Crusty
Posted on Saturday, October 23, 2004 - 08:57 am:

I want to preface this by saying that as far as being computer literate, I'm not quite up to "Hooked On Phonics". My computer is infected with spyware. WildTangent Web Driver, to be specific. I can't get rid of it. I've got Norton Internet Security and AntiVirus installed, and I tried the free versions of Spybot and AdAware. I tried to remove the program using Add/Remove Programs in my Control Panel, and it won't go away. This board is loaded with people who have a lot of expertise in this area. Can someone tell me what to do, in simple baby steps, so I can regain control of my computer? I'm running Windows XP.
Fdl3
Posted on Saturday, October 23, 2004 - 09:24 am:

Your best bet may be to ride it out until AdAware and/or Spybot recognizes your strain of spyware. Spyware can be manually eradicated, but it involves registry edits, and that is way beyond the scope of "simple baby steps". If you insist on using Internet Explorer, at least install SP2. I would recommend an alternative to Internet Explorer. There are other very good, free web browsers available, like Opera (the one I use) or Firefox.
Phillyblast
Posted on Saturday, October 23, 2004 - 10:13 am:

Also try pressing the F8 key when you first boot up (start the computer), choose "Safe Mode" and run Spybot from there. The Web Tangent software can also be removed from the Control Panel in "Add/Remove Programs" and, if needed, delete the directory "C:\Windows\wt" afterwards.
Josh_
Posted on Saturday, October 23, 2004 - 10:24 am:

Well, it's a little advanced, but here you go: The reasons spyware (and viruses) are hard to remove is a) they hide, b) they run in memory and can't be removed until the running process is stopped.

Skills needed: screen shots (so you can email me or post here what you find), downloading files from the internet (HijackThis from majorgeeks), zip file extraction, and searching on Google for things you are suspicious of.

Download HijackThis. Extract the .exe in the .zip file to its own directory. Run HijackThis and make the window as large as possible (the middle button on the top right will maximize it). Hit Scan now. Do a screen shot of this and either post it here (if you know how to compress it down and convert to a jpg) or just email me. You may need to paste it in a WordPad file to email it.

Look at each line in HijackThis. Anything that doesn't include a known vendor (Symantec, Microsoft) can be considered suspicious. Search google.com for the name of the file (leave off the extension) and see what other people are writing about it. If you don't find anything, search for the file on your hard drive. Where is it? Look at the properties of the file, especially the version tab if it's a dll. See any names you recognize? If it's a .dll and the version info is blank, it's probably a bad guy.

Once you have a list of suspicious programs, launch Task Manager (right-click the tool bar at the bottom of the screen and hit Task Manager). Go to the Process tab and look for the same files that are in your suspicious list. When you find them, highlight and end the process. Then highlight these entries in HijackThis and select "fix" (also highlight anything from the first few lines you do not recognize that refers to websites you do not use as your home or search pages), then find the files on your local hard drive and delete. Reboot. Repeat. (Seriously, if you miss one you'll have to do this all again.)

I just did a presentation yesterday showing a client's high-priced computer consultants how to do this. It's not easy, but if you're careful it works great.
Josh_
Posted on Saturday, October 23, 2004 - 10:57 am:

Adding to what Phillyblast said, if you can't stop a process or delete a file, restart in safe mode and try again.
Tank_bueller
Posted on Saturday, October 23, 2004 - 09:33 pm:

I had WildTangent, but I think it was part of a gaming program that I downloaded, and it also had a purpose for running the program. I got rid of the program and the "wild thing" got unruly and out of control. I'm not sure it's considered a virus, but it is definitely a pain in the ..! when it gets bored. I have McAfee and SpySweeper on now and I still get glitches from time to time, but the security catches most of the problem children right away. tank
Firemanjim
Posted on Friday, October 29, 2004 - 02:47 am:

Josh, in simpler terms, what does "extract the .exe in the .zip file to its own directory" mean? I sorta understand what the rest means. I need to eradicate some files also. The Add/Remove doesn't work for them; it keeps giving me error messages about finding some file. And some just keep reinstalling themselves. I have Spybot and Norton, but stuff creeps in. I would really like someone to go over each file on my computer and tell me what it is/does.
Reepicheep
Posted on Friday, October 29, 2004 - 08:43 am:

I had to fight one of these infestations on a PC my kids were using. Several different pieces of spyware. I know... well... more than you can imagine about computers, and it took me probably 4 days and 4 hours of work to finally kill all those SOBs and clean up the infection. Ultimately, it was a waste of my time. Try the simple stuff first (boot to safe mode, run AdAware and Spybot Search and Destroy, uninstall everything you don't recognize), but if that fails to clean it up after an hour or so of work, strongly consider backing up all your data and reinstalling from scratch. It is a big job and a PITA, but like cleaning out the garage, it has many side benefits and is ultimately in your best interest.

The story ends well though. I hit the spyware company back more effectively than I thought possible. After some *serious* digging to find out who they were, and finding out their revenue stream, I was able to track down the web site where they were advertising their "services". They had a list of people they claimed use them, including many big Fortune 500 companies. I knew better, and also noted that the pages showing these "referrals" were all created in such a way that they would be difficult to spot by companies looking for people misusing their trademarks. So I spent another hour carefully crafting some letters to the legal departments of the most litigiously aggressive of the companies advertised, asking them if they were aware of the misuse of their logos. I spent 4 hours cleaning up this crap, but the spyware company now has to deal with the legal departments of Dell, IBM, Motorola, GE, Pepsi, and about a half dozen other Fortune 500 companies. It was a good day.

I prefer ThinkPads for my laptops, but Dells are a close second, and I have to give them credit: based on the correspondence I got back from them, they were the ones that were going to REALLY go gunning for these bozos.
Hootowl
Posted on Friday, October 29, 2004 - 09:45 am:

I like the IBM laptops too, but their hard drives suck. Very high failure rates.
Josh_
Posted on Friday, October 29, 2004 - 10:31 am:

A .zip file is a "package" of several files squeezed together. Prior to Windows XP, you needed a separate package to use/open zip files (PKZIP/WinZip). With Windows XP, if you double-click on a .zip file it will open it in a Windows Explorer window just like a directory. But to properly use the files you need to pull them out of the .zip archive and put them on your PC. When you are in XP you can either double-click the .zip file and then look for "Extract files", which will be an option on the left side of the window, or you can right-click on the .zip file and choose "Extract All" from the pop-up menu. From the "extract" window you can simply choose all the defaults to create a directory named the same as the .zip file in the same location as the zip file. I.e., if the file "hijackthis.zip" is on the desktop, it will create a directory named "hijackthis" on the desktop.
Signguyxb12
Posted on Friday, October 29, 2004 - 12:31 pm:

crusty.. i got some time..if you need i can come over and hook it up for ya
M2me
Posted on Friday, October 29, 2004 - 05:44 pm:

Yep, HijackThis is the way to go. I have found that it gets the job done where other tools have failed. It's pretty powerful so you do have to be careful while using it.
M2me
Posted on Friday, October 29, 2004 - 05:51 pm:

Have you looked at this page? It describes uninstalling the WildTangent Web Driver. http://support.wildgames.com/uninstall.html
Signguyxb12
Posted on Friday, October 29, 2004 - 05:56 pm:

> never trust your enemy to watch your house
Raraf
Posted on Friday, October 29, 2004 - 06:37 pm:

WildTangent usually installs from the AOL online game stuff.
Firemanjim
Posted on Tuesday, November 02, 2004 - 12:27 am:

Josh, a couple of questions: what is a dll file? How do I do a screen shot? I show more processes in Task Manager than I do in HijackThis? Here is a copy of the HijackThis screen log.

Logfile of HijackThis v1.98.2
Scan saved at 9:05:37 PM, on 11/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Jim\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
Josh_
Posted on Tuesday, November 02, 2004 - 02:01 am:

> what is a dll file?

Dynamic linked library. Basically a collection of different pieces of code. If you want to pop up a message box in a program you don't write the whole thing from scratch, you just call a procedure in an existing .dll.

> How do I do a screen shot?

Hit the Print Screen key on the keyboard (you may need to hold print at the same time), then open either a graphics program (irfanview.com, Photoshop) and hit paste, then save the file. Or open WordPad or Word and "paste" in there.

> I show more processes in task manager than I do in hijack this?

I don't know. Maybe HijackThis only shows one instance of any given process where Task Manager will show each instance.

Bad things off the top of my head:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

Maybe:

C:\WINDOWS\System32\GEARSEC.EXE

WildTangent has been popping up quite a lot recently. See if WildTangent is listed in your Add/Remove Programs in Control Panel; if so, remove it there, then rescan.

If it's not gone, check off the boxes listed above and hit "fix". Rescan. If the entries reappear, use Task Manager to stop "p2p networking", check off the boxes listed above and hit "fix". Rescan. If the entries reappear, use Task Manager to stop "gearsec", check off the boxes listed above and hit "fix". If the entries don't reappear after one or both of the last two steps, make sure you use: Add/Remove Programs if they are listed in there, or Windows Explorer (or My Computer) to delete the file ("p2p networking.exe" or "Gearsec.exe") in the directory listed.

Re: P2P Networking. If you want to download "free" music you will need to learn to live with spam/viruses/trojans/malware. I suggest an older slower machine that runs just that. Use a USB key or CD burner to move the music to the main machine. Always use an anti-virus program on both.
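Josh's triage rules from earlier in the thread (anything not from a known vendor is suspect, a browser proxy pointing at the local machine, "(file missing)" leftovers, ActiveX download entries with no source URL), applied to a constructed log in the same "<kind> - <body>" layout as Firemanjim's. This is an added example, not the thread's or HijackThis's own code; the vendor list and the sample lines are assumptions.

```python
import re

# Constructed sample in HijackThis v1.98 log format, modelled on the entries
# quoted in this thread (assumed layout: "<kind> - <body>" per line).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# Vendors the thread treats as trusted (assumed list); everything else is "look it up first".
KNOWN_VENDORS = ("microsoft", "symantec", "norton")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll)', re.IGNORECASE)

def vendor_known(text):
    return any(v in text.lower() for v in KNOWN_VENDORS)

def target_path(body):
    """First .exe/.dll path in the entry: the file to end in Task Manager, then delete."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None

def review_line(line):
    """Return a reason if the entry deserves a second look, else None."""
    kind, _, body = line.strip().partition(" - ")
    if kind.startswith("R") and "ProxyServer" in body and "127.0.0.1" in body:
        return "browser traffic routed through a local proxy port"
    if "(file missing)" in body:
        return "autostart points at a file that no longer exists"
    if kind == "O16" and body.rstrip().endswith("-"):
        return "ActiveX download entry with no source URL"
    if kind == "O4" and not vendor_known(body):
        if "rundll32" in body.lower():
            return "rundll32 loading a DLL from a non-vendor path"
        return "autostart from an unrecognised vendor path"
    return None

def review_log(log):
    """List of (line, reason, path) for every flagged entry, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        reason = review_line(line) if line else None
        if reason:
            findings.append((line, reason, target_path(line)))
    return findings
```

Each flagged entry comes back with the file path that Josh's procedure says to stop in Task Manager and then delete; the Symantec and Norton lines pass the vendor check and are not reported.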