PPRuNe Forums

Thread URL: https://www.pprune.org/computer-internet-issues-troubleshooting/400621-have-i-got-spyware-problem.html

topdog1 2nd Jan 2010 09:06

Have I got a spyware problem
 
Hi All

I think we managed to download a virus/spyware or something. We ended up with PC Live Guard, which disabled my Antivir; I managed to get it back up and running.
When I run a scan on Ad-Aware I keep getting 12 entries referring to hijacking, redirect/../le entry. Every time I try to get rid of it on Ad-Aware it tells me to reboot, but after rebooting and running another scan it's still there and can't be removed.

Does anyone have any idea what it could be or how I can get rid of it? I am worried that my computer is not safe to use.

Logfile created: 30/12/2009 18:05:04
Lavasoft Ad-Aware version: 8.1.3
Extended engine: 49820800
Extended engine version:
User performing scan: Administrator

*********************** Definitions database information ***********************
Lavasoft definition file: 149.124
Genotype definition file version: 2009/12/28 15:05:15

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 186866
Objects detected: 12


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 12
Files...........: 0
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0


Thanks in advance.
topdog1

green granite 2nd Jan 2010 09:44

Try downloading the free version of superantispyware and see what that tells you:

SUPERAntiSpyware.com - Downloads

Saab Dastard 2nd Jan 2010 09:50

The "type detected" is 12 Hostfile entries.

That is 12 static IP-address-to-domain-name mappings in your hosts file.

It's a simple text file in Windows\system32\drivers\etc.

You can open it with notepad - just be aware that it has no file extension, and should be Read-only, so you will need to change the properties if you want to edit it.

Why not copy the contents and paste them in here so we can see what the entries are, and if they are something to be concerned about.

It might be worth doing a full search of your system to see if there are any other copies of the file tucked away somewhere that are being copied back at startup.

SD

call100 2nd Jan 2010 09:55

Run Malwarebytes.....Malwarebytes.org
and install...Spyware Terminator. Free spyware removal and spyware protection - Spyware Terminator
This has kept me totally free from any adware etc. for a long time now...Can't recommend it enough....It acts like an antivirus programme and runs in the background to protect you.

topdog1 2nd Jan 2010 10:04

Hi saab and everyone

Thanks for the info. Sorry, I am a novice when it comes to computers.

When you say for me to copy the contents and paste them in here, do you mean from the Ad-Aware scan?

Step by step instructions would be most helpful.

Thank you.

Tarq57 2nd Jan 2010 10:06

Courtesy "my bleeping computer", here is a removal guide for this pest.

Must say I'm not a huge fan of SpywareTerminator. If you do elect to install it, I'd suggest opting out of the "WSG" (web security guard, which installs the Crawler toolbar) and also the Clam AV. Think twice before activating the HIPS, also, it can produce popups that the average user may not know how to correctly deal with.

MBAM and SAS are the current "rock stars" of the antispyware world. AdAware (BTW, your defs are pretty old) is, in my opinion, not worth the disk space nor resources it uses.

Checkboard 2nd Jan 2010 10:13

Junk your pc and buy an apple. ;)

Tarq57 2nd Jan 2010 10:14


Originally Posted by topdog1
Hi saab and everyone

Thanks for the info. Sorry, I am a novice when it comes to computers.

When you say for me to copy the contents and paste them in here, do you mean from the Ad-Aware scan?

Step by step instructions would be most helpful.

Thank you.

Go to Folder Options in the Control Panel and enable the viewing of hidden and system files.
Navigate to the folder Windows\system32\drivers\etc and double-click the file simply named "hosts". Use Notepad if it doesn't automatically open. Copy and paste the entire text within (use "Select All", then the "Ctrl" and "C" keys together; then, when pasting it here, select the posting area and press "Ctrl" and "V" to paste it). You'll end up with something that looks a bit like this (only part of the hosts file is posted) but different, as mine is a custom hosts file:

127.0.0.1 localhost
# This MVPS HOSTS file is a free download from: #
# A Troubleshooting Guide to Windows XP #
#
# Notes: the browser does not read this "#" symbol #
# You can create your own notes, after the # symbol #
# This *must* be the first line: 127.0.0.1 localhost #
# *********************************************************#
# ---------------- Updated: Dec-22-2009 -------------------#
# *********************************************************#
#
# Entries with comments are all searchable via Google. #
#
# Disclaimer: this file is free to use for personal use #
# only. Furthermore it is NOT permitted to copy any of the #
# contents or host on any other site without permission or #
# meeting the full criteria of the below license terms. #
#
# This work is licensed under the Creative Commons #
# Attribution-NonCommercial-ShareAlike License. #
# Creative Commons — Attribution-Noncommercial-Share Alike 3.0 Unported #
#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 [url=http://www.accuserveadsystem.com]Accuserve Online Ad Delivery Systemurl] a

and so on.
[edit] malicious link castrated.

call100 2nd Jan 2010 12:19


Originally Posted by Tarq57 (Post 5415833)
Courtesy "my bleeping computer", here is a removal guide for this pest.

Must say I'm not a huge fan of SpywareTerminator. If you do elect to install it, I'd suggest opting out of the "WSG" (web security guard, which installs the Crawler toolbar) and also the Clam AV. Think twice before activating the HIPS, also, it can produce popups that the average user may not know how to correctly deal with.

MBAM and SAS are the current "rock stars" of the antispyware world. AdAware (BTW, your defs are pretty old) is, in my opinion, not worth the disk space nor resources it uses.

Sorry, forgot to mention not enabling WSG, the AV and HIPS....I don't have those running, only the antispyware....As I said, it's kept me free from problems and I admit to surfing occasionally in some pretty murky places.... Also using a good dose of common sense helps!!;)

topdog1 2nd Jan 2010 15:14

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 008k.com
127.0.0.1 00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 132.com
127.0.0.1 132.com
127.0.0.1 toyota owners manual landcruiser tundra at 136136.net
127.0.0.1 136136.net
127.0.0.1 Öйú»¥Áª--ÓòÃûÉêÇë|ÓòÃû×¢²á|¿Õ¼äÉêÇë|ÐéÄâÖ÷»ú|Ö÷Ò³¿Õ¼ä,ÉϺ£¶¥¼¶ÍøÂç·þÎ ñÉÌ
127.0.0.1 163ns.com
127.0.0.1 171203.com
127.0.0.1 17-plus.com
127.0.0.1 Directsearchzone.com

There are hundreds of others that I cannot cut and paste on here as it is too large; the list just goes on and on.

Saab Dastard 2nd Jan 2010 15:49


Originally Posted by topdog1
# Start of entries inserted by Spybot - Search & Destroy

That is a good sign - the entries have been added by S&D to point to the local loopback address (127.0.0.1) to prevent your browser ever going to the real sites.

So far so good.

It then looks like AdAware is choking on something that Spybot has done to the hosts file - but since Spybot is benign, I would suspect that AdAware is just flagging a false positive.

It does look like the 12 entries might be like the

Öйú»¥Áª--ÓòÃûÉêÇë|ÓòÃû×¢²á|¿Õ¼äÉêÇë|ÐéÄâÖ÷»ú|Ö÷Ò³¿Õ¼ä,ÉϺ£¶¥¼¶ÍøÂç·þÎñÉÌ

entry in your hosts file - I too have 163.com in the hosts file, but not with that character string.

I suggest you edit the file to remove any such corrupted? entries - especially if there are 12.

SD

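An added example (not code from this thread or from any of the tools mentioned) that sorts a hosts file into the three kinds of entry discussed in this post: names mapped to the loopback address, as Spybot's block list does; names mapped to any other address, which is the real hijack pattern; and lines whose host name is not valid, like the garbled entry above. The sample file, the domain www.example-bank.test and the address 203.0.113.5 are constructed for the example; run anywhere other than Windows, it falls back to that sample.

```python
import ipaddress
import os
import re

# Constructed sample modelled on the file posted in this thread: a Spybot
# block-list section, one corrupted host name, one hijack-style entry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 \xd6\xd0\xb9\xfa\xbb\xa5\xc1\xaa--\xd3\xf2\xc3\xfb
203.0.113.5 www.example-bank.test  # constructed hijack-style entry
"""
# One or more dot-separated DNS labels: letters, digits and inner hyphens only.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def classify_hosts(text):
    """block: name -> loopback or 0.0.0.0 (benign block-list convention used by
    Spybot S&D and the MVPS file); hijack: name -> any other address (what really
    redirects a site); malformed: bad address or host name (the mojibake line)."""
    result = {"block": [], "hijack": [], "malformed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; skip blank lines
        if not line:
            continue
        addr_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            result["malformed"].append(raw)
            continue
        if not names or not all(HOSTNAME_RE.match(n) for n in names):
            result["malformed"].append(raw)
            continue
        benign = addr.is_loopback or addr.is_unspecified
        result["block" if benign else "hijack"].extend(names)
    return result


if __name__ == "__main__":
    # Windows: %SystemRoot%\System32\drivers\etc\hosts; latin-1 never fails.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts")
    try:
        text = open(path, encoding="latin-1").read()
    except OSError:
        text = SAMPLE_HOSTS  # not on Windows: show the constructed sample
    for kind, entries in classify_hosts(text).items():
        print(f"{kind} ({len(entries)}):", *entries, sep="\n  ")
```

Names listed under "hijack" are the ones worth checking one by one; a long "block" list with a Spybot or MVPS header is the expected result of those tools.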

obgraham 2nd Jan 2010 16:56

"System Restore" as soon as one of these things becomes evident.

Capot 2nd Jan 2010 18:03

I hope that this is on thread....

I just got the following, and deleted it. I wouldn't be interested anyway, but I'm assuming that acting as requested will give me a nasty case of spyware, which Avast may or may not stop. (BTW I have corrupted the link by changing a few characters.)

Any experts to comment out there? Is it harmful?

info,

Антон StiXy Козлов has added you as a friend on the website VK.com

You can log in and view your friends` pages using your email and automatically created password: OAbVoEmv

VK.com is a website that helps dozens of millions of people find their old friends, share photos and events and always stay in touch.

To log in, please follow this link:
[URL="http://vkontakte.ru/login.php?#OAbVoEmv[/URL]

You can change your password in Settings.

Attention: If you ignore this invitation, your registration will not be activated.

Good luck! Best regards,
VK Administration

Saab Dastard 2nd Jan 2010 18:29

I took out some of the URL above to avoid disclosure of the actual email address to which it was sent, the business being presumably one with which Capot is associated in some way.

SD

Tarq57 2nd Jan 2010 21:05

Capot,
Try doing a Google search for the name

Антон StiXy Козлов
and you will see it is a simple spam message. And no, it would be a good idea to not go to the site. I can't comment as to whether the site is likely to harbour malware, but there is probably a good chance it does. It would be a good idea to delete the message unopened.
As it stands you probably don't have a problem, just that your address has made it onto a spammers list somehow.

