Spyware Problem I Suspect

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by toaster, Sep 28, 2004.

  1. toaster

    toaster Private E-2

    I read the FAQ on Spyware Removal-did the recommended procedures.

    Symptom: Cannot access most websites. Only site I can access is a secure site for work (https://). I can dial in w/ my provider (earthlink.net) and can get email via msoutlook. Have WindowsXP with 4 accounts set up for other family members.

    Prior to reading this site I had run Spy-bot and Ad-aware.

    Did all that recommended (in Spyware, Trojan and Virus Removal Tutorial) with following exceptions:
    -----------------------
    Spyware Blaster - couldn't connect to the "update server" (can't access anything on the web); did enable everything but w/out latest update

When started in Safe mode the Earthlink Dialer Dialogue Box didn't have the access number in normal place; I opted to enter it manually; when I did so I received the message - "Unable to create a connectoid. To try to solve this, uninstall and reinstall your modem using the Windows Control Panel". I did not uninstall/reinstall modem.

So, while in Safe mode (and true also in regular mode) I couldn't access the recommended online scans.

    AD-AWARE scan - no problems found; however, there are 121 objects quarantined from when I ran this previously (9/15)

    Spy-Bot - found 5 items under "DSO Exploit" heading. I had them fixed.

    I then rebooted in Normal mode.
    I couldn't do the online scans but I do have Norton AV software. I did a live update and scanned my hard disk. No viruses found.

    I ran HIjackthis just to have the file.

    Still cannot access any websites. Thoughts on what to do next.

    Thanks,
    Tony
     
  2. 44039

    44039 Private First Class

  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Please attach your log file and I will actually help ;)
     
  4. toaster

    toaster Private E-2

I took it to heart when I read to upload hijack files "only" when asked. Attached is the file I created yesterday. There was one other response to my post which suggested I try the Firefox browser. I did and can indeed access the internet with that browser. Know nothing about this browser as far as long term solution. Regardless, I'd like to figure out what's going on with my computer. Insight appreciated in advance.

    Tony
     

  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Please get the latest Hijack This from us next time :) Not sure where everyone is downloading 197.7 but it is very old.

If this isn't your home page remove it:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.usaa.net

I'm guessing this killed your net connection:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
     
  6. toaster

    toaster Private E-2

    So for those items you suspect am I to have Hijackthis fix/remove them? Since new to all this I don't want to assume anything. Thanks.
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You are correct, I should have been clear on that, sorry.
     
  8. toaster

    toaster Private E-2

I removed (had HJT fix) the files as suggested. In the meantime I also installed Firefox and it seems to work for all the websites tested thus far. After doing the "fix" I restarted the computer and still could not access any web sites via MSIE. I then re-ran HJT moments ago and the file is attached. I do see that the "R1 ... localhost:8080" line is present again, though I did fix it previously.

    Any other thoughts on the attached file?

    Thanks in advance.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using this SurfMonkey stuff? Perhaps the proxy is for it?

    And read this:
    About Surfmonkey

Surfmonkey is adware that claims to make the browser "for kids only". It will remind you to subscribe to their service every now and then, and displays a bunch of sponsors' logos in a sidebar.


    It is also likely to slow performance of Internet Explorer. Maybe it is even your problem for IE not working. If you don't need it, use Add/Remove programs to uninstall it.
     
  10. toaster

    toaster Private E-2

    I had Hijackthis fix the surfmonkey. Couldn't find it to add/remove via control panel. Do recall having it (offered as part of earthlink I seem to recall) at one time. It's now gone when I run Hijackthis. The localhost 8080 line is still present.

    Any additional thoughts on how to proceed?

    Thanks.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay use HJT to fix the below line:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    Do a new scan with HJT and see if it is actually gone.

    Post a new HJT log when you come back.

Now click Start, Run, and enter the below in the box and click OK:
    notepad c:\windows\system32\drivers\etc\hosts

If it has anything different from below, paste it back here (unless there are lots of lines. If there are a lot of lines, save it to a new file called c:\hostlog.txt and then upload it here.)

    Here is a Windows default hosts file:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost
     
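A small defender-side check, added here as an example and not something posted in the thread: it parses HijackThis-style R1/O2/O3 lines and a hosts file (both constructed samples modelled on the lines quoted above) and flags a proxy pointed at the local machine, toolbar or BHO entries with no file behind them, and hosts mappings beyond the Windows default. Function and sample names are my own.

```python
import re

# Constructed sample of HijackThis-style lines, modelled on those quoted in this thread.
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\\Program Files\\EarthLink TotalAccess\\PnEL.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
"""

# Constructed hosts file: the Windows default mapping plus one extra entry added for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.example-av-vendor.test   # constructed entry, not from the thread
"""

PROXY_RE = re.compile(r"^R1 - HKCU\\.*Internet Settings,ProxyServer = (?P<value>.+)$")
DEFAULT_HOSTS_MAPPINGS = {("127.0.0.1", "localhost")}


def proxy_entries(log_text):
    """Return (scheme, host:port) pairs from HKCU ProxyServer R1 lines."""
    # WinINet accepts 'host:port' (all schemes) or 'http=host:port;https=...' (per scheme).
    # A value naming only http= leaves https:// sites unproxied, which matches the
    # thread's symptom of one secure site still loading while plain-HTTP sites fail.
    found = []
    for m in filter(None, (PROXY_RE.match(l.strip()) for l in log_text.splitlines())):
        for part in m.group("value").split(";"):
            scheme, _, hostport = part.partition("=")
            if not hostport:
                scheme, hostport = "*", scheme
            found.append((scheme.strip(), hostport.strip()))
    return found


def is_loopback_proxy(hostport):
    """True when the proxy is the local machine; with nothing listening there IE fails every request."""
    host = hostport.rsplit(":", 1)[0].lower()
    return host in ("localhost", "127.0.0.1")


def orphaned_entries(log_text):
    """Return O2/O3 lines whose target is '(no file)': leftover registrations worth fixing."""
    return [l for l in log_text.splitlines() if l.startswith(("O2", "O3")) and l.rstrip().endswith("(no file)")]


def nondefault_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs in a hosts file that are not part of the Windows default."""
    extra = []
    for raw in hosts_text.splitlines():
        ip, *names = raw.split("#", 1)[0].split() or [None]  # drop comments and blank lines
        extra += [(ip, n) for n in names if (ip, n.lower()) not in DEFAULT_HOSTS_MAPPINGS]
    return extra
```

Run the functions over a real HijackThis log and a copy of c:\windows\system32\drivers\etc\hosts to get the same three findings the thread works through by hand.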
  12. toaster

    toaster Private E-2

    1) I ran HJT and noticed the "localhost:8080" still there so fixed it.

2) Ran HJT a second time and "localhost:8080" gone. (attached file hijackthis12Oct2004A.txt is this second run of HJT.)

    3) I then shut down my computer and restarted. Ran HJT and "localhost:8080" NOT present.

    4) I then started MSIE to try to access the web. Could not access any of the few random sites I tried. I then ran HJT a fourth time and see that "localhost:8080" is indeed present again (attached file hijackthis12Oct2004B.txt is this fourth run of HJT).

I also looked at the hosts file as suggested and found it to contain the very same text posted in the previous message ... "127.0.0.1 localhost" the only line outside the comments.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Perhaps that localhost:8080 line is required by your ISP (Earthlink). You should check your documentation or call them.

Also, they have a lot of stuff that attaches to your browser:
    C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink TotalAccess\Accelerator\PropelAC.exe"
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html

    I wonder why you need all this and could there be a problem with any of these items. Again you may need to check with Earthlink.

Do you get any error messages or possibly a red minus sign icon at the bottom of your IE window? This is a privacy report. You can double click on it to get more info. Maybe you have something restricting sites. You could try going to IE, Tools, Internet Options, Advanced tab and select restore defaults (you may want to note what is selected first so you can see if anything changes).
     