
spyware / malware problem



schmosef
22nd July 2004, 13:02
Hi Guys,

A friend of mine is having a problem with IE (yeah, yeah, IE bad) in that his home page is redirected to ssearch.biz.

I've run spybot and a bunch of other similar programs but they don't detect anything.

Has anyone heard of this or can anyone maybe suggest a strategy to fix this?

Thanks.

J1NG
22nd July 2004, 13:09
Have a look in the hosts file and see if that has got his home page to redirect to ssearch.biz instead. If it is, just delete and scan once more to check for anything.

J1NG
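The hosts-file check J1NG describes is easy to automate. The script below is an added example, not something posted in this thread: it parses a hosts file, ignores comments, and reports any hostname (other than localhost-style names) that is mapped to an address that is neither loopback nor the 0.0.0.0 null route, which is exactly the shape a home-page or search-engine redirect takes. The sample hosts text, the 203.0.113.7 address and the example hostnames are constructed for the demonstration.

```python
import ipaddress
import os

# Constructed sample hosts file (not from the thread). The two 203.0.113.7
# lines are the shape a browser hijacker's redirect entries take.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com
203.0.113.7     search.msn.com   # trailing comment after the entry
0.0.0.0         ads.example.net
"""

# Names that are expected to point at loopback and are never a redirect.
LOCAL_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")


def default_hosts_path():
    """Location of the live hosts file on Windows (SystemRoot) or Unix."""
    system_root = os.environ.get("SystemRoot")
    if system_root:
        return os.path.join(system_root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return [(address, [hostnames])] for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # malformed line: no hostname
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def is_redirect(address):
    """True when the address sends traffic somewhere other than loopback or the null route."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True                           # not even a valid IP literal: flag it
    return not (ip.is_loopback or ip.is_unspecified)


def suspicious_entries(text):
    """[(hostname, address)] for hostnames redirected to a real address."""
    findings = []
    for address, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if is_redirect(address):
                findings.append((name, address))
    return findings


def audit_hosts_file(path=None):
    """Read the live hosts file and return its suspicious entries."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {addr}")
```

Run it with no arguments to see the two constructed redirect entries; call `audit_hosts_file()` to check the machine's own hosts file. Entries pointing at 0.0.0.0 or 127.0.0.1 are skipped because that is how legitimate ad-blocking hosts lists work, but a list of an antivirus vendor's update hosts mapped to those addresses is also worth a look, so review the parsed entries in full if the machine cannot update its scanners.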

Tjalfe
22nd July 2004, 13:39
Sounds like what I had a few months ago... ran all sorts of cleaners + NAV2004, which all found the culprit, but it returned after a reboot... I ended up reinstalling.

Paddy
22nd July 2004, 13:40
If you've run Spybot, have you run Ad-Aware?

schmosef
22nd July 2004, 13:45
Originally posted by Paddy
If you've run Spybot, have you run Ad-Aware?

He says he's run AdAware.

As for it being a hosts file issue, I'll check.

Something I forgot to mention is that it also disables the forward and back buttons in IE.

Paddy
22nd July 2004, 14:24
It definitely sounds dodgy :)

DirtFarmer
22nd July 2004, 16:59
Make sure he is running the latest versions of Spybot Search & Destroy and Ad-Aware. Make sure reference files are up to date. Another good cleaner for CoolWebSearch type hijacks is CWShredder. If all else fails, download and run HijackThis and post the log files from the scan to see what all is going on.

<edit typo>

TransformX
22nd July 2004, 17:13
It's a DLL (don't remember which) in the system directory that can't be deleted unless you:
1. Run the command line
2. Kill the Explorer process
3. Use the command line to delete the DLL
4. Use Task Manager to relaunch Explorer

I had something like that a few weeks ago at work.

TransformX
22nd July 2004, 17:17
Do a search on the Windows directory for files that have been changed/created during the last x days (since he caught the 'virus').
You'll probably find the DLL that way.
Cut and paste the DLL name into Google before deleting. If it's part of Windows, Google will tell you.
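The "recently changed files in the Windows directory" search TransformX suggests, as an added example that is not part of the original post. The script walks a directory tree, keeps files whose modification time falls inside the last N days (filtered to DLL/EXE/OCX by default), and lists them newest first so the handful of files dropped since the infection stand out from the thousands of untouched system files. The `build_sample_tree` helper constructs a throwaway directory with one fresh DLL, one old DLL and one fresh text file so the scan can be tried without touching a real system.

```python
import os
import sys
import tempfile
import time

DAY = 86400
DEFAULT_EXTENSIONS = (".dll", ".exe", ".ocx")


def recently_changed(root, days, extensions=DEFAULT_EXTENSIONS):
    """Return [(path, mtime)] for files under root modified within the last `days` days.

    Only st_mtime is used: on Linux st_ctime is inode-change time, which is
    reset by any attribute change, so it does not reliably mean "created".
    Pass extensions=() to include every file type.
    """
    cutoff = time.time() - days * DAY
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if extensions and not filename.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, filename)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:            # unreadable or vanished file: skip, keep scanning
                continue
            if mtime >= cutoff:
                hits.append((path, mtime))
    hits.sort(key=lambda hit: hit[1], reverse=True)   # newest first
    return hits


def recent_names(root, days, extensions=DEFAULT_EXTENSIONS):
    """Convenience wrapper: just the file names, newest first."""
    return [os.path.basename(path) for path, _ in recently_changed(root, days, extensions)]


def build_sample_tree():
    """Constructed demo directory (hypothetical names): one fresh DLL, one 40-day-old DLL, one fresh text file."""
    root = tempfile.mkdtemp(prefix="recent-scan-demo-")
    now = time.time()
    samples = {
        "fresh.dll": now - 3600,       # changed an hour ago: should be reported
        "old.dll": now - 40 * DAY,     # changed 40 days ago: should be ignored for days <= 39
        "notes.txt": now,              # fresh but not a DLL/EXE/OCX: reported only with extensions=()
    }
    for name, mtime in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    # Usage: python recent_scan.py [directory] [days]
    # With no arguments, scans %SystemRoot% on Windows (or / elsewhere) for the last 7 days.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", "/")
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    for path, mtime in recently_changed(target, days):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

Look up any name you do not recognise before deleting it, as the post advises; a legitimate Windows Update run also leaves plenty of fresh DLLs, so the date of the infection is the useful cutoff, not "anything recent".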

schmosef
23rd July 2004, 05:09
Thanks, I'll try all your suggestions and get back to you.

Byock
23rd July 2004, 07:28
That can be a real pain. Had that problem, where my default page always changed to about:blank but would bring up a ton of popups.

I searched for a day or so, then just reinstalled windows, and Firefox. :rolleyes:

UtwigMU
23rd July 2004, 07:54
Download Process Explorer from sysinternals.com and Google for processes and which .dlls they use.

Google for processes and you should get to removal instructions.

Recently CoolWebSearch has grown to the point that it cannot be automatically removed, and removal is similar to what TransformX suggested.

G400SG16mb
24th July 2004, 00:41
schmosef, after you've got rid of the spyware, tell him to use Firefox ( http://www.mozilla.org ), it is far more secure & very unlikely to let through more spyware :)

TransformX
25th July 2004, 02:45
Any updates ?

schmosef
25th July 2004, 12:09
Not yet, I left the PC at my office and didn't get a chance to go back this weekend. I'll be toying with it tomorrow morning. Tx, your suggestion sounds very promising. Thanks.

High_Jumbllama
25th July 2004, 13:01
Check the "Downloaded Program Files" directory inside your Windows or WinNT directory. Delete anything there except for maybe Flash or things you know what they are. If that doesn't work, delete everything in there. That's a favorite hiding spot for these things.

windigo
26th July 2004, 13:23
You might try looking for mybar.dll, or in the registry for MasterParadise. This is a trojan and installs itself in several places in case you uninstall the MyBar search tool. Norton finds it sometimes, Kaspersky too, but not always, and may not be able to delete it. Log in in safe mode as Administrator to do this search. Hope this helps :p

UtwigMU
26th July 2004, 15:49
Also compare time to reinstall Windows/reimage a drive to fix problems.

Sometimes a reformat may take less time.

schmosef
14th August 2004, 16:16
Well...

I've been too busy with programming work to look into this until today. I think the delay was a bit of a blessing because, unlike before, a Google search provided plenty of hits of people complaining about this specific problem. Not many people had solutions though. After reading what must have been dozens of threads of people painstakingly going through all the motions to identify and eliminate this hijack, I found the solution.

There's a new program called "AdwareAway" and it has a specific remover for the hijack in question. Man was I happy.

He had a ton of viruses (trojans, backdoor worms, etc.) that I removed for him too.

I'm glad I could help this guy. He was my English teacher in grades 10 and 12 and I learned a lot from him. I ran into him recently at Hillcrest mall and gave him my card. I'm glad he thought to call me when he had this problem and I'm glad I was able to resolve it, with everyone's help here too.

Thank you very much everybody for all your advice and suggestions. I've learned a lot about malware through this process.