Clusterheadaches.com Message Board (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
New Message Board Archives >> 2004 Posts >> SPYWARE (Help needed)
(Message started by: don on Oct 19th, 2004, 11:39am)

Title: SPYWARE (Help needed)
Post by don on Oct 19th, 2004, 11:39am
Anybody know how to get rid of the "coolwww" browser hijacker?

Spyware scan picks it up, disables it, then it comes right back.

Is it a cookie in memory?

Title: Re: SPYWARE (Help needed)
Post by Racer1_NC on Oct 19th, 2004, 11:43am
I use a combo of Spybot Search and Destroy and Adaware. The really tough ones require manually deleting files.....for this I use Hijack This. Word of caution.....Hijack This can lead you to delete files that are not spyware. Use with caution.

Try the first 2.......they should get it.

Bill

Title: Re: SPYWARE (Help needed)
Post by don on Oct 19th, 2004, 11:46am
I have used Spybot and the Earthlink program. Both get it but it comes right back.

I'll try hijack this. Got a link?

Title: Re: SPYWARE (Help needed)
Post by vig on Oct 19th, 2004, 11:47am
Here's one way I found:
http://forums.spywareinfo.com/lofiversion/index.php/t13722.html

Title: Re: SPYWARE (Help needed)
Post by Racer1_NC on Oct 19th, 2004, 12:12pm
Boy that's a nasty biotch.........Hope you have some time Don.....

Title: Re: SPYWARE (Help needed)
Post by alleyoop on Oct 19th, 2004, 12:21pm

on 10/19/04 at 11:43:15, Racer1_NC wrote:
Word of caution.....Hijack This can lead you to delete files that are not spyware. Use with caution.

Be very careful with HijackThis and don't delete anything you aren't sure about.

.................alley

Title: Re: SPYWARE (Help needed)
Post by Ree on Oct 19th, 2004, 12:27pm
Go to your Ctrl-Alt-Delete.... then to processes... it's in there, remove it. Also go to regedit... and get it out of there too... doesn't this suck that we have become computer geeks just to be part of this wonderful world.........kills me.........love ya donny even though you didn't invite me to your looney party either................hehehehehehe ree

Title: Re: SPYWARE (Help needed)
Post by nani on Oct 19th, 2004, 1:35pm
I'm having a helluva time with "Grandstreetinteractive" and "shopnav" I HATE SPYWARE!!! This has totally messed with my ability to surf...it even shows up here. I'll hit a link to reply for example and get a "we couldn't find...but here are some related sites..."   >:( >:( >:(

Title: Re: SPYWARE (Help needed)
Post by ExplodingEyeBall on Oct 19th, 2004, 1:41pm
I found a very informative article at www.experts-exchange.com. http://www.experts-exchange.com/Security/Win_Security/Q_21007953.html

In case you can't get to this article, here is the accepted answer from this link.

I have never had to deal with this one so, I don't know how effective this procedure is.

IF YOU ARE NOT FAMILIAR WITH USING THE SYSTEM REGISTRY, HAVE SOMEONE WHO KNOWS HOW DO THIS FOR YOU!!!

That was my disclaimer.
If you whack your system, don't blame me. Please!!!! Have someone help you if you haven't messed with the registry yourself.
-----------------------------------------------------------------------
Turn off "System Restore" and clear your restore points.

Reboot your computer into "Safe" mode - press the F8 key repeatedly as soon as the computer begins to start - choose "Safe Mode" from the menu.
Start registry editor and navigate to the following keys:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
and, in the right pane, look for the value: "MSStartOptimizer" - delete it if it exists.
Do the same for the value: "RegCompres"
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
Look for the same two values, in the right pane, and delete them if they exist.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
in the right pane, look for the values - wintime and/or wintime.exe and delete them.
Search the registry for any values named udpmod.dll - delete any value in the right pane that you find.

Search your computer for any instances of sachost.exe, SVCHOSD.EXE, WINUPD.EXE, and REGCPM32.EXE - and delete any that you find.

Clean out all of your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
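
A read-only triage sketch for the HijackThis log mentioned in this thread, added here as an example and not part of any post: it flags log lines that carry the registry value names and file names listed in the procedure above, so only those entries need a closer look. The `O4 - HKLM\..\Run: [name] command` layout is HijackThis's startup-entry line format; the sample log, `triage` and the other identifiers are constructed for illustration.

```python
import re

# Names taken from the post above; matching is case-insensitive.
RUN_VALUE_NAMES = {"msstartoptimizer", "regcompres", "wintime", "wintime.exe"}
NAMES_ANYWHERE = {"sachost.exe", "svchosd.exe", "winupd.exe", "regcpm32.exe", "udpmod.dll"}

# HijackThis startup entry: O4 - HKLM\..\Run: [ValueName] command line
O4_LINE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]")

# Constructed sample log; the paths and the placeholder CLSID are invented.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosd.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\udpmod.dll
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\example.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\System32\regcpm32.exe
"""

def triage(log_text):
    """Return (line_no, reason) for every log line that matches a listed name."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = O4_LINE.match(line)
        if m and m["name"].lower() in RUN_VALUE_NAMES:
            findings.append((line_no, f"{m['key']} value {m['name']}"))
            continue
        # Compare whole path components, so the legitimate svchost.exe is
        # never confused with the look-alike SVCHOSD.EXE from the post.
        tokens = re.split(r'[\\/\s",]+', line.lower())
        hits = sorted(NAMES_ANYWHERE.intersection(tokens))
        if hits:
            findings.append((line_no, "file " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {lines[line_no - 1]}")
```

The script only reports; anything it flags still has to be confirmed before it is deleted, and entries it does not flag are not thereby shown to be clean.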



Title: Re: SPYWARE (Help needed)
Post by don on Oct 19th, 2004, 1:43pm
How about this?

I download Opera Browser and completely delete IE 6.

Then download IE 6 again. Will the spyware be gone?

Title: Re: SPYWARE (Help needed)
Post by Ree on Oct 19th, 2004, 2:02pm
I downloaded Netscape, uninstalled IE... and came back. Love Netscape but it has some explorer thing attached to it too... life in spy ware sucks.........ree

Title: Re: SPYWARE (Help needed)
Post by don on Oct 19th, 2004, 2:04pm
Appreciate the replies but I am a lunkhead and don't understand 95% of the suggestions.

I did get a log file back with Hijack This but don't know what to do next.

Title: Re: SPYWARE (Help needed)
Post by forgetfulnot on Oct 19th, 2004, 2:06pm
no

Title: Re: SPYWARE (Help needed)
Post by Mark C on Oct 19th, 2004, 2:27pm
My pleasure...first run Cool Web Shredder which is here. (http://www.mushys.com/Mark/CWShredder.exe) Then run AdAwareSE which can be found here. (http://majorgeeks.com/downloadget.php?id=506&file=12&evp=8dbaff7daca8f4b55bf695220993fc0f) After the AdAware download be sure to hit the update button. You do not mention the operating system you have but I would recommend you run Adaware in "safe-mode". Instructions for how to get to safe mode here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam). It includes instructions for all OS

After you get it cleaned up I suggest SpyWare Blaster which does a pretty good job of preventing spyware from being downloaded in the first place. It can be found here (http://majorgeeks.com/downloadget.php?id=2859&file=12&evp=61b0e8ad41924a03c37615f4682b4cef)

I also contribute to SpyWare Forums and would be glad to look at your HiJackThis logs if you want me to. Hi Jack This can be found here (http://209.133.47.12/~merijn/files/HijackThis.exe).

It creates a notepad file which you can post, pm me or email me with.....I will be glad to help.

This is the beginning of my arsenal and this rids most PC's of the malware. If not, PM me and we will get a little more deep.

All of the above programs are free and I use them all on many different computers without trouble....so far. ;;D

Don, if you still have problems after my suggestions check your PMs....call me. I ain't found one of the bastards yet I can't kill....and I like it!

Spyware is becoming more a problem than Viri or Trojans are. I do not see how a "newbie" stands a chance. There are variants of this crap coming out almost daily and anybody who connects to the internet is at risk no matter what your OS or browser. This is something I do for fun...and it keeps everything at work clean....and it has started to actually pay. I have about 2 dozen computers I keep up and it seems I am working on them almost weekly. There is not a cure all yet but I will be glad to help if anyone needs it....I am getting pretty good at killing these bastards.. ;;D The shame is this crap is making the internet hell for almost everyone. Most PC's have spyware on them too. I suggest everyone run the programs, I bet they find something.

Safe Surfing,
Mark

Title: Re: SPYWARE (Help needed)
Post by Prense on Oct 19th, 2004, 2:40pm

on 10/19/04 at 11:39:13, don wrote:
Anybody know how to get rid of the "coolwww" browser hijacker?

Spyware scan picks it up, disables it, then it comes right back.

Is it a cookie in memory?


As Mark suggested, CWShredder will fix this.  There are manual ways of getting rid of it through hijackthis, but that can be tedious.

Personally, I do not use Internet Explorer at all.  One of the main reasons is because it is such a targeted piece of software (due to being so common).  There are many browsers available these days (virtually free and better than explorer).  Scout them out, and pick one that looks like it will meet your needs/wants.  I have been using Opera for quite a while now, and it does pretty good.  Tailoring it to work on some sites can be tricky and annoying, but overall, I like it.

There is a big difference between spyware and hijacks.  It is worth it to research how to protect your system before you have problems.  In the end, it is a huge investment in time.

Chris

Title: Re: SPYWARE (Help needed)
Post by alleyoop on Oct 19th, 2004, 3:10pm
Just wanted to say, Mark and Prense- damn good posts! Don, either one of those guys can get your puter straightened out. And once you do that, follow their preventative maintenance advice. Take it from someone who's been there, it'll pay off!

................alley

Title: Re: SPYWARE (Help needed)
Post by don on Oct 19th, 2004, 4:21pm
You guys are the best. This thing is wreaking havoc.

Fortunately it's not in my home computer but in the one at work. You know. The one I only use for searching for grant opportunities. (Ahem) Anyway I'll try this stuff tomorrow at work.

Thanks for all the help.

(You still suck )

Title: Re: SPYWARE (Help needed)
Post by Jonny on Oct 19th, 2004, 6:06pm

on 10/19/04 at 14:40:06, Prense wrote:
 I have been using Opera for quite a while now, and it does pretty good.


I've been using Opera for about two years, ever since Ueli told me it was better....and it is by far.

..............................jonny

Title: Re: SPYWARE (Help needed)
Post by don on Oct 20th, 2004, 11:30am
Holy Christ.

It took numerous attempts and reboots just to get to the download sites.

I think CW shredder got it.

Who's responsible for this shit anyway?

Title: Re: SPYWARE (Help needed)
Post by Rock_Lobster on Oct 20th, 2004, 12:27pm
CWS is a pay-per-click affiliate web search.  

Say I 'install' CWS on your PC.  Every time you search through CWS, I get a penny.

Thus, the old hackers/back door writers have turned their attention toward profit.  Every system they can get CWS onto (with their referral ID attached), they get money.  It does not matter how they get it onto your PC... exploits, viruses, backdoors are all fair game.

Title: Re: SPYWARE (Help needed)
Post by Mark C on Oct 20th, 2004, 7:41pm
The CoolWebSearch Chronicles (http://www.spywareinfo.com/~merijn/cwschronicles.html)

This is an article which details the variants of the browser hijacker known as CoolWebSearch (CWS). In the last few months, the people behind this name have succeeded in becoming (IMHO) an even bigger nuisance than the now infamous Lop.

The difficulty of removing CWS from a user's system has grown from slightly tricky in the first variant to virtually impossible for the latest few. Some of the variants even used methods of hiding and running themselves that had never been used before in any other spyware strains.

The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online. However, since the evil programmers of CWS have released over two dozen versions of their hijacker on the advertising market in such a short time, and are crunching out new ones steadily practically every week, this document might be out of date at times.



Title: Re: SPYWARE (Help needed)
Post by Rock_Lobster on Oct 21st, 2004, 8:21am
Nice site Mark.  
That is the guy who wrote (writes) CWShredder.  He notes:
Note that CWShredder is updated very often. If you have a copy that's more than a week old, check for an update first before emailing me it's not working well.


