jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Tue Jun 29, 2004 4:44 pm Post subject: SpyDeleter v2.0 ~~~ PLEASE REPLY!!!
Ok,
The Summary of how I got it goes something like this:
My mom was online while I was watching TV and she got a pornographic pop-up and she knew what spyware was so somehow she saw a link to d/l this "SpyDeleter". Well, she downloaded it and now we have it up and running. It doesn't seem to be doing any harm and it is too soon to tell if it has done good. Can someone PLEASE tell me everything you know about this "SpyDeleter". I have done some research and found some good and some bad. PLEASE....anything you know would be helpful.... heck, she paid $30 for it so I'm hoping someone will have something to say!
Again..... ANYTHING you know... please share!!!!!!
thanks......... Josh

suzi Site Admin
Joined: 27 Jul 2003 Last Visit: 01 Sep 2010 Posts: 10722 Location: sunny California
Posted: Tue Jun 29, 2004 9:06 pm
Hi Josh,
Please read and follow the directions in this thread for using Ad-aware, Spybot Search & Destroy and HijackThis.
http://www.spywarewarrior.com/viewtopic.php?t=10
After you run HijackThis, post your reply in this thread with the log.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.

jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Wed Jun 30, 2004 11:28 am
ok.... I got it and I'm not exactly sure what to put, but I think this is my log... oh and I have run both Spybot AND Ad-aware before running HijackThis if that helps....
Logfile of HijackThis v1.98.0
Scan saved at 2:26:01 PM, on 6/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HFP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\TEMP\Y1LIGXKQ.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\81XGHLPI.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\CS4P028.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE
C:\WINDOWS\TEMP\MSBB.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.csweb.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.csweb.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CSWEB.NET
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\4HTIGLEF0B.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\CLEARS~1\CSIE.DLL
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM218.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH13218.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [booeaz] C:\WINDOWS\APPLIC~1\thtssglg.exe -QuieT
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [Detect] C:\Josh's Stuff\Miscelaneous Downloaded Software\idetect.exe /auto
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [Y1LIGXKQ] C:\WINDOWS\TEMP\Y1LIGXKQ.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [zqijuiw] C:\WINDOWS\SYSTEM\zpfujj.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [cbwau] C:\WINDOWS\cbwau.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [81xghlpi] C:\WINDOWS\SYSTEM\81xghlpi.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [hfprog] hfp.exe
O4 - HKLM\..\RunServices: [Detect] C:\Josh's Stuff\Miscelaneous Downloaded Software\idetect.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Search.vbs
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurokazaa\local.htm (file missing)
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\PROGRAM FILES\WHISTLESOFTWARE\WSELSERVICES\WEBBAND.DLL (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH13218.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.csweb.net/
O19 - User stylesheet: (file missing)
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Wed Jun 30, 2004 11:30 am
Ok, so that was my log I think.... and please act like you're talking to a 5-year-old because I have absolutely NO IDEA what to do.... lol, thanks in advance..... I'm soo glad I found this forum.

Myung SWW Undergraduate
Joined: 31 May 2004 Last Visit: 19 Nov 2009 Posts: 25
Posted: Wed Jun 30, 2004 2:34 pm
Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy please.
Read this page if you need help: http://www.netstar.me.uk/hjt/hjt.html
You have a variant of the CoolWebSearch trojan. Please download CWShredder by Merijn from here:
http://spywarewarrior.com/files/CWShredder.exe
After downloading it, run the program by clicking the "Fix" button and let it fix all variants.
Then post a new log after doing that.

jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Wed Jun 30, 2004 3:40 pm
Ok, my computer got sooo screwed up that I got really frustrated and just ran HijackThis and deleted everything. My comp doesn't seem to be negatively affected. Ok... so after running the CWShredder and HijackThis...... here is my log.....:
Logfile of HijackThis v1.98.0
Scan saved at 6:38:22 PM, on 6/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HFP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\CARPSERV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\Y1LIGXKQ.EXE
C:\WINDOWS\SYSTEM\A.EXE
C:\WINDOWS\SYSTEM\ZPFUJJ.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\IDIS400O.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
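
An added example, not part of any participant's post: one way to compare a before and after HijackThis log such as the two posted above, to see which entries a fix pass removed, which remain, and which processes are still loaded even though their startup entry is gone. The names `parse`, `compare`, `BEFORE` and `AFTER` are hypothetical, the log text is a shortened excerpt of the logs in this thread, and the script does not judge whether an entry is malicious.

```python
import re
# Shortened excerpts of the two HijackThis logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\Y1LIGXKQ.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
O4 - HKLM\..\Run: [Y1LIGXKQ] C:\WINDOWS\TEMP\Y1LIGXKQ.EXE
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TEMP\Y1LIGXKQ.EXE
C:\WINDOWS\SYSTEM\A.EXE
C:\HJT\HIJACKTHIS.EXE
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # "O4 - HKLM\..\Run: [name] path"

def parse(log):
    """Return (running process paths, set of (code, detail) entries)."""
    procs, entries, in_procs = set(), set(), False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.add(m.groups())
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.add(line.upper())
    return procs, entries

def compare(before, after):
    """Show what a fix pass removed, what it left, and what is still loaded."""
    _, b_entries = parse(before)
    a_procs, a_entries = parse(after)
    # Executables that an O4 (autostart) entry in the first log pointed at.
    autostart = {d.split("] ", 1)[1].upper() for c, d in b_entries if c == "O4" and "] " in d}
    kept = {d.upper() for _, d in a_entries}
    return {
        "removed": sorted(b_entries - a_entries),
        "remaining": sorted(b_entries & a_entries),
        # Entry deleted but process still in memory: rescan after a reboot.
        "still_running": sorted(p for p in a_procs if p in autostart
                                and not any(p in d for d in kept)),
    }

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```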

jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Wed Jun 30, 2004 4:25 pm
ok, after all this that I went through my computer seems to be A LOT better.... it is fast and everything. But I didn't delete SpyDeleter, I was waiting on someone to point me in the direction of what to do about it. Anyways..... I'm still looking forward to your advice, but thanks soooooooooo much for what you've already done. You're doing like what my local computer shop charges $50 for and this way is getting better results so far! Thanks! but please.... keep analyzing.

jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Thu Jul 01, 2004 9:27 am
ok so no one has answered me yet so I'm just gonna ask again to bump this topic up.
Ok, my computer is running very smoothly still.... possibly better than ever, but I still have SpyDeleter on here and I really don't know what to do with it. What would you guys do?

eburger68 SWW Distinguished Expert
Joined: 23 Jun 2004 Last Visit: 18 Nov 2008 Posts: 581 Location: Clearwater, FL
Posted: Thu Jul 01, 2004 7:12 pm
jchristian_14:
Uninstall the SpyDeleter. If your mother wants an anti-spyware program, there are two free, reputable programs that are highly recommended:
Ad-aware
http://www.lavasoft.de/
Spybot Search & Destroy
http://spybot.safer-networking.de/
Best,
Eric L. Howes

yoyoma Newbie
Joined: 01 Jul 2004 Last Visit: 07 Dec 2004 Posts: 7
Posted: Fri Jul 02, 2004 6:28 am
SpyDeleter is a scam, delete it and then dispute it with your credit card company - they're trying to screw up your computer so you might as well file a fraud report with your CC company on them. BTW - they are based out of Atlanta - so you may want to file a report with the Atlanta Better Business Bureau as well at
www.atlanta.bbb.org

jchristian_14 Newbie
Joined: 29 Jun 2004 Last Visit: 03 Jul 2004 Posts: 7
Posted: Fri Jul 02, 2004 9:04 am
Ok...
Thank you sooo much, that info was VERY helpful! And I just deleted it off my computer... or at least I thought I did, I heard it was hard to fully delete or something. But I'm not gonna question a good thing; my computer is running great! So yea... thanks sooooo much, you were all very helpful!

TeMerc Warrior VIP
Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 9351 Location: Phx. AZ.