Need Rescuing from Super-Spider

Discussion in 'Computer Science & Culture' started by 1119, Aug 14, 2004.

Thread Status:
Not open for further replies.
  1. 1119 Registered Senior Member

    Messages:
    243
    I'm not sure if this subject has already been discussed. If it has, I'd appreciate it if someone can direct me to the thread.

    My browser keeps getting hijacked by this super-spider or something that keeps redirecting me to the CoolWebserver homepage every time I try opening up Yahoo!Mail.

    I've tried spyware removal tools like HijackThis and CWShredder but to no avail. They keep coming back the next time I go on-line. I've even tried using regedit to remove the damn things from the registry but they still come back.

    I'm desperate. Can anyone help?
     
  3. spuriousmonkey Banned Banned

    Messages:
    24,066
    Are you using IE?

    Have you tried Ad-Aware?
     
  5. 1119 Registered Senior Member

    Messages:
    243
    Yes, I've tried Ad-Aware 6.0. It came back the next couple of times I logged on. I think whoever came up with this super-spider has already found a way to disarm these anti-spyware tools. I tried the preventive measures recommended by CWShredder and I got hijacked while trying to download those measures.

    If only I could delete them permanently from my registry....
     
  7. Gifted World Wanderer Registered Senior Member

    Messages:
    2,113
    Find a different computer, download them there, and then copy them onto your computer?
     
  8. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    If you were to output a log from HijackThis it would aid in identifying where you have gone wrong.

    Also make sure that the hijack is not running a program in the background that will reinsert the registry keys if they are removed.
     
  9. 1119 Registered Senior Member

    Messages:
    243
    Stryder, how can I make sure the hijacker is not running a program in the background?
     
  10. 1119 Registered Senior Member

    Messages:
    243
    I've just tried a combination of CWShredder, Ad-Aware 6.0 and HijackThis. It's my second attempt. Following is the log after scanning and fixing. Hopefully someone can tell me what I've missed:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:22:52 AM, on 8/15/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\SthVCD\Vcdmotor.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\cpptt8c01ubsh.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: VCD AudoPlay Monitor.lnk = C:\SthVCD\VCDMOTOR.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
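    As an added example (not code from this thread or from any of the tools named in it), the script below does two things a reader triaging the log above would want: it flags the entries that look like hijacker persistence rather than vendor software, and it compares a "right after fixing" scan with a "next boot" scan so that anything a background loader has put back stands out, which is the check Stryder asked for in post 8. The log lines are copied from the post above; the "after fix" scan is constructed by dropping the entry the poster would have fixed. The KNOWN_GOOD set and the file-name heuristics are assumptions made for illustration, not a published signature list.

```python
"""Triage a HijackThis log and diff two scans to see what came back.

Added example for the thread above. Sample lines are copied from the posted
HijackThis v1.97.7 log; AFTER_FIX_SCAN is constructed, not a real second scan.
"""
import re

# Entries copied from the posted log (only the R*/O* lines matter for triage).
LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\cpptt8c01ubsh.dll",
    r"O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [CountrySelection] pctptt.exe",
    r"O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe",
]
NEXT_BOOT_SCAN = "\n".join(LOG_LINES)
# Constructed: the same machine right after HijackThis was told to fix the unknown BHO.
AFTER_FIX_SCAN = "\n".join(l for l in LOG_LINES if "cpptt8c01ubsh" not in l)

# Assumption for this example: components the owner has verified out of band.
KNOWN_GOOD = {"googletoolbar1.dll", "navshext.dll", "msdxm.ocx"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|ocx))", re.IGNORECASE)
# Letters, then digits, then letters again inside one name (e.g. cpptt8c01ubsh):
# a rough heuristic for machine-generated file names, not proof of anything.
RANDOM_NAME_RE = re.compile(r"[a-z]\d+[a-z]", re.IGNORECASE)


def parse_hjt(text):
    """Return (kind, body) tuples for every R*/O* entry in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def filename_of(body):
    """Lower-cased file name of the first full path in an entry, or None if the
    entry only names a bare executable (as the two HKLM Run entries do)."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return m.group(1).rsplit("\\", 1)[-1].lower()


def suspicious(kind, body):
    """Reasons an entry deserves a closer look; an empty list means no finding."""
    reasons = []
    fname = filename_of(body)
    if kind == "O2" and "(no name)" in body:
        # Weak on its own: the Google toolbar BHO also shows up nameless in this log.
        reasons.append("BHO registered without a name")
    if fname and fname not in KNOWN_GOOD and RANDOM_NAME_RE.search(fname.rsplit(".", 1)[0]):
        reasons.append("file name looks machine-generated")
    if kind == "O4" and fname is None:
        reasons.append("Run entry gives a bare file name; locate it on disk before trusting it")
    return reasons


def triage(text):
    """Map each flagged entry body to its reasons; clean entries are omitted."""
    return {body: r for kind, body in parse_hjt(text) if (r := suspicious(kind, body))}


def reinserted(fixed_scan, later_scan):
    """Entries present in a later scan but absent right after fixing.
    Anything listed here is being put back by something still running."""
    before = set(parse_hjt(fixed_scan))
    return [body for kind, body in parse_hjt(later_scan) if (kind, body) not in before]


if __name__ == "__main__":
    for body, reasons in triage(NEXT_BOOT_SCAN).items():
        print(body, "->", "; ".join(reasons))
    print("Came back after the fix:", reinserted(AFTER_FIX_SCAN, NEXT_BOOT_SCAN))
```

    The BHO in system32 is the only entry that collects two findings; the Google BHO is flagged only because it is nameless, which shows why a single heuristic is not enough to justify deleting a component. When `reinserted` returns that same BHO after a reboot, the fix was undone by a process that is still running, and the next step is the running-processes list at the top of the log, not another pass with the same removal tool.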
     
  11. Stryder Keeper of "good" ideas. Valued Senior Member

    Messages:
    13,105
    It seems your problem is backWeb-7288971.exe

    It seems that backWeb is a program that has been generated to autoupdate software, however it seems it's exploitable. So I would suggest removing all the Kodak entries.

    If you have Kodak software, you can always reinstall it, but make sure you remove backWeb.

    http://www.liutilities.com/products/wintaskspro/processlibrary/backweb-8876480/
    Although it says it's "safe" check the little grey process box for "backWeb"
     
  12. dmcm01 Guest

    I find the Google toolbar holds its own security weaknesses. You're better off switching to Firefox; it's far better and nearly identical. I did and I haven't had any issues since!
    (don't be so non-micro$oftaphonic)
     
  13. Naomi [oxiglycodextrosium] Registered Senior Member

    Messages:
    186
    Buy a new computer. Problem solved.


     
  14. 1119 Registered Senior Member

    Messages:
    243
    Thanks for the analysis, Stryder.

    dmcm01, I've just installed Firefox and you're right. These guys take security much more seriously. I'm dumping IE.

    Naomi, how old are you?
     
  15. rGEMINI Fallen Entity Registered Senior Member

    Messages:
    339
    If the problem continues, because you still have the crap on your comp, you can re-initialize (not sure of the spelling, sorry). And also, if you work with or go to porn, try to stick to a Linux and Mozilla computer so you don't have these problems. ^^ For your first Linux I suggest Fedora 2; it's the closest to the other types of OS (Mac and PC) that I have found. Also, in case you don't know, Linux is free, wOOt =P www.redhat.com is the site.
     
  16. dmcm01 Guest

    Good, I've never had a problem with it, ever.
    1119, congrats, you're the first person I've ever managed to convert!!
    I'm guessing she's 6 years old and doesn't understand the value of money?
    I use Firefox on a Fedora Core 1 distro, even fewer problems then! With Linux you can also save in .doc format and transfer it across to your Windows partition if you really, really must use Windows!
     
  17. rGEMINI Fallen Entity Registered Senior Member

    Messages:
    339
    dmcm01, you know there is Fedora 2, right???
     
  18. dmcm01 Guest

    Yes, I do, and Fedora 3 test 1. But it's a case of updating with a 56k modem.

     
  19. rGEMINI Fallen Entity Registered Senior Member

    Messages:
    339
    Oh LOL that sux, but hey, at least you have Fedora 1. You might leave it going over a few days. =_ ^^
     
  20. Aborted_Fetus Bored Registered Senior Member

    Messages:
    277
    CWS is impossible to cure as of now....you must reformat to get rid of it. Period.
     