Re: spy ware

From: MowGreen [MVP] (mowgreen_at_nowandzen.com)
Date: 07/06/04


Date: Tue, 06 Jul 2004 07:00:56 -0700

mike,

Hate to inform you that this is a Cool Web Search variant of :
http://forum.aumha.org/viewtopic.php?t=6207&start=0&postdays=0&postorder=asc&highlight=

Unfortunately, it's evolved and the removal method laid out in the
above link may not resolve the issue. The .dll file will keep
renaming itself but these entries will repeatedly appear in the
Hijack This Log :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\<randomname>.dll/sp.html#<randomnumber>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://<randomname>.dll/index.html#<randomnumber>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://<randomname>.dll/index.html#<randomnumber>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\<randomname>.dll/sp.html#<randomnumber>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\<randomname>.dll/sp.html#<randomnumber>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://<randomname>.dll/index.html#<randomnumber>

You have to stop the process and edit the registry to remove it.
The problem is identifying the specific process. To do so one must
boot to Safe Mode, enable "Show hidden files and folders", run an AV
scan, and then run CWShredder, AdAware, and Spybot
( links to programs can be found here --
http://www.siena.edu/antivirus/Spyware/default.html ).

Then scan with HJT and look for entries such as these :

O4 - HKLM\..\RunOnce: [netyh32.exe] C:\WINDOWS\netyh32.exe
or
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

The O4 entry may/will have a different named .exe file .
The O18 entry may/will have a different CLSID
( B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D is another known one ) but
the msopt.dll entry is common in this CWS variant.
You can then edit the registry and remove the keys as laid out here:
http://www.kephyr.com/spywarescanner/library/msopt/index.phtml
Reboot to Safe Mode, run HJT, and remove the CWS entries.

OR, skip all of the above and try this untested tool here :
http://www.hsremove.com/
------------------------------------------
WARNING : THIS TOOL HAS NOT BEEN TESTED. No recommendation nor
endorsement of it is acknowledged. Not responsible for any damage
to your system or nerves.
DO NOT USE IT unless you first make a manual restore point and
know : How to start the System Restore tool at a command prompt
in Windows XP http://support.microsoft.com/?kbid=304449
---------------------------------------------

MowGreen [MVP]
===============
  *-343-* FDNY
Never Forgotten
===============

mike ghobadi wrote:

> Thank you for your reply. I purchased something called xoft spy
> and downloaded it off the net. I already had ad aware but that
> did not help me. It does not allow me to change my home page and
> even when I downloaded something called hijack this and deleted
> the files it still comes back under a different name in the url
> but the same web page keeps popping up. Thank you
>
> "Mike Bright MSP" wrote:
>
>
>> Which SpyWare package did you buy??
>>
>> Can you detail a little more about what is actually
>> happening???
>>
>> Also, as your purchased Spyware didn't work, give Ad-Aware a try
>> (www.lavasoftusa.com), it's free and it's normally very very
>> good.
>>
>> Try it and post back if you still have the spyware issue and
>> we'll walk through removing it :D
>>
>> Regards
>>
>> Mike Bright MCP, MSP
>>
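
Added example (not part of the original post, and not code from HijackThis or any tool it links to): a Python triage pass over a pasted HijackThis log that re-joins entries a mail client has wrapped and flags the three patterns described in the message above. The sample log, its random names and the RunOnce heuristic are constructed assumptions.

```python
import re

# CLSIDs named in the post, upper-cased for comparison.
KNOWN_CLSIDS = {"4A8DADD4-5A25-4D41-8599-CB7458766220",
                "B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D"}
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
RES_DLL = re.compile(r"=\s*res://[^/]*\.dll/", re.I)
# Assumed heuristic: RunOnce launching an .exe directly from C:\WINDOWS.
RUNONCE_EXE = re.compile(r"\\RunOnce: \[[^\]]+\] C:\\WINDOWS\\[^\\]+\.exe$", re.I)
CLSID = re.compile(r"\{([0-9A-F-]{36})\}", re.I)

# Constructed sample (random names invented), wrapped the way a mail client would.
SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\abcde.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\RunOnce: [netyh32.exe] C:\WINDOWS\netyh32.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} -
C:\WINDOWS\msopt.dll
"""

def unwrap(text):
    """Re-join entries that were wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)          # a new log entry begins here
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def triage(text):
    """Return (reason, entry) pairs for entries matching the post's patterns."""
    hits = []
    for e in unwrap(text):
        code = e.split(" - ", 1)[0]
        m = CLSID.search(e)
        if code in ("R0", "R1") and RES_DLL.search(e):
            hits.append(("res-dll-page", e))      # IE page served from a DLL resource
        elif code == "O18" and ("msopt.dll" in e.lower()
                                or (m and m.group(1).upper() in KNOWN_CLSIDS)):
            hits.append(("o18-protocol", e))      # protocol handler from the post
        elif code == "O4" and RUNONCE_EXE.search(e):
            hits.append(("runonce-exe-review", e))  # needs a human look, not proof
    return hits
```

`triage(SAMPLE)` flags the wrapped R1 entry, the RunOnce entry and the O18 entry, and leaves the ordinary Start Page and Run entries alone.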


