Help! Nasty Spyware Problem

[salm]

Hi
I´ve got a really bad problem with a browser hijacking POS spyware.

the start page of my MS IE 6.0 is permanently changed back to:

(DONT VISIT THIS URL!!!)
+http://enucks.t.muxa.cc/%68%2E%70%68%70?%61%69%64=420

i tried to get rid of it with spybot and ad aware but as soon as i reboot my computer the hijacking continues.

i changed the registry keys:

HOMEOldSP
Search Bar
Search Page

from
(DONT VISIT THIS URL!!!)
+http://%65%6E%75%63%6B%73%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420

to about:blank
but when i reboot my computer the the hijacking continues and the keys are set back to the malicious site again.

what can i do?

[wautd]

did you already tried ad-aware or something? (proggy that finds and deletes spyware)

[General Zod]

try getting rid of all the cookies in your browser's cache and clearing your history? that might help some if ad-aware and spybot can't get it.

[Xon]

Grab spywareblaster, install that, update and apply all the imunizations (this will prevent known activeX spyware from being loaded by IE)

Grab adaware, update and do a search (there are some options which you will need to tweek). Will need to reboot after this.

Grab Spybot Search and Destroy here, update and do a search.

This should clean up almost all spyware infestations. Step 1 is often enough to stop the infestation, but steps 2 & 3 are needed to actually remove the crap.

[salm]

did you already tried ad-aware or something? (proggy that finds and deletes spyware)

i did ad aware and spybot. none of them were effective.

try getting rid of all the cookies in your browser's cache and clearing your history? that might help some if ad-aware and spybot can't get it.

nope. allready did that.

Grab spywareblaster, install that, update and apply all the imunizations (this will prevent known activeX spyware from being loaded by IE)

grab adaware, update and do a search (there are some options which you will need to tweek). Will need to reboot after this.

Grab Spybot Search and Destroy here, update and do a search.

This should clean up almost all spyware infestations. Step 1 is often enough to stop the infestation, but steps 2 & 3 are needed to actually remove the crap.

ok, i haven´t got spywareblaster. thanks for that one. i´ll get it. the other two don´t work for that problem.

but in the meantime i found out how to get rid of the problem.
i got CWSHREDDER and since then the problem is gone.
dis CWShredder apparantly get´s rid of all the "cool web search" spyware crap of which this muxa.cc thing is part of. you can stop "cool web search" stuff from installing on your computer by deleting Java Virtual Machine (JVM).

[General Zod]

or get a firewall maybe. unfortunately for some of us JVM is an essential component to have.

[Faram]

or get a firewall maybe. unfortunately for some of us JVM is an essential component to have.

A firewall will do nada against this, and JVM is a POS that is better of purged.

MS purge the shit out of java tool here

Note if you remove JVm with this you CANNOT reinstall it.

[phongn]

I assume you meant the Microsoft JVM versus Sun's JRE?

[salm]

now i´ve got something even worse. something that uses the MSHTA.EXE to install crap on my computer and send me popups. apparantly it´s this:

A file is dropped onto the infected system using ActiveX drive by, the file is run, and then immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.

source

and i don´t know how to get rid of it.

that´s it. i´m getting mozilla now.

[Faram]

Get TDS-3 it sure sounds like you have a trojan or two on your computer.

http://tds.diamondcs.com.au/

And phongn I meant MS JVM.

[phongn]

Run HijackThis! and post the log here.

[Einhander Sn0m4n]

http://www.spywareinfo.com/articles/hij ... revent.php

Read this. Then get Mozilla and KILL THE M$ JVM POS!

[Xon]

now i´ve got something even worse. something that uses the MSHTA.EXE to install crap on my computer and send me popups. apparantly it´s this.

Thats why you use Spywareblaster! It stops the common drive by installations in the 1st place.

[Crayz9000]

Or just stop using that train-wreck of a browser called Internet Explorer.

[wautd]

When everything else fails

[Vertigo1]

now i´ve got something even worse. something that uses the MSHTA.EXE to install crap on my computer and send me popups. apparantly it´s this:

A file is dropped onto the infected system using ActiveX drive by, the file is run, and then immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.

source

and i don´t know how to get rid of it.

that´s it. i´m getting mozilla now.

Well, you can actually delete the activex control located in %systemroot%\Downloaded Program Files (where %systemroot% = Where you installed Windows, such as C:\Windows or C:\WinNT). Then kill MSHTA.exe via task manager and re-name it to something else....like MSHTA2.exe or something like that.

Mozilla is the solution. Be sure to get the regular Mozilla package if you want to use Mozilla Mail (which is FAR more secure against Outlook (any version). Its got a little more bloat than FireFox (which is just the browser component), but its a smaller download to just get Mozilla than FireFox and Thunderbird seperately. (oh the irony) On my XP2800, I don't even notice the loading time as it loads instantly. (no, I don't have quicklaunch enabled)

[Praxis]

*Praxis looks at the web page he's not supposed to*
*Nothing happens*
*Praxis hits the back button*
*Praxis smiles at his Mac w/Safari and popup blocking built in...*


Since (if I remember right) Safari has the same engine as Mozilla, I would recommend that- web pages load FAST.
I use Mozilla Firebird on my Winblows computer, personally. Firebird (known now as FireFox) is handy for its IE like interface so you don't have to change much.

[phongn]

Since (if I remember right) Safari has the same engine as Mozilla, I would recommend that- web pages load FAST.
I use Mozilla Firebird on my Winblows computer, personally. Firebird (known now as FireFox) is handy for its IE like interface so you don't have to change much.

Safari uses the KHTML rendering engine (also seen in Konqueror), not Gecko (Firefox, Mozilla, et. al)

[Alyeska]

Or just stop using that train-wreck of a browser called Internet Explorer.

There is standing rules for people to not make this very statement. Those of us who use IE use it and be damned if other people will trash talk our choice.

[darthdavid]

He'd already said he was using mozzie so what's j00r problem ? That would be like if someone in a carforum asked for help with their reno le car, realized it wasn't worth it and then someone else came in and started getting angry at the "le car bashers".

[Crayz9000]

There is standing rules for people to not make this very statement. Those of us who use IE use it and be damned if other people will trash talk our choice.

Oh, so there's a new rule in the SDN rulebook: Don't talk shit about IE.

Wonderful.

Look, when almost every goddamned browser exploit on the Internet (there are a few stale Mozilla exploits as I recall) is tailored for one single browser, on one single operating system, there is a serious problem with that browser.

It has a horrid security model by default, which must be changed if you want to use it regularly. (Why should you have to fix that? It should be secure by default!) It uses a wonderfully buggy implementation of Java by default, although that is fortunately going out the door soon. (Won't help the millions of already existing installs.) It has more HTML parsing bugs than you can shake a fist at, and some have taken months to get fixed. (Again, why?) And finally, to fix some of these issues, you need to get and run third-party software (Spybot S&D, SpywareBlaster, et al) regularly. That simply should not be necessary.

I'm just calling a spade a spade; I'm not trying to insult you. If you want to use it, fine, but don't say you haven't been warned.

(Personally, I only use IE now when A) running Windows Update, or B) developing Web pages.)

[phongn]

Or just stop using that train-wreck of a browser called Internet Explorer.

There is standing rules for people to not make this very statement. Those of us who use IE use it and be damned if other people will trash talk our choice.

I was not aware that there were rules against making such a statement.

[Pu-239]

KHTML blows when it comes to compatibility and progressive rendering for those of us over dialup.

[Alyeska]

Or just stop using that train-wreck of a browser called Internet Explorer.

There is standing rules for people to not make this very statement. Those of us who use IE use it and be damned if other people will trash talk our choice.

I was not aware that there were rules against making such a statement.

I've seen two threads closed because of people started bad mouthing IE when the thread creator stated they wanted to keep it.

[salm]

Get TDS-3 it sure sounds like you have a trojan or two on your computer.

http://tds.diamondcs.com.au/

And phongn I meant MS JVM.

i did that. it found several suspicious files which i deleted and something called bb.exe which was one of these "buddies" (i forgot the whole name). thanks for that program.