Help! Nasty Spyware Problem

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Moderator: Thanas

salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Help! Nasty Spyware Problem

Post by salm »

Hi
I've got a really bad problem with a browser-hijacking POS spyware.

The start page of my MS IE 6.0 is permanently changed back to:

(DONT VISIT THIS URL!!!)
+http://enucks.t.muxa.cc/%68%2E%70%68%70?%61%69%64=420

I tried to get rid of it with Spybot and Ad-Aware, but as soon as I reboot my computer the hijacking continues.

I changed the registry keys:

HOMEOldSP
Search Bar
Search Page

from
(DONT VISIT THIS URL!!!)
+http://%65%6E%75%63%6B%73%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420

to about:blank
but when I reboot my computer the hijacking continues and the keys are set back to the malicious site again.

What can I do? :cry:
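The two URLs above are the same site: the second one just hides the host behind percent-encoding (%65%6E%75%63%6B%73 is "enucks"), which is why a glance at the registry can miss it. The script below is an added example, not something from this thread or from any of the tools named in it. It parses a regedit-style .reg export of the Internet Explorer\Main key, percent-decodes each of the start/search values mentioned in the post (plus "Start Page", the IE value that holds the home page), and reports any whose decoded host is not on an allow-list. The .reg text and the allow-list are constructed for the example; the two URLs in it are the ones quoted in the post. Running such a check after each reboot shows at once whether the keys are still being reset.

```python
r"""
Added example (not from the thread): audit an exported .reg snippet of
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main for start/search
values that point somewhere they should not. The hijacker in the thread hid
its host behind percent-encoding, so every value is decoded before it is
compared with an allow-list.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Value names the post says the hijacker kept rewriting, plus "Start Page",
# the IE value that holds the home page. Compared case-insensitively.
WATCHED_VALUES = {"start page", "search page", "search bar", "homeoldsp"}

# Constructed allow-list: hosts the user actually chose. Adjust to taste.
ALLOWED_HOSTS = {"google.com"}
SPECIAL_OK = {"about:blank"}

# Constructed .reg export for the example; the two URLs are the ones quoted
# in the post (do not visit them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://enucks.t.muxa.cc/%68%2E%70%68%70?%61%69%64=420"
"Search Page"="http://%65%6E%75%63%6B%73%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
"Search Bar"="about:blank"
"HOMEOldSP"="about:blank"
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping regedit applies to exported strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values from a .reg export into {key: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def canonical_url(raw: str) -> str:
    """Percent-decode until stable so a doubly encoded host still surfaces."""
    url = raw.strip()
    for _ in range(5):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def url_host(url: str) -> Optional[str]:
    """Lower-cased host of a URL, or None for about:blank, file paths, etc."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_allowed(raw: str) -> bool:
    """True only for about:blank or a URL whose decoded host is on the allow-list."""
    canon = canonical_url(raw)
    if canon.lower() in SPECIAL_OK:
        return True
    host = url_host(canon)
    if host is None:          # not a URL at all (e.g. a local file path): review it
        return False
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def audit(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, decoded URL, host) for every watched value that fails the allow-list."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().endswith(r"\internet explorer\main"):
            continue
        for name, data in values.items():
            if name.lower() in WATCHED_VALUES and not is_allowed(data):
                canon = canonical_url(data)
                findings.append((name, canon, url_host(canon) or ""))
    return findings


if __name__ == "__main__":
    for name, url, host in audit(SAMPLE_REG):
        print(f"{name}: {url}  (host {host})")
```

On the sample export the audit flags "Start Page" and "Search Page" and shows both resolving to enucks.t.muxa.cc, while the two values already reset to about:blank pass. Decoding is repeated until the string stops changing so that a doubly encoded host is not waved through; a value that is not a URL at all is reported rather than silently accepted.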
wautd
Emperor's Hand
Posts: 7593
Joined: 2004-02-11 10:11am
Location: Intensive care

Post by wautd »

Did you already try Ad-Aware or something? (proggy that finds and deletes spyware)
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

Try getting rid of all the cookies in your browser's cache and clearing your history? That might help some if Ad-Aware and Spybot can't get it.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
Xon
Sith Acolyte
Posts: 6206
Joined: 2002-07-16 06:12am
Location: Western Australia

Post by Xon »

Grab SpywareBlaster, install that, update and apply all the immunizations (this will prevent known ActiveX spyware from being loaded by IE).

Grab Ad-Aware, update and do a search (there are some options which you will need to tweak). You will need to reboot after this.

Grab Spybot Search and Destroy here, update and do a search.

This should clean up almost all spyware infestations. Step 1 is often enough to stop the infestation, but steps 2 & 3 are needed to actually remove the crap.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

wautd wrote:Did you already try Ad-Aware or something? (proggy that finds and deletes spyware)
I did Ad-Aware and Spybot. Neither of them was effective.
Darth_Zod wrote:Try getting rid of all the cookies in your browser's cache and clearing your history? That might help some if Ad-Aware and Spybot can't get it.
Nope. Already did that.

ggs wrote:Grab SpywareBlaster, install that, update and apply all the immunizations (this will prevent known ActiveX spyware from being loaded by IE).

Grab Ad-Aware, update and do a search (there are some options which you will need to tweak). You will need to reboot after this.

Grab Spybot Search and Destroy here, update and do a search.

This should clean up almost all spyware infestations. Step 1 is often enough to stop the infestation, but steps 2 & 3 are needed to actually remove the crap.
OK, I haven't got SpywareBlaster. Thanks for that one, I'll get it. The other two don't work for that problem.

But in the meantime I found out how to get rid of the problem.
I got CWShredder and since then the problem is gone.
This CWShredder apparently gets rid of all the "Cool Web Search" spyware crap of which this muxa.cc thing is a part. You can stop "Cool Web Search" stuff from installing on your computer by deleting the Java Virtual Machine (JVM).
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

Or get a firewall maybe. Unfortunately for some of us the JVM is an essential component to have.
Faram
Bastard Operator from Hell
Posts: 5271
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

Darth_Zod wrote:Or get a firewall maybe. Unfortunately for some of us the JVM is an essential component to have.
A firewall will do nada against this, and the JVM is a POS that is better off purged.

MS purge the shit out of Java tool here

Note: if you remove the JVM with this you CANNOT reinstall it.

"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus


Fear is the mother of all gods.

Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

I assume you meant the Microsoft JVM versus Sun's JRE?
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

Now I've got something even worse: something that uses MSHTA.EXE to install crap on my computer and send me popups. Apparently it's this:
A file is dropped onto the infected system using ActiveX drive by, the file is run, and then immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.
source

and I don't know how to get rid of it.

That's it. I'm getting Mozilla now.
Faram
Bastard Operator from Hell
Posts: 5271
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

Get TDS-3; it sure sounds like you have a trojan or two on your computer.

http://tds.diamondcs.com.au/

And phongn, I meant the MS JVM.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Run HijackThis! and post the log here.
Einhander Sn0m4n
Insane Railgunner
Posts: 18630
Joined: 2002-10-01 05:51am
Location: Louisiana... or Dagobah. You know, where Yoda lives.

Post by Einhander Sn0m4n »

http://www.spywareinfo.com/articles/hij ... revent.php

Read this. Then get Mozilla and KILL THE M$ JVM POS!
Xon
Sith Acolyte
Posts: 6206
Joined: 2002-07-16 06:12am
Location: Western Australia

Post by Xon »

salm wrote:Now I've got something even worse: something that uses MSHTA.EXE to install crap on my computer and send me popups. Apparently it's this.
That's why you use SpywareBlaster! It stops the common drive-by installations in the first place.
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Or just stop using that train-wreck of a browser called Internet Explorer.
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
wautd
Emperor's Hand
Posts: 7593
Joined: 2004-02-11 10:11am
Location: Intensive care

Post by wautd »

Vertigo1
Defender of the Night
Posts: 4720
Joined: 2002-08-12 12:47am
Location: Tennessee, USA

Post by Vertigo1 »

salm wrote:Now I've got something even worse: something that uses MSHTA.EXE to install crap on my computer and send me popups. Apparently it's this:
A file is dropped onto the infected system using ActiveX drive by, the file is run, and then immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into "hot standby", ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.
source

and I don't know how to get rid of it.

That's it. I'm getting Mozilla now.
Well, you can actually delete the ActiveX control located in %systemroot%\Downloaded Program Files (where %systemroot% = where you installed Windows, such as C:\Windows or C:\WinNT). Then kill MSHTA.exe via Task Manager and rename it to something else, like MSHTA2.exe or something like that.

Mozilla is the solution. Be sure to get the regular Mozilla package if you want to use Mozilla Mail (which is FAR more secure than Outlook, any version). It's got a little more bloat than Firefox (which is just the browser component), but it's a smaller download to just get Mozilla than Firefox and Thunderbird separately. (Oh the irony.) On my XP2800, I don't even notice the loading time as it loads instantly. :) (No, I don't have Quick Launch enabled.)
"I once asked Rebecca to sing Happy Birthday to me during sex. That was funny, especially since I timed my thrusts to sync up with the words. And yes, it was my birthday." - Darth Wong

Leader of the SD.Net Gargoyle Clan | Spacebattles Firstone | Twitter
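Renaming MSHTA.EXE, as Vertigo1 suggests, breaks every legitimate HTA on the box. On a machine you administer, a less drastic option is to watch for mshta being started the way the quoted description says (by a dropped file rather than by the user, or with a URL instead of a local .hta file) and treat that as the signal to clean up. The script below is an added example, not from this thread or from any named tool: it runs that heuristic over process-creation records. The record layout (timestamp, parent image, image, command line) and all sample rows are constructed for the example and are not any real log format; the one URL is the hijacker address quoted earlier in the thread.

```python
r"""
Added example (not from the thread): flag MSHTA.EXE launches that look like the
drive-by pattern described in the thread, i.e. mshta started by a freshly
dropped file or by the browser, or handed a URL / inline script instead of a
local .hta file. Records are constructed; the field layout is a simplification,
not any real event-log schema.
"""
import csv
import io
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample records (not real logs). Fields: timestamp, parent image,
# image, command line.
SAMPLE_LOG = r"""timestamp,parent_image,image,command_line
2004-05-01T10:00:01,C:\WINDOWS\explorer.exe,C:\WINDOWS\system32\mshta.exe,mshta.exe C:\Program Files\Vendor\setup.hta
2004-05-01T10:02:13,C:\WINDOWS\Downloaded Program Files\ax0.exe,C:\WINDOWS\mshta.exe,mshta.exe http://enucks.t.muxa.cc/h.php?aid=420
2004-05-01T10:02:14,C:\Program Files\Internet Explorer\iexplore.exe,C:\WINDOWS\system32\mshta.exe,mshta.exe C:\DOCUME~1\salm\LOCALS~1\Temp\page.hta
2004-05-01T10:05:00,C:\DOCUME~1\salm\LOCALS~1\Temp\dropper.exe,C:\WINDOWS\system32\mshta.exe,mshta.exe C:\DOCUME~1\salm\LOCALS~1\Temp\update.hta
2004-05-01T10:07:00,C:\WINDOWS\explorer.exe,C:\WINDOWS\system32\notepad.exe,notepad.exe readme.txt
"""

BROWSERS = {"iexplore.exe", "mozilla.exe", "firefox.exe"}
# Directory names (path components, lower-cased) that a trusted installer
# would not normally run from.
UNTRUSTED_DIRS = {"temp", "downloaded program files", "temporary internet files"}
# mshta accepts URLs and inline script protocols as well as local .hta files;
# a URL argument is the drive-by shape the thread describes.
REMOTE_OR_INLINE = ("http:", "https:", "javascript:", "vbscript:")


def is_mshta(image: str) -> bool:
    """True when the executed image is mshta.exe, wherever it lives."""
    return PureWindowsPath(image).name.lower() == "mshta.exe"


def reasons(rec: Dict[str, str]) -> List[str]:
    """Reasons a single process-creation record looks like abused mshta (empty if none)."""
    out: List[str] = []
    if not is_mshta(rec["image"]):
        return out
    cmd = rec["command_line"].lower()
    if any(marker in cmd for marker in REMOTE_OR_INLINE):
        out.append("mshta given a URL or inline script instead of a local .hta file")
    parent = PureWindowsPath(rec["parent_image"])
    if parent.name.lower() in BROWSERS:
        out.append(f"launched directly by browser {parent.name}")
    parent_dirs = {part.lower() for part in parent.parent.parts}
    if parent_dirs & UNTRUSTED_DIRS:
        out.append(f"parent runs from untrusted directory {parent.parent}")
    return out


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run the heuristic over CSV records and return the suspicious ones with reasons."""
    findings: List[Dict[str, object]] = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        why = reasons(rec)
        if why:
            findings.append({
                "timestamp": rec["timestamp"],
                "parent": rec["parent_image"],
                "command_line": rec["command_line"],
                "reasons": why,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['command_line']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

Of the five constructed records, the first (Explorer starting a vendor's local .hta) and the last (Notepad) pass; the record launched from Downloaded Program Files with a URL argument gets two reasons, and the browser-launched and Temp-launched ones get one each. The parent-directory check works on path components rather than substrings so that a folder merely containing "temp" in its name is not matched.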
Praxis
Sith Acolyte
Posts: 6012
Joined: 2002-12-22 04:02pm

Post by Praxis »

*Praxis looks at the web page he's not supposed to*
*Nothing happens*
*Praxis hits the back button*
*Praxis smiles at his Mac w/Safari and popup blocking built in...*
:lol:

Since (if I remember right) Safari has the same engine as Mozilla, I would recommend that: web pages load FAST.
I use Mozilla Firebird on my Winblows computer, personally. Firebird (known now as Firefox) is handy for its IE-like interface, so you don't have to change much.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Praxis wrote:Since (if I remember right) Safari has the same engine as Mozilla, I would recommend that: web pages load FAST.
I use Mozilla Firebird on my Winblows computer, personally. Firebird (known now as Firefox) is handy for its IE-like interface, so you don't have to change much.
Safari uses the KHTML rendering engine (also seen in Konqueror), not Gecko (Firefox, Mozilla, et al.).
Alyeska
Federation Ambassador
Posts: 17496
Joined: 2002-08-11 07:28pm
Location: Montana, USA

Post by Alyeska »

Crayz9000 wrote:Or just stop using that train-wreck of a browser called Internet Explorer.
There are standing rules for people not to make this very statement. Those of us who use IE use it, and be damned if other people will trash-talk our choice.
"If the facts are on your side, pound on the facts. If the law is on your side, pound on the law. If neither is on your side, pound on the table."

"The captain claimed our people violated a 4,000 year old treaty forbidding us to develop hyperspace technology. Extermination of our planet was the consequence. The subject did not survive interrogation."
darthdavid
Pathetic Attention Whore
Posts: 5470
Joined: 2003-02-17 12:04pm
Location: Bat Country!

Post by darthdavid »

He'd already said he was using Mozzie, so what's j00r problem? That would be like if someone in a car forum asked for help with their Renault Le Car, realized it wasn't worth it, and then someone else came in and started getting angry at the "Le Car bashers".
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Alyeska wrote:There are standing rules for people not to make this very statement. Those of us who use IE use it, and be damned if other people will trash-talk our choice.
Oh, so there's a new rule in the SDN rulebook: Don't talk shit about IE.

Wonderful.

Look, when almost every goddamned browser exploit on the Internet (there are a few stale Mozilla exploits as I recall) is tailored for one single browser, on one single operating system, there is a serious problem with that browser.

It has a horrid security model by default, which must be changed if you want to use it regularly. (Why should you have to fix that? It should be secure by default!) It uses a wonderfully buggy implementation of Java by default, although that is fortunately going out the door soon. (Won't help the millions of already existing installs.) It has more HTML parsing bugs than you can shake a fist at, and some have taken months to get fixed. (Again, why?) And finally, to fix some of these issues, you need to get and run third-party software (Spybot S&D, SpywareBlaster, et al) regularly. That simply should not be necessary.

I'm just calling a spade a spade; I'm not trying to insult you. If you want to use it, fine, but don't say you haven't been warned.

(Personally, I only use IE now when A) running Windows Update, or B) developing Web pages.)
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Alyeska wrote:
Crayz9000 wrote:Or just stop using that train-wreck of a browser called Internet Explorer.
There are standing rules for people not to make this very statement. Those of us who use IE use it, and be damned if other people will trash-talk our choice.
I was not aware that there were rules against making such a statement.
Pu-239
Sith Marauder
Posts: 4727
Joined: 2002-10-21 08:44am
Location: Fake Virginia

Post by Pu-239 »

KHTML blows when it comes to compatibility and progressive rendering for those of us over dialup.

ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost if a missile will also be shot at with missiles. -Sea Skimmer


George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Alyeska
Federation Ambassador
Posts: 17496
Joined: 2002-08-11 07:28pm
Location: Montana, USA

Post by Alyeska »

phongn wrote:
Alyeska wrote:
Crayz9000 wrote:Or just stop using that train-wreck of a browser called Internet Explorer.
There are standing rules for people not to make this very statement. Those of us who use IE use it, and be damned if other people will trash-talk our choice.
I was not aware that there were rules against making such a statement.
I've seen two threads closed because people started bad-mouthing IE when the thread creator stated they wanted to keep it.
salm
Rabid Monkey
Posts: 10296
Joined: 2002-09-09 08:25pm

Post by salm »

Faram wrote:Get TDS-3; it sure sounds like you have a trojan or two on your computer.

http://tds.diamondcs.com.au/

And phongn, I meant the MS JVM.
I did that. It found several suspicious files, which I deleted, and something called bb.exe which was one of these "buddies" (I forgot the whole name). Thanks for that program.