spyware ad has taken over my computer?


starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
25-Nov-2003, 06:08 PM #1
spyware ad has taken over my computer?
The past two times I've gone online today, my usual homepage hasn't come up.

The first time a spyware (it claims) ad page was there, and said it had replaced my homepage- and was showing me how easily spyware could get into my computer and take over.

It gave a link to download an anti spyware program. But, I am wary of these, I once saw a similar ad which said it took out spyware programs like Spybot and Adaware- making out like they are something I don't want.

The only way I could get it closed was by clicking the desktop icon (thanks to someone who asked a question about this shortcut here, a few days ago, I knew I could do this. I'd never paid attention to the desktop icon before and didn't know what it did).

This time I came back on, there were several windows open, one saying:

If your NOTEPAD launched and is displaying this message...

Then "Spyware" programmers can control applications on
YOUR computer and it is URGENT that you download SPY WIPER
immediately. Do not allow spyware programs to damage your
insecure computer!!

(See other window)

Under it was a window that said the same thing about "your CD ROM drive is open" (mine wasn't but my cd burner (E drive) was).

Under that was the browser page, with the download again, replacing my home page.

I haven't yet run Spybot and Adaware (which I have), decided to come here first and get the real info about this, and how to make it stop doing whatever it's doing. Has something taken over my computer and putting these ads on it? Is what it offers (Spy Wiper) something I WANT or another spyware program?

I really don't want anything that puts ads for itself on my computer like this.

(later): this is the url of the home page that comes up http://default-homepage-network.com/index2.html)

As I was writing this, a huge pop came up over the screen that said something about link for very "naughty" people.

I saw something (here) someone had written that porn had taken over his computer. Maybe this is the same thing?

Where did it come from and how do I get it to go away!!!!!!

Oh, I forgot to say I have WIN 98 SE (and IE 6)


Thanks,

Carrie

Last edited by starchild; 25-Nov-2003 at 07:17 PM..
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
25-Nov-2003, 08:53 PM #2
I think it's fixed.

I ran the IE 6 repair option, and the spy program seems to be gone.

I'm still curious about it, like how did it get in, and was it a legit spyware remover?

It's like the reg keys/flags that trial software puts in so it runs out in a specific time and you can't put it in again. Someone told me it's almost impossible to find this.

What's to stop spyware from doing this same thing?

Nothing should be put in my computer that's almost impossible to find and take out!

~ Carrie
Flrman1's Avatar
Flrman1   (Mark) Flrman1 is offline Flrman1 has a Profile Picture
Member with 46,322 posts.
 
Join Date: Jul 2002
Location: Thomasville, NC
25-Nov-2003, 08:53 PM #3
Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

The log may reveal the source of the problem.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
25-Nov-2003, 10:58 PM #4
It actually works fine now. Since it said WINDOWS Internet Explorer up top when it came on, I used the IE 6 repair tool, (and ran Adaware and Spybot) and haven't seen it since.

btw, I saw the link about your birthday and mine is the same day. I turned 60! Don't know how that or when that happened

~ Carrie
Flrman1's Avatar
Flrman1   (Mark) Flrman1 is offline Flrman1 has a Profile Picture
Member with 46,322 posts.
 
Join Date: Jul 2002
Location: Thomasville, NC
25-Nov-2003, 11:13 PM #5
Happy Birthday!
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
26-Nov-2003, 07:04 PM #6
Happy Birthday back at you flrman (just figured out what your screen name means)

Just to keep this on topic (us Sagittarians have a way of wandering off), and not to be paranoid, but I did get and run Hijack This.

This afternoon when I came online, I got a message from AOL saying (just to let me know) my AOL IM screen name was open elsewhere. Said this could happen if I had an AOL IM open and a "downloaded" (AIM) box open at the same time. But I don't have AOL for an ISP, just the AIM box downloaded. It said that any messages would go to both.

I went and changed the password, and closed AIM and restarted it a few times and kept getting the message. I know, this could be a glitch, but have never seen it before and have had AIM for 5 years.

I finally closed down my computer and later restarted it, and when AIM came on the message wasn't there.

I've recently wondered if someone (so inclined, who's on a newsgroup I'm on) had gotten into my angelfire website. She's made remarks about what anyone who did this could have seen in pictures I have uploaded there (I would put them on webpages and send them to family). She has said "someone sent me pictures (of my house, family, etc) in email..." Either that, of course, or she's making it up. But she's mentioned things about my home (she's never seen) she could have seen in family pictures.

I had a blank page named "index.html" in each photo directory, so nobody could take out the name of a picture I might have posted somewhere online and gotten into the directory with all the pictures.

But, I never thought about someone guessing or hacking the password (which was simple and I never changed it...) But, anytime I posted a picture or html page from the angelfire site (that I WANTED to be seen- like I had a download of a screensaver I made, for one) anyone could have easily gotten my username, which is in the url.

No proof of course. I'm just starting to notice things, like the other day when ad popups came on in place of my home page (which I know could happen without someone putting them there).
I ran Adaware and Spybot, but what fixed that was using the IE 6 repair tool. Probably why there's not as much in the log as other times I've gotten and run HT (on the advice of someone here)

I have AVG Anti Virus scan. The Quicktime I just put in today, to open something. I don't know what the shockwave swf flash is (the screensaver?) Actually, I don't know what any of it really is, just recognizing some words.

Anyway... this is what I got: Is this the main way to tell if someone has hacked into a computer in some way? I imagine it's not hard to get into a passworded program (like AOL IM) if you know how. I don't know anyone who would sign in to it (elsewhere) using my name. IF it really happened.

Logfile of HijackThis v1.97.7
Scan saved at 5:45:29 PM, on 11/26/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

(edited- to add) It just did it again, with the new password

AOL System Msg: Your screen name (starchild1124) is now signed into AOL(R) Instant Messenger (TM) in 2 locations. Click here for more information.

Of course, it could be an AOL glitch. I could write and ask them, but have never gotten a response from them about anything yet.

LOL

~ Carrie

Last edited by starchild; 26-Nov-2003 at 07:11 PM..
rahlove's Avatar
rahlove rahlove is offline
Junior Member with 23 posts.
 
Join Date: Aug 2002
26-Nov-2003, 07:48 PM #7
My computer was hijacked by the same spyware. I think I got rid of it.
foolio's Avatar
foolio foolio is offline
Member with 52 posts.
 
Join Date: Nov 2003
26-Nov-2003, 07:49 PM #8
I don't see anything wrong with your log.

My recommendation is to delete all your private AOL e-mails and info.

Run spy bot again and adaware

Use the immunize feature to prevent future attacks.

Could be a hacker; other than that you should install a firewall and use the housecall
scanner. Post another HJT Log and we'll get rid of what's left.


Cheers,
Foolio
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
26-Nov-2003, 08:01 PM #9
I don't have AOL for an ISP so don't have any private AOL email or messages.

I did sign in as another username I had a few years ago.

----------------------------
Run spy bot again and adaware

Use the immunize feature to prevent future attacks.
-----------------------------------

I don't know what this means? On AOL IM?

I never understood firewalls, it seemed like people who have them have problems, like getting onto some discussion boards, etc.

Okay I'll do the housecall scanner.

Is there a sure way to tell if someone's hacking in some way?

I once saw (in passing) a program that was supposed to find AOL IM passwords. I've heard there are programs that someone (who knows how) can run, that go through every letter/number combination and stop when the correct password is found.

Is this true? If so, what good are passwords?

I know, nothing is really private on the internet...

~ Carrie
rahlove's Avatar
rahlove rahlove is offline
Junior Member with 23 posts.
 
Join Date: Aug 2002
26-Nov-2003, 08:39 PM #10
Quote:
Originally posted by foolio:
I don't see anything wrong with your log.

My recommendation is to delete all your private AOL e-mails and info.

Run spy bot again and adaware

Use the immunize feature to prevent future attacks.

Could be a hacker; other than that you should install a firewall and use the housecall
scanner. Post another HJT Log and we'll get rid of what's left.


Cheers,
Foolio
Foolio,

Can you check my log.
Here is the link to my thread on this board. PEACE

http://forums.techguy.org/t182296/s.html
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
26-Nov-2003, 10:02 PM #11
I looked at the page with Housecall, not sure what it is?

Virus scan? Firewall? Similar to Hijack this?

It's a download, then I run it to scan?

Should I disable the AVG before I do this?

Not sure what it is, and their home page seemed confusing. It gives "housecall" for corporate/offices.

Though, of course, they won't know I'm not that

Figured I'd find out a little more about it before I start doing it.

~ Carrie
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
27-Nov-2003, 12:52 PM #12
The next day...

Today when I came online I got a message from AOL saying my screen name (the new one I put in yesterday after this happened with my original one) is signed in elsewhere.

Something is wrong. I don't think AOL glitches would last two days and involve two screen names....

I downloaded Housecall... now can't figure out how to use it.

I went back to the webpage and clicked on SCAN and the download box came up again- is this how it works?

I can't find an icon or anything to click on to scan. It shows a picture of the box to check the options, but I don't know where it is. I'll have to search through my computer for it.

I'm going to ask more questions about this (security, and getting hacked) but think I'll make it a new post. Since it's more overall.

I will probably end up reinstalling WINDOWS again, which I need to do anyway, just waiting to finish up and save some stuff first. And, if this happens once, it can again.

If it's really been hacked, I know who did it. No proof though...

~ Carrie
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
27-Nov-2003, 08:28 PM #13
LATER... I used Housecall and no virus.

I used a trojan scan someone suggested, and no trojans.

Now I'm going to attempt a firewall.

And read a tutorial on Hijack this.

I'll be back...

~ Carrie
foolio's Avatar
foolio foolio is offline
Member with 52 posts.
 
Join Date: Nov 2003
28-Nov-2003, 05:36 PM #14
okay.... u can post another hijackthis log and we will look at it again
starchild's Avatar
Member with 2,064 posts.
THREAD STARTER
 
Join Date: Sep 2002
28-Nov-2003, 06:07 PM #15
Logfile of HijackThis v1.97.7
Scan saved at 4:51:16 PM, on 11/28/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/b...ll/xscan53.cab


I have a firewall since the last one. One good thing that came out of security issues, I was pointed to one that's free and easy to use (so far). Before this I'd heard of them but didn't realize this (free and easy to use).

Ones I notice in the log (just for the learning)

C:\WINDOWS\SYSTEM\DDHELP.EXE - can't figure out what DD HELP is.

I see my FTP (though don't know why it's in the log, is this what loads every time I put on the computer?)

Shockwave Flash object? And Quicktime installer? was on the last one, too. I had downloaded Quicktime but had taken the icon off the taskbar, startup menu.

Housecall is something I downloaded and ran to scan yesterday, from a link given here. Do I need this, if I have AVG anti virus?

If I can take anything out, so it won't show on another scan, I'm not sure I know how to do this.

It's sort of like trying to read a foreign language, but once we know how, it's clear. It can't be any harder than figuring out how to put up webpages

Okay, I know one thing that seems to be, trying to figure out how to set up cgi-perl scripts.

But, that's another topic. I periodically try it and then give up.

~ Carrie
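
Added example, not part of the thread and not HijackThis's own code: a small Python script that parses the two HijackThis logs posted above (excerpted here), reports which entries appeared or disappeared between 26 and 28 Nov, and reads back the IE start page from the R0 line. The function names are hypothetical; the section descriptions are the standard HijackThis meanings for the codes seen in these logs.

```python
import re

# Section codes seen in this thread's logs (standard HijackThis meanings).
SECTIONS = {
    "R0": "IE start/search page",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)",
    "O9": "extra IE button / Tools menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpts of the two logs posted in the thread (26 and 28 Nov 2003).
LOG_26NOV = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
"""
LOG_28NOV = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: AIM (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/b...ll/xscan53.cab
"""

def parse_entries(log_text):
    """Return {(code, detail)}; header and process-list lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2).strip()))
    return entries

def start_page(log_text):
    """Return the IE start page recorded in the R0 entry, or None."""
    for code, detail in parse_entries(log_text):
        if code == "R0" and ",Start Page = " in detail:
            return detail.split(" = ", 1)[1]
    return None

def diff_logs(old_text, new_text):
    """Return (added, removed) entries between two scans, each sorted."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    return sorted(new - old), sorted(old - new)

def report(old_text, new_text):
    """One line per changed entry: sign, code, section meaning, detail."""
    added, removed = diff_logs(old_text, new_text)
    return [f"{sign} {code} [{SECTIONS.get(code, 'unknown section')}] {detail}"
            for sign, items in (("+", added), ("-", removed))
            for code, detail in items]

if __name__ == "__main__":
    print("Start page:", start_page(LOG_28NOV))
    print("\n".join(report(LOG_26NOV, LOG_28NOV)))
```

On these excerpts the only new entries are the firewall's two autostart lines and the HouseCall control, both of which the poster says she installed, and the start page is still the Yahoo mail address rather than the hijacked one.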