Virus Alert!

Moonlapse

Member
Jun 13, 2004
71
0
0
I know this doesn't really belong in this section of the forum, but since this place gets the most views/posts, I thought it would be best to bring this to everybody's attention.

Well last night, after being fed up that IE would always reset the homepage to some search site, IE crashing all the time, Kazaa-lite and WM9 unable to open, and Windows taking 2 minutes longer to load up than it should - I decided to see what the issue was. Adaware and Housecall traced nothing, so I decided to uninstall programs. To my surprise, I saw 3 new programs running in Add/Remove Programs. If you have these, deal with them immediately.

Home Search Assistent
Search Extender
Shopping Wizard

You CAN NOT uninstall them, since it redirects you to a site, asking you to DL a program to do so (I hope none of you are stupid enough to fall for that..). So, how do you deal with this nasty ah heck? Read on..

Had no idea what to do at first, but I googled a search on one of the programs, and got a lot of help from this forum. Now - if you do have this hijack, I recommend reading atomicdog40's post, as well as sprengstof's. I'll summarize what I did anyways..

1) Install Adaware6 and update it (they just released a definition for this a day or two ago)
2) Also install "Hijackthis" - it's a program that shows all your processes that are running.
3) Reboot in SAFEMODE
4) Run Adaware6 - quarantine and delete
5) Run Hijackthis - check any program that looks suspicious (it usually is in the form of 4-5 letters of gibberish, usually ending with the string of either .exe, .dll, .dat)
6) Rerun them again in SAFE MODE
7) Go to Run>>regedit, and delete the following

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA (do for SE, and SW as well)


8) Reboot normally and run Adaware and Hijackthis again - hopefully you have rid yourself clean.

I believe I still have traces of the dummy files in my Windows and System32 folders, but I don't see the programs running, nor does Adaware detect them. I'll make sure to delete those soon.. a pain in the arse, to be sure. Oh, if you were wondering - it seems most people have transmitted this hijack from pr0n sites, but I'm sure it's not limited to that. So to the people who DON'T have it, keep both hands on the keyboard. :confused:
 

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
"Well last night, after being fed up that IE would always reset the homepage to some search site, IE crashing all the time, Kazaa-lite and WM9 unable to open",

Listen, you have Kazaa installed and you want to come here and try to give advice? Go away and enjoy your viruses.
 

robcy

Senior member
Jun 8, 2003
503
0
0
Originally posted by: Bucksnort
"Well last night, after being fed up that IE would always reset the homepage to some search site, IE crashing all the time, Kazaa-lite and WM9 unable to open",

Listen, you have Kazaa installed and you want to come here and try to give advice? Go away and enjoy your viruses.

I actually have use for this. My little brother has this same thing, and I had no idea what was happening. I was just about ready to leave work, and reprogram his computer. This just saved me a lot of time, THX.
 

dennisjai215

Banned
Apr 16, 2004
1,261
0
0
Originally posted by: Bucksnort
"Well last night, after being fed up that IE would always reset the homepage to some search site, IE crashing all the time, Kazaa-lite and WM9 unable to open",

Listen, you have Kazaa installed and you want to come here and try to give advice? Go away and enjoy your viruses.

kazaa lite = spyware free

and i know he can dl stuff that has spyware but that isnt the ONLY way u get it..
so dont be an ass for someone trying to inform/help others
 

Moonlapse

Member
Jun 13, 2004
71
0
0
Whether or not I have Kazaa, it makes no matter. I try everything to ensure that I stay virus free - sh*t happens. I have to use it from time to time - so keep your comment to yourself - the whole point of the virus and trying to fix it is still valid, no matter what I have on my computer.
 

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
dont be a fgt flaming homo

kazaa lite = spyware free
You talk like you know a lot. If you or anyone else is dumb enough to use a program like Lite or any other peer-to-peer program you deserve what you get.
 

Moonlapse

Member
Jun 13, 2004
71
0
0
Perhaps we do - but this virus didn't originate from that, so if you want to validate your assessment, then go to another thread. Not all people who get viruses are "asking for it".
 

Bucksnort

Golden Member
Aug 17, 2001
1,062
0
0
Right, heaven forbid an ILLEGAL file sharing program had anything to do with your virus infested computer. A lawsuit is coming to a town near you.
 

Moonlapse

Member
Jun 13, 2004
71
0
0
:roll: Whatever. I know the risks involved - I'm not f'n stupid. In all actuality, I don't have one download from Kazaa, NOT ONE. I know where the damn hijack came from - not Kazaa or any other P2P program. I know some stuff I have on the comp is technically illegal - but that's straying away from the reason I posted this. And for your info - I don't have a "virus infested computer".
 

Budmantom

Lifer
Aug 17, 2002
13,103
1
81
Originally posted by: Bucksnort
Right, heaven forbid an ILLEGAL file sharing program had anything to do with your virus infested computer. A lawsuit is coming to a town near you.

Perhaps you should find another thread to carp in.


Tom
 

SgtZulu

Banned
Sep 15, 2001
818
0
0
Stop using IE, n00bs, and get something like Mozilla Firefox; you wouldn't have these problems.
 

Moonlapse

Member
Jun 13, 2004
71
0
0
I know. :\ Just reinstalled Windows last week, and I've been so busy tweaking other things that I forgot about Mozilla. I should do that now..
 

Moonlapse

Member
Jun 13, 2004
71
0
0
:looks at OT::

Whoops. :p I figure I would post it here though since this is a more computer related area - but yeah, getting rid of it was no fun. I f'n hate people who create viruses like these. Scum of the earth..
 

SneakyStuff

Diamond Member
Jan 13, 2004
4,294
0
76
P2P programs aren't illegal, Buck, only the copyrighted files swapped on them; that's when they become illegal. Please stop patronizing people: you do what you do, they do what they do, you are in charge of your own computer. And in regards to Internet Explorer, yes I agree, people need to learn there are other alternatives. I've been using MYIE2 for some time now, and am very happy.
 

Bovinicus

Diamond Member
Aug 8, 2001
3,145
0
0
Between Adaware and Avast AV I have successfully rid my system of a recent infestation of some browser hijacker. Avast is free if you register at their website. I highly recommend it. It finds some adware and spyware and certain things that even Norton AV doesn't find.
 

SickBeast

Lifer
Jul 21, 2000
14,377
19
81
Originally posted by: dennisjai215
dont be a fgt flaming homo

kazaa lite = spyware free

and i know he can dl stuff that has spyware but that isnt the ONLY way u get it..
so dont be an ass for someone trying to inform/help others

First of all, you can be banned for flaming homophobic epithets, so be careful. I'm not gay and I found that pretty out there.

Second, Kazaa Lite DOES have spyware in the form of Alexa. Kazaa or Kazaa Lite will ruin any computer if left running long enough. It's garbage and is not worth the money you'll save by stealing intellectual property. If you like P2P, I suggest DC++. There's no spyware in it AFAIK.
 

xylem

Senior member
Jan 18, 2001
621
0
76
Thanks for the info. I know that, being responsible for maintaining the general health of quite a few computers in different locations, there has been a real upsurgence of *nasty* spyware/hijacker junk recently. I just experienced two different ones that create a .dll in the Windows\System32 directory, and if you successfully delete it, they create a new one with a different name... so anyone that happens to catch and clean something with their favorite spyware-cleaner, and notices that the same one pops up every time, even though it was "successfully fixed," may want to take the necessary time to do some manual cleaning.
 

Jeff7

Lifer
Jan 4, 2001
41,596
19
81
Originally posted by: xylem
Thanks for the info. I know that, being responsible for maintaining the general health of quite a few computers in different locations, there has been a real upsurgence of *nasty* spyware/hijacker junk recently. I just experienced two different ones that create a .dll in the Windows\System32 directory, and if you successfully delete it, they create a new one with a different name... so anyone that happens to catch and clean something with their favorite spyware-cleaner, and notices that the same one pops up every time, even though it was "successfully fixed," may want to take the necessary time to do some manual cleaning.

See my new sig.
I got an infection of CoolWebSearch from who-knows-where. And I don't know how long I've had it either. The dll files it generates keep assuming new created-on dates. It is a doozy too - it creates a registry entry, and is able to mask the file in Explorer. The file in my case was ms.dll - well, there was a hidden registry entry (you can't see it using regedit, you need another program), and you need to rename the parent folder that it's in. Otherwise, just trying to edit the entry itself is fruitless - CWS just re-edits the needed startup info right back in.
So, rename the folder in the registry, delete the bad entry, then name the folder back to the default. Then you might have a chance of deleting the offending file. I had to reset the permissions on the file to give myself access, then I could change the read-only attribute, and delete the damn thing. I think I'm finally rid of CoolWebSearch.
BTW, the registry entry was here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

I used Registrar Lite to do the registry editing. The value (C:\windows\system32\ms.dll) was not visible in regedit, but it was in Registrar Lite. This CWS variant was rather well-done; fortunately, it had flaws.
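
The registry locations named in Moonlapse's first post (the `Uninstall\HSA`, `SE` and `SW` keys) and in Jeff7's post above can be inspected without changing anything. The PowerShell below is an added example, not part of any post in this thread. The function names are hypothetical, and the value name `AppInit_DLLs` is an assumption: Jeff7's post gives only the key and the data (`C:\windows\system32\ms.dll`), not the name of the value.

```powershell
# Added example: read-only checks, nothing is modified or deleted.
$uninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$winNtKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# Uninstall subkeys named in the first post (HSA, SE, SW).
function Get-HijackerUninstallKey {
    param([string[]]$Name = @('HSA', 'SE', 'SW'))
    foreach ($n in $Name) {
        $path = Join-Path $uninstallRoot $n
        if (Test-Path -LiteralPath $path) {
            $p = Get-ItemProperty -LiteralPath $path
            [pscustomobject]@{
                Key             = $path
                DisplayName     = $p.DisplayName
                UninstallString = $p.UninstallString
            }
        }
    }
}

# DLLs listed in AppInit_DLLs (assumed value name; the post gives only the key).
function Get-AppInitDll {
    $raw = (Get-ItemProperty -LiteralPath $winNtKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if (-not $raw) { return }
    # The value holds DLL names separated by spaces or commas.
    foreach ($dll in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # Bare file names are resolved against System32.
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        # -Force includes hidden and system files.
        $f = Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Dll        = $dll
            Exists     = [bool]$f
            Created    = $f.CreationTime
            Attributes = $f.Attributes
        }
    }
}

Get-HijackerUninstallKey | Format-List
Get-AppInitDll | Format-List
```

An empty result from `Get-AppInitDll` does not rule out the entry Jeff7 describes, since his post reports that regedit did not display it. The `Created` column is there because the post notes the DLLs keep taking on new creation dates.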
 

SneakyStuff

Diamond Member
Jan 13, 2004
4,294
0
76
You need to unplug your NIC, and reboot your comp in safe mode to take care of those pesks.
 

earthling30

Senior member
Mar 18, 2004
483
0
0
Originally posted by: Moonlapse
I know this doesn't really belong in this section of the forum, but since this place gets the most views/posts, I thought it would be best to bring this to everybody's attention.

Well last night, after being fed up that IE would always reset the homepage to some search site, IE crashing all the time, Kazaa-lite and WM9 unable to open, and Windows taking 2 minutes longer to load up than it should - I decided to see what the issue was. Adaware and Housecall traced nothing, so I decided to uninstall programs. To my surprise, I saw 3 new programs running in Add/Remove Programs. If you have these, deal with them immediately.

Home Search Assistent
Search Extender
Shopping Wizard

You CAN NOT uninstall them, since it redirects you to a site, asking you to DL a program to do so (I hope none of you are stupid enough to fall for that..). So, how do you deal with this nasty ah heck? Read on..

Had no idea what to do at first, but I googled a search on one of the programs, and got a lot of help from this forum. Now - if you do have this hijack, I recommend reading atomicdog40's post, as well as sprengstof's. I'll summarize what I did anyways..

1) Install Adaware6 and update it (they just released a definition for this a day or two ago)
2) Also install "Hijackthis" - it's a program that shows all your processes that are running.
3) Reboot in SAFEMODE
4) Run Adaware6 - quarantine and delete
5) Run Hijackthis - check any program that looks suspicious (it usually is in the form of 4-5 letters of gibberish, usually ending with the string of either .exe, .dll, .dat)
6) Rerun them again in SAFE MODE
7) Go to Run>>regedit, and delete the following

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA (do for SE, and SW as well)


8) Reboot normally and run Adaware and Hijackthis again - hopefully you have rid yourself clean.

I believe I still have traces of the dummy files in my Windows and System32 folders, but I don't see the programs running, nor does Adaware detect them. I'll make sure to delete those soon.. a pain in the arse, to be sure. Oh, if you were wondering - it seems most people have transmitted this hijack from pr0n sites, but I'm sure it's not limited to that. So to the people who DON'T have it, keep both hands on the keyboard. :confused:

Thanks for the info. However, my family doesn't use any P2P programs because I've taken care of that ;), that is some good info to have just in case I have to fix anyone else's PC with this problem.
 

Buz2b

Diamond Member
Jun 2, 2001
4,619
0
0
In case this thread gets locked soon I figured I'd better let you know that this problem is a lot like the one I described in This Thread. I thought you might benefit from a link to it. This may just be a "look-alike", or the same type of thing. Either way, it is truly difficult to get rid of. The key is to work in Safe Mode at all times to do the removal. I'm not sure if you would need to remove your NIC while doing so (as mentioned earlier) but at least do the Safe Mode removal. Good Luck to you all and I suggest you tone down the rhetoric before this is locked.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I think the subtitle might need to be changed to "good chance you do not have it," but whatever ;) People who are interested in keeping this stuff at bay may wish to set themselves up with a Restricted User account as their "daily driver" account, which puts spyware installers and other software installers on a very short leash. If you have kids, they should definitely not be going around on your computer wielding Administrator powers either. If you don't want your Porsche stolen, it helps if you don't leave the keys in the ignition, people. :evil: We see all these fixes and removers and stuff, how about some prevention? :)

I thought I'd add that while logged in as a Restricted User, you can still do Admin tasks. Hold down the Shift key while right-clicking on something that requires Admin powers, such as Defragmenter, and you can Run As the system's Administrator. Also, use a reasonably strong password for all Administrator-class accounts to defy the efforts of share-hopping worms.
 

earthling30

Senior member
Mar 18, 2004
483
0
0
Originally posted by: mechBgon
I thought I'd add that while logged in as a Restricted User, you can still do Admin tasks. Hold down the Shift key while right-clicking on something that requires Admin powers, such as Defragmenter, and you can Run As the system's Administrator. Also, use a reasonably strong password for all Administrator-class accounts to defy the efforts of share-hopping worms.

Cool, I never knew that. If it works it will sure beat changing the account to an admin. just to get things done then resetting the account to a restricted account. Thanks for the FYI.
 

Snoop

Golden Member
Oct 11, 1999
1,424
0
76
Originally posted by: SickBeast
Originally posted by: dennisjai215
dont be a fgt flaming homo

kazaa lite = spyware free

and i know he can dl stuff that has spyware but that isnt the ONLY way u get it..
so dont be an ass for someone trying to inform/help others

First of all, you can be banned for flaming homophobic epithets, so be careful. I'm not gay and I found that pretty out there.

Second, Kazaa Lite DOES have spyware in the form of Alexa. Kazaa or Kazaa Lite will ruin any computer if left running long enough. It's garbage and is not worth the money you'll save by stealing intellectual property. If you like P2P, I suggest DC++. There's no spyware in it AFAIK.

I have Kazaa Lite and do not have Alexa? Also, I have been using KL for some time and have never had a virus nor have I had any spyware which has come from using Kazaa Lite. Maybe I am just lucky.

:confused: