
spyware ad has taken over my computer?

Discussion in 'Virus & Other Malware Removal' started by starchild, Nov 25, 2003.

Thread Status:
Not open for further replies.
  1. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    The past two times I've gone online today, my usual homepage hasn't come up.

    The first time a spyware (it claims) ad page was there, and said it had replaced my homepage- and was showing me how easily spyware could get into my computer and take over.

    It gave a link to download an anti spyware program. But, I am wary of these, I once saw a similar ad which said it took out spyware programs like Spybot and Adaware- making out like they are something I don't want.

    The only way I could get it closed was by clicking the desktop icon (thanks to someone who asked a question about this shortcut here a few days ago, I knew I could do this. I'd never paid attention to the desktop icon before and didn't know what it did).

    This time I came back on, there were several windows open, one saying:

    If your NOTEPAD launched and is displaying this message...

    Then "Spyware" programmers can control applications on
    YOUR computer and it is URGENT that you download SPY WIPER
    immediately. Do not allow spyware programs to damage your
    insecure computer!!

    (See other window)

    Under it was a window that said the same thing about "your CD ROM drive is open" (mine wasn't, but my CD burner (E drive) was).

    Under that was the browser page, with the download again, replacing my home page.

    I haven't yet run Spybot and Adaware (which I have), decided to come here first and get the real info about this, and how to make it stop doing whatever it's doing. Has something taken over my computer and putting these ads on it? Is what it offers (Spy Wiper) something I WANT or another spyware program?

    I really don't want anything that puts ads for itself on my computer like this.

    (later): this is the URL of the home page that comes up: http://default-homepage-network.com/index2.html

    As I was writing this, a huge popup came up over the screen that said something about a link for very "naughty" people.

    I saw something (here) someone had written that porn had taken over his computer. Maybe this is the same thing?

    Where did it come from and how do I get it to go away!!!!!!

    Oh, I forgot to say I have WIN 98 SE (and IE 6)


    Thanks,

    Carrie
     
  2. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    I think it's fixed.

    I ran the IE 6 repair option, and the spy program seems to be gone.

    I'm still curious about it, like how did it get in, and was it a legit spyware remover?

    It's like the reg keys/flags that trial software puts in so it runs out in a specific time and you can't put it in again. Someone told me it's almost impossible to find this.

    What's to stop spyware from doing this same thing?

    Nothing should be put in my computer that's almost impossible to find and take out!

    ~ Carrie
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on the Hijackthis.exe.

    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.

    Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    The log may reveal the source of the problem.
     
  4. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    It actually works fine now. Since it said WINDOWS Internet Explorer up top when it came on, I used the IE 6 repair tool, (and ran Adaware and Spybot) and haven't seen it since.

    btw, I saw the link about your birthday and mine is the same day. I turned 60! Don't know how that or when that happened :)

    ~ Carrie
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Happy Birthday!
     
  6. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    Happy Birthday back at you flrman (just figured out what your screen name means :)

    Just to keep this on topic (us Sagittarians have a way of wandering off), and not to be paranoid, but I did get and run Hijack This.

    This afternoon when I came online, I got a message from AOL saying (just to let me know) my AOL IM screen name was open elsewhere. Said this could happen if I had an AOL IM open and a "downloaded" (AIM) box open at the same time. But I don't have AOL for an ISP, just the AIM box downloaded. It said that any messages would go to both.

    I went and changed the password, and closed AIM and restarted it a few times and kept getting the message. I know, this could be a glitch, but have never seen it before and have had AIM for 5 years.

    I finally closed down my computer and later restarted it, and when AIM came on the message wasn't there.

    I've recently wondered if someone (so inclined, who's on a newsgroup I'm on) had gotten into my angelfire website. She's made remarks about what anyone who did this could have seen in pictures I have uploaded there (I would put them on webpages and send them to family). She has said "someone sent me pictures (of my house, family, etc) in email..." Either that, of course, or she's making it up. But she's mentioned things about my home (she's never seen) she could have seen in family pictures.

    I had a blank page named "index.html" in each photo directory, so nobody could take out the name of a picture I might have posted somewhere online and gotten into the directory with all the pictures.

    But, I never thought about someone guessing or hacking the password (which was simple and I never changed it...) But, anytime I posted a picture or html page from the angelfire site (that I WANTED to be seen- like I had a download of a screensaver I made, for one) anyone could have easily gotten my username, which is in the url.

    No proof of course. I've just started to notice things, like the other day when ad popups came on in place of my home page (which I know could happen without someone putting them there).
    I ran Adaware and Spybot, but what fixed that was using the IE 6 repair tool. Probably why there's not as much in the log as other times I've gotten and run HT (on the advice of someone here)

    I have AVG Anti Virus scan. The Quicktime I just put in today, to open something. I don't know what the shockwave swf flash is (the screensaver?) Actually, I don't know what any of it really is, just recognizing some words.

    Anyway... this is what I got: Is this the main way to tell if someone has hacked into a computer in some way? I imagine it's not hard to get into a passworded program (like AOL IM) if you know how. I don't know anyone who would sign in to it (elsewhere) using my name. IF it really happened.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:45:29 PM, on 11/26/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe

    (edited- to add) It just did it again, with the new password

    AOL System Msg: Your screen name (starchild1124) is now signed into AOL(R) Instant Messenger (TM) in 2 locations. Click here for more information.

    Of course, it could be an AOL glitch. I could write and ask them, but have never gotten a response from them about anything yet.

    LOL

    ~ Carrie
     
  7. rahlove

    rahlove

    Joined:
    Aug 24, 2002
    Messages:
    23
    My computer was hijacked by the same spyware. I think I got rid of it.
     
  8. foolio

    foolio

    Joined:
    Nov 15, 2003
    Messages:
    52
    I don't see anything wrong with your log.

    My recommendation is to delete all your private AOL e-mails and info.

    Run spy bot again and adaware

    Use the immunize feature to prevent future attacks.

    Could be a hacker, other than that you should install a firewall and use housecall scanner. Post another HJT Log and we'll get rid of what's left.


    Cheers,
    Foolio:D
     
  9. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    I don't have AOL for an ISP so don't have any private AOL email or messages.

    I did sign in as another username I had a few years ago.

    ----------------------------
    Run spy bot again and adaware

    Use the immunize feature to prevent future attacks.
    -----------------------------------

    I don't know what this means? On AOL IM?

    I never understood firewalls, it seemed like people who have them have problems, like getting onto some discussion boards, etc.

    Okay I'll do the housecall scanner.

    Is there a sure way to tell if someone's hacking in some way?

    I once saw (in passing) a program that was supposed to find AOL IM passwords. I've heard there are programs that someone (who knows how) can run, that go through every letter/number combination and stop when the correct password is found.

    Is this true? If so, what good are passwords?

    I know, nothing is really private on the internet...

    ~ Carrie
     
  10. rahlove

    rahlove

    Joined:
    Aug 24, 2002
    Messages:
    23
    Foolio,

    Can you check my log.
    Here is the link to my thread on this board. PEACE

    http://forums.techguy.org/t182296/s.html
     
  11. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    I looked at the page with Housecall, not sure what it is?

    Virus scan? Firewall? Similar to Hijack this?

    It's a download, then I run it to scan?

    Should I disable the AVG before I do this?

    Not sure what it is, and their home page seemed confusing. It gives "housecall" for corporate/offices.

    Though, of course, they won't know I'm not that :)

    Figured I'd find out a little more about it before I start doing it.

    ~ Carrie
     
  12. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    The next day...

    Today when I came online I got a message from AOL saying my screen name (the new one I put in yesterday after this happened with my original one) is signed in elsewhere.

    Something is wrong. I don't think AOL glitches would last two days and involve two screen names....

    I downloaded Housecall... now can't figure out how to use it.

    I went back to the webpage and clicked on SCAN and the download box came up again- is this how it works?

    I can't find an icon or anything to click on to scan. It shows a picture of the box to check the options, but I don't know where it is. I'll have to search through my computer for it.

    I'm going to ask more questions about this (security, and getting hacked) but think I'll make it a new post. Since it's more overall.

    I will probably end up reinstalling WINDOWS again, which I need to do anyway, just waiting to finish up and save some stuff first. And, if this happens once, it can again.

    If it's really been hacked, I know who did it. No proof though...

    ~ Carrie
     
  13. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    LATER... I used Housecall and no virus.

    I used a trojan scan someone suggested, and no trojans.

    Now I'm going to attempt a firewall.

    And read a tutorial on Hijack this.

    I'll be back...

    ~ Carrie
     
  14. foolio

    foolio

    Joined:
    Nov 15, 2003
    Messages:
    52
    okay.... u can post another hijackthis log and we will look at it again
     
  15. starchild

    starchild Thread Starter

    Joined:
    Sep 17, 2002
    Messages:
    2,099
    Logfile of HijackThis v1.97.7
    Scan saved at 4:51:16 PM, on 11/28/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bff3af7d050da5/housecall.antivirus.com/housecall/xscan53.cab


    I have a firewall since the last one. One good thing that came out of security issues, I was pointed to one that's free and easy to use (so far). Before this I'd heard of them but didn't realize this (free and easy to use).

    Ones I notice in the log (just for the learning)

    C:\WINDOWS\SYSTEM\DDHELP.EXE - can't figure out what DD HELP is.

    I see my FTP (though don't know why it's in the log, is this what loads every time I put on the computer?)

    Shockwave Flash object? And Quicktime installer? was on the last one, too. I had downloaded Quicktime but had taken the icon off the taskbar, startup menu.

    Housecall is something I downloaded and ran to scan yesterday, from a link given here. Do I need this, if I have AVG anti virus?

    If I can take anything out, so it won't show on another scan, I'm not sure I know how to do this.

    It's sort of like trying to read a foreign language, but once we know how, it's clear. It can't be any harder than figuring out how to put up webpages :)

    Okay, I know one thing that seems to be, trying to figure out how to set up cgi-perl scripts.

    But, that's another topic. I periodically try it and then give up.

    ~ Carrie
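
The two HijackThis logs posted in this thread (11/26/03 and 11/28/03) can be compared mechanically instead of by eye. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses a few lines excerpted from each log, lists the entries that appeared or disappeared between the scans, and picks out O16 entries whose download source is a bare IP address. The function names and the bare-IP check are assumptions made for illustration; a match only marks an entry to look up.

```python
import re
from urllib.parse import urlparse

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")  # "O4 - HKLM\..\Run: ..."
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_entries(log_text):
    """Return the set of (section_code, body) pairs in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line)  # header and "Running processes" lines do not match
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_scans(old_log, new_log):
    """Entries that appeared / disappeared between two scans of one machine."""
    old, new = parse_entries(old_log), parse_entries(new_log)
    return sorted(new - old), sorted(old - new)

def dpf_from_bare_ip(log_text):
    """O16 (downloaded ActiveX) bodies whose source host is a raw IPv4 address.
    Assumption of this example: such a source is worth looking up, nothing more."""
    hits = []
    for code, body in sorted(parse_entries(log_text)):
        url = body.rsplit(" - ", 1)[-1]
        if code == "O16" and IPV4_HOST.match(urlparse(url).hostname or ""):
            hits.append(body)
    return hits

# A few lines excerpted from the two logs posted in this thread.
SCAN_1126 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
"""
SCAN_1128 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: AIM (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bff3af7d050da5/housecall.antivirus.com/housecall/xscan53.cab
"""

if __name__ == "__main__":
    added, removed = diff_scans(SCAN_1126, SCAN_1128)
    for tag, rows in (("+", added), ("-", removed)):
        for code, body in rows:
            print(tag, code, body)
    print("bare-IP DPF:", dpf_from_bare_ip(SCAN_1128))
```

On these excerpts the new entries are the firewall's two autostart lines and the HouseCall control, both of which the poster describes installing between the scans.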
     

Short URL to this thread: https://techguy.org/182429