Can anyone suggest anything?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Athran8, May 24, 2005.

  1. Athran8

    Athran8 Guest

    Hello,

    My mother is having problems with her computer and I am trying to fix it. I believe it is malware/spyware related.

She has a dial up connection. Every time we dial up not only does the Covad home page pop-up, which is normal, but two other windows pop-up as well. One is from buydomains.com (or net) and the other varies from seeq.com to fastclick.com to some variation of fastclick.com (I think).

Also, upon terminating my connection with the internet a message comes up that asks if we would like to change our home page to such and such home page. Also a new Windows Explorer window pops up. If you click out of the message an error message pops up, which must be clicked out of, as well as the aforementioned window.

    I did all of the steps in the "Read Me First Asking For Support..." link. I've used Ad-Aware SE, CCleaner, Spybot, SpywareBlaster, Avert Stinger, CWShredder, Kill2me, about:Buster, ASquared, and AntiVir Personal Edition. I also ran Trend Micro and Symantec Security Check. All those listed in the steps I did as specified. Nothing has worked.

    I did this all about a week ago.

    I am perplexed.

    Any suggestions would be appreciated.

    The computer is running Windows 98se with all updates, the most current Windows explorer, and DirectX 9.0c

    thanks
     
  2. Athran8

    Athran8 Guest

    Ok, some more info:

    Some of the pages that pop up at the time a connection is made are: media50.fastclick.net, seeq.com, and buydomains.com.

    When I disconnect the message asks if I would like to make my homepage "www.business1.com/home" - I think I copied it correctly.

    Well, once again, any help would be appreciated.

    Should I run hijackthis or the one that searches the ADS? and post logs from those?

    thanks
    mike
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please provide exactly what you expect your home page to be and then run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. Athran8

    Athran8 Guest

Ok, here's my HijackThis log file

    Hello,

Ok, I updated all of my programs and ran them one more time before running HijackThis. When I disconnected from the internet, the one window did not pop up, but I still got the message asking to change my home page. While connecting to the internet one of the windows failed to pop up while the other, from Buy Domains.com popped up again.

    Here's my log file.

    Any suggestions from this would be appreciated.

    One thing I noticed on the log file are programs that I thought I got rid of. For example, mcafee and AVG virus scanner. I currently use only the programs that are listed in my first forum message.

    thanks
    mike
     


  5. Athran8

    Athran8 Guest

    I forgot,

    The home page was set to google.com, but, upon connection it always goes to the Covad manager page first. If I hit the home button on internet explorer it does go to google however.

    thanks,
    mike
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    or the below process(es) and if found, End them:


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [cgdedl] C:\WINDOWS\vcdmf.exe
    O16 - DPF: {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - http://404.x-share.com/vvv/Pribi.exe
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\vcdmf.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
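The three log lines chaslang picked out above are an O4 entry (a registry Run key that starts a program at logon) and two O16 entries (ActiveX controls that Internet Explorer downloaded and registered). Below is an added example, not from this thread or from HijackThis itself, of how a helper might parse such lines and flag the ones that deserve a look before anything is fixed: an autostart that launches a random-looking executable sitting directly in the Windows folder, and a "Downloaded Program File" that is a bare .exe rather than a .cab/.ocx/.dll. The sample input copies the three lines from the post and adds one constructed benign AVG entry for contrast; the vowel-ratio check and the Windows-folder rule are assumptions of this example, not rules HijackThis applies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three log lines chaslang singled out in the
# post above, plus one benign O4 entry made up for contrast (a typical AVG
# path, not copied from the poster's attachment).
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [cgdedl] C:\WINDOWS\vcdmf.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    "O16 - DPF: {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - http://404.x-share.com/vvv/Pribi.exe",
    "O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - "
    "http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab",
]

# O4 = autostart entry under a registry Run key; O16 = Downloaded Program File
# (an ActiveX control IE fetched from the listed URL). Both regexes assume the
# HijackThis 1.99 line layout shown in the post.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<label>[^)]*)\))? - (?P<url>\S+)$")
# A file sitting directly in C:\WINDOWS (not in a subfolder) is unusual for
# legitimate software and is exactly where vcdmf.exe lived.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WIN(?:DOWS|NT)\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted, or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Crude generated-name heuristic (assumption): four or more letters, very few vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.25


def triage_o4(m: re.Match, line: str) -> Optional[Finding]:
    exe = executable_of(m["cmd"])
    stem = re.sub(r"\.[^.]+$", "", exe.rsplit("\\", 1)[-1])
    if WINDIR_ROOT_RE.match(exe) and (looks_random(stem) or looks_random(m["name"])):
        return Finding(line, f"autostart '{m['name']}' runs {exe}: "
                             "random-looking name directly in the Windows folder")
    return None


def triage_o16(m: re.Match, line: str) -> Optional[Finding]:
    url = m["url"]
    host = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0]
    path = url.split("?", 1)[0]
    if path.lower().endswith(".exe"):
        return Finding(line, f"ActiveX control {m['clsid']} was fetched as a bare .exe from {host} "
                             "(legitimate controls ship as .cab/.ocx/.dll)")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return Finding(line, f"ActiveX control {m['clsid']} was fetched from a raw IP address {host}")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Flag O4/O16 log lines worth a closer look; all other lines are left alone."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            f = triage_o4(m, line)
        else:
            m = O16_RE.match(line)
            f = triage_o16(m, line) if m else None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"FLAG {f.reason}\n     {f.line}")
```

Run against the sample, the helper flags the cgdedl/vcdmf.exe autostart and the Pribi.exe download and leaves the AVG autostart and the coupons.com .cab alone. The point of flagging rather than fixing is the one chaslang makes in the post: the log line only tells you that something is registered, so the file itself still has to be removed in safe mode and the browser settings reset afterwards.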
     
  7. Athran8

    Athran8 Guest

    Ok,

    Did what you prescribed and still had the windows pop up upon connection. Here's the new log file, pre internet connection.

I downloaded a couple more anti-spyware programs that I'm going to try and a fire wall. I'm also going to upgrade my mom's e-mail program, Outlook Express. Not sure if this will change anything. I'm also going to try uninstalling my mother's dial up program from Covad. I downloaded their latest dialer. I noticed that when I searched my computer for some of the web pages I listed a few weeks earlier, some of the files I was directed to were in the Covad file on my computer. I was afraid to delete anything because I did not know what it would do. Finally, I e-mailed Covad to see if they have any advice or are anyway connected with the websites in question.

    If any of this sounds good or bad let me know. I'll let you know if it changes anything.

    Here's my log file and thanks for the help thus far.

    mike
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

It does not look like you did the Reset of Web Settings as requested because I did not see Majorgeeks show up as your home page. Are you sure you did the reset?

    Also do the following:

    Now please download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.
    Now tell me how things are working.


Do not download spyware tools unless you get them from MG's. There are loads of bad ones out there. Try SpySweeper. Also see this thread (which has a link to SpySweeper):

    How to Protect yourself from malware!
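Hoster's "Restore Original Hosts" step exists because a hijacker can edit the HOSTS file to pin a site name to an address of its choosing (so a typed address lands on a different server) or to point security and help sites at 127.0.0.1 (so they never load). The following is an added example, not part of this thread or of Hoster, of auditing a HOSTS file for both patterns and of the minimal content a restore writes back. The sample file is constructed; its non-loopback addresses are RFC 5737 documentation ranges, and the file locations in HOSTS_PATHS are the assumed default install paths for the two Windows families.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed default locations: Win9x/Me keep HOSTS in the Windows folder itself,
# the NT family under System32. Hoster overwrites this file with the default.
HOSTS_PATHS = {
    "win9x": r"C:\WINDOWS\HOSTS",
    "nt": r"C:\WINDOWS\system32\drivers\etc\hosts",
}

# The only mappings a clean file needs (the IPv6 line is a modern addition).
DEFAULT_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
# Names that legitimately resolve to the local machine; any other name mapped
# to a loopback/unspecified address is a block.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the stock loopback lines plus three hijack-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com        # constructed: search site redirected
127.0.0.1       www.majorgeeks.com    # constructed: help site blackholed
198.51.100.7    www.business1.com     # constructed
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, hostname) for every mapping, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:          # one address may carry several names
            entries.append((lineno, parts[0], name.lower()))
    return entries


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag every mapping that is not a loopback name pointing at the local machine."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "name": name, "ip": addr,
                             "reason": "malformed address"})
            continue
        local = ip.is_loopback or ip.is_unspecified
        if local and name not in LOOPBACK_NAMES:
            reason = "blackholed: name resolves to this machine, so the site never loads"
        elif not local:
            reason = "redirected: name pinned to a remote address, DNS is bypassed"
        else:
            continue
        findings.append({"line": lineno, "name": name, "ip": str(ip), "reason": reason})
    return findings


def restore_default() -> str:
    """Content a 'Restore Original Hosts' step writes over the live file."""
    return DEFAULT_HOSTS


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}  [{f['reason']}]")
```

On the sample this reports one redirected site and one blackholed site plus the business1.com pin; on the default file it reports nothing. A deliberately installed ad-blocking HOSTS list shows up as a long run of "blackholed" entries, so the audit is a starting point for a human decision, not an automatic clean. When writing the default back, the same read-only attribute that chaslang mentions for vcdmf.exe can also be set on HOSTS and has to be cleared first.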
     
  9. Athran8

    Athran8 Guest

    Thanks for your help thus far Chaslang

    This is what I've done.
Uninstalled the old dialer (v 2.2).
    Manually went in and deleted the old Covad folder to get rid of anything else.
    Downloaded and installed latest dialer (v 3.0)
    Upgraded Outlook Express.
    Ran good.
    Ran CCleaner in safe mode and "fixed" almost all things in the "issues" tab.
    Downloaded following programs from MajorGeeks:
    Disspy Lite
    Zone Labs Firewall
Nail...Remover Beta (can't remember full name)
    Ran and updated Disspy Lite. Deleted some things.
Ran Nail...Remover Beta and it did something scary and I won't run it again.
    Downloaded Zone Labs Firewall.
    Works great on the internet.
    For some reason, whether the fire wall or everything else I've done, the pop-ups have stopped. This is great and is ultimately what I wanted.
Unfortunately, outlook express is not working right now. Every time I try to use it, a message pops up saying I am currently off-line and asks if I would like to connect. Odd thing is, I'm already connected. If I hit yes, to connect, it disconnects. I believe that this is due to the firewall because it worked before I installed the firewall, but after I did all the other stuff. Not sure what to do. Any suggestions from anyone would be great.

    Again, thanks for everything you have done thus far.

    later,
    mike
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The nail removal tool should do something that looks scary. It unloads explorer (which can cause your Desktop to blank out). It needs to do this to fix some of the problems.

Problems with Outlook Express should be discussed in the Software Forum. But note you must allow programs to work through the firewall. That is programs that you want and need to have access to the internet.
     
