Solved

Spyware or virus problems?

Posted on 2004-09-26
Last Modified: 2013-12-04
Hi, I'm running WinXP Pro and I'm having some issues with my computer. I believe I have some kind of spyware or virus on my computer because when I access web sites or just about anything on my computer and there is anything with sexual slangs in words (i.e. assets, updating, etc.), parts of the words are underlined and have links attached to them, like "ass" in assets and "dating" in updating. You can click on the link and it will just go to a dirty site. I've run Adaware and deleted all the bad stuff there and I've run Nortons in safe and regular mode but I'm not getting any viruses found. I'm not sure what else I can do at this point. I can't even get the WinXP SP2 downloaded because it just keeps looking and looking for updates. If anyone can help me out here that would be great. It's really frustrating when you can't even get on the internet at safe sites and everything is pointing to sex stuff.

TIA,

JFAZ
Question by:JFAZ
17 Comments
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12156559
Hi JFAZ

It does sound like spyware or a virus. Have you tried only one spyware program? It is good to try at least 2, as different spyware software programs pick up different things. The ones I usually use are: Adaware, Spysweeper, and Spybot Search & Destroy. Also, make sure that your virus program and the spyware programs have the latest updates installed on them. And try not to have anything else running while you do this...
0
 

Author Comment

by:JFAZ
ID: 12156914
I downloaded those programs that you suggested and tried them out and although it did find numerous things on my computer the problem still exists with the underlining of certain words and parts of words that are links. Any other suggestions I could try besides a reformat?

JFAZ
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12156997
I'm sorry but I've never actually come across any information relating to your exact problem - the sexual web links (virus?) - and I do deal a bit in fixing viruses, and general computer problems. It sounds like you've already tried everything I can think of doing apart from the... 'reformat'.

The web sites that the links go to... Is it always the same web site? Are they always different? Is it like 'hotbar' where it links to anything that a search finds relating to the selected words...?

And you've definitely tried running the spyware programs in safe mode?
Made sure no applications are running while scanning?
Closed other little programs that run in the background - e.g. anything in the Notification area (i.e. where the clock is in Windows)?
Go to regedit, under My Computer, HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Run: See if there is anything suspicious looking that looks like spyware? (By the way they are the instructions for WIN. XP Pro.)
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12157096
Have you restarted the computer since running the spy removal programs?
0
 
LVL 65

Accepted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 500 total points
ID: 12157891
JFAZ,,,, try this, my sister's system had this type of problem once, and I fixed it with hijackthis :)

So Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:JFAZ
ID: 12166855
Ok I tried everything that you all had put up here for me to try. I fixed everything with Hijack This, that I felt comfortable fixing. Here is my saved log file and some of these questionable ones I know what they are like Incredimail and others I don't. Any help would be greatly appreciated. The web links that are referring to sexual slangs are all pointing to http://searchmiracle.com/ and I had deleted all of those type of "NASTY" entries that it found already. Please help if you can!

JFAZ
0
 

Author Comment

by:JFAZ
ID: 12166863
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12166961
Hi JFAZ

So after you ran HijackThis, does your computer work normal now?

If it doesn't I would suggest fixing the last four 'possibly nasties' on your list.
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167021
Have you tried Hijack this?

It seems to pick up extra things. You can download it at:

http://tools.radiosplace.com/HijackThis.exe

Save the LOG file then copy and paste it into the box at:

http://www.hijackthis.de/index.php?langselect=english

This site automatically analyses it for you. Fix everything which it labels as Nasty!

To fix, check the lines and click on Fix Checked!

If it still doesn't work, can you save the site after it analyses it and give us a look at it so we can see if it has missed something.
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167027
Sorry!
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167031
Trying to fix another problem - and the HijackThis thing really worked!
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167302
Actually, I've just fixed a couple of my own problems and then I took another look at your log - and I would definitely get rid of your 'O2's and 'O3's and hopefully that should work! (And if you haven't already done what I said to try above - I would ignore those!)

They seemed to solve my stupid spyware problems!
0
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 500 total points
ID: 12167407
JFAZ these are the entries in ur LOG which u still need to fix :)

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O4 - HKLM\..\Run: [7DbH] C:\documents and settings\jennifer\local settings\temp\7DbH.exe
O4 - HKLM\..\Run: [uP4HSh] C:\documents and settings\jennifer\local settings\temp\uP4HSh.exe
O4 - HKLM\..\Run: [4A9E3745DCKMAP] C:\WINDOWS\System32\Vtz7.exe
O4 - HKLM\..\Run: [osmf3qU] nvcdm.exe
O4 - HKCU\..\Run: [Litd] C:\Documents and Settings\Jennifer\Application Data\tata.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
=====================================================

then can u see this line >> F2 - REG:system.ini: UserInit=userinit.exe,
the entry is wrong, but u cannot fix this line coz it will harm ur windows, so u have to manually edit ur registry to correct it,,,, so BACKUP ur registry first and then follow the below step !!

goto Start>Run>regedit and navigate to the following key,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

look in the right pane for a key called Userinit
right click it and click Modify
u can see the value data as >> userinit.exe,

change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

save the file and restart ur machine !!
Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back and Good Luck :)
0
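Added example, not part of the original thread and not HijackThis's own logic: a small Python triage pass over log lines copied from the post above. It flags Run entries that start from Temp or Application Data or have no path, "(no file)" entries, and a Userinit value that differs from the full path given in the post. The folder list, reason strings and the function name `triage` are assumptions of this example.

```python
import re

# Sample lines copied from the HijackThis log entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O4 - HKLM\..\Run: [7DbH] C:\documents and settings\jennifer\local settings\temp\7DbH.exe
O4 - HKLM\..\Run: [4A9E3745DCKMAP] C:\WINDOWS\System32\Vtz7.exe
O4 - HKLM\..\Run: [osmf3qU] nvcdm.exe
O4 - HKCU\..\Run: [Litd] C:\Documents and Settings\Jennifer\Application Data\tata.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
# Heuristic (assumption of this example): user-writable folders for autostarts.
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\", "\\windows\\temp\\")
# The corrected Userinit value as given in the post, lower-cased for comparison.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve manual research."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            target = m.group(4).lower()
            if any(p in target for p in USER_WRITABLE):
                findings.append((line, "autostart from user-writable folder"))
            elif "\\" not in target:
                findings.append((line, "autostart without a full path"))
            continue
        m = USERINIT_RE.match(line)
        if m and m.group(1).strip().lower() != EXPECTED_USERINIT:
            findings.append((line, "Userinit is not the full System32 path"))
        elif line.endswith("(no file)"):
            findings.append((line, "entry points to a missing file"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

The `Vtz7.exe` entry in System32 is not flagged by these path rules, so a flag here only narrows what to research first; entries it passes over still need the manual check the thread describes.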
 

Author Comment

by:JFAZ
ID: 12169945
Hi, Ok it now seems as if I'm all fixed over here I'm not seeing anymore sexual links and I'm finally able to get the WinXP SP2 on this computer. The only other question that I have for anyone is, should I always be running my virus scans and spyware scans in safemode? Also, does clearing out all of the temp stuff have to be done at the same time as well when I'm having problems?

Thank you all for your in depth help. I always know that I can get on here and you guys always seem to help me out a lot and above all else. I'm learning! I'll award the points here shortly.

Thanks,

JFAZ
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12170104
gooooood news JFAZ :)

and Yes u shud always run ur spyware removal tools and av scan in safemode, coz in safemode there are no background running processes that can interrupt with them,,,,, and clearing out temp internet files and local settings\temp files is also recommended in once a week :)

anything else =)
0
 

Author Comment

by:JFAZ
ID: 12170174
One more question that I had forgot to previously answer. From looking at my logs, etc. Do you have any idea what might have infected my computer with that searchmiracle link problem?

JFAZ
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12170303
i saw some junk files running from ur Local Settings\TEMP folder !!
those were totally unknown files,,,,, u know random nasty files...... and i think those were responsible for that problem :)
and that was the reason i asked to delete all ur Temp internet files alongwith the Temp folder files !!  =)
0
