the Look2Me spyware.
> > > > > > > The removal instructions say to delete a few registry entries, but they
> > > > > > > return!
> > > > > > > Specifically:
> > > > > > > HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FDO631E726}
> > > > > > > If I delete the key it goes away.
> > > > > > > Then I close the registry.
> > > > > > > Open registry back up and IT'S THERE AGAIN!
> > > > > > > Also sometimes, one of the other registry entries comes back as well!
> > > > > > > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions{same number above}
> > > > > > > I delete it and it comes back!
> > > > > > >
> > > > > > > Why do these keep re-appearing?!!
> > > > > > > And how do I get rid of them?
> > > > > > > Or do I even need to worry at all about them?
> > > > > > >
> > > > > > > Any help would be most appreciated.
> > > > > > > Jeff
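
The hijacked HOSTS file described in this thread (many names mapped to one outside address) can be checked before deciding to delete it. The following is an added example, not part of the original posts or of any tool named in them; the sample file and its hostnames are constructed, and only the address 66.159.20.52 comes from the thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: hostnames are placeholders; the IP is the one quoted in the thread.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
66.159.20.52    search.example.com
66.159.20.52    www.example.net      # trailing comment
66.159.20.52    mail.example.org webmail.example.org
0.0.0.0         ads.example.com
not-an-ip       broken.example.com
"""

def parse_hosts(text):
    """Yield (lineno, address or None, names) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None  # first field is not an IP address
        yield lineno, addr, [n.lower() for n in fields[1:]]

def audit_hosts(text):
    """Return ({ip: [names]}, [malformed line numbers]).

    Loopback and 0.0.0.0 mappings (stock and blocking-style entries) are
    skipped; anything else sends the name to another machine and is reported.
    """
    redirects, malformed = defaultdict(list), []
    for lineno, addr, names in parse_hosts(text):
        if addr is None or not names:
            malformed.append(lineno)
        elif not (addr.is_loopback or addr.is_unspecified):
            redirects[str(addr)].extend(names)
    return dict(redirects), malformed

if __name__ == "__main__":
    redirects, malformed = audit_hosts(SAMPLE_HOSTS)
    for ip, names in sorted(redirects.items(), key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(names)} name(s) redirected -> {', '.join(names)}")
    print("malformed lines:", malformed)
```

Reported entries are candidates for review rather than proof of hijacking, since a HOSTS file can legitimately map internal machine names to real addresses.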