Solved

Spyware or virus problems?

Posted on 2004-09-26
Last Modified: 2013-12-04
Hi, I'm running WinXP Pro and I'm having some issues with my computer. I believe I have some kind of Spyware or virus on my computer because when I access web sites or just about anything on my computer and there is anything with sexual slangs in words (i.e.- assets, updating, etc.) Parts of the words are underlined and have links attached to them like "ass" in assets and "dating" in updating. You can click on the link and it will just go to a dirty site. I've run adaware and deleted all the bad stuff there and I've run Nortons in safe and regular mode but I'm not getting any viruses found. I'm not sure what else I can do at this point. I can't even get the WinXP SP2 downloaded because it just keeps looking and looking for updates. If anyone can help me out here that would be great. It's really frustrating when you can't even get on the internet at safe sites and everything is pointing to sex stuff.

TIA,

JFAZ
Question by:JFAZ
17 Comments
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12156559
Hi JFAZ

It does sound like Spyware or a virus. Have you tried only one spyware program? It is good to try at least 2 as different spyware software programs pick up different things. The ones I usually use are: Adaware, Spysweeper, and Spybot search & Destroy. Also, make sure that your virus program and the spyware programs have the latest updates installed on them. And try not to have anything else running while you do this...
0
 

Author Comment

by:JFAZ
ID: 12156914
I downloaded those programs that you suggested and tried them out and although it did find numerous things on my computer the problem still exists with the underlining of certain words and parts of words that are links. Any other suggestions I could try besides a reformat?

JFAZ
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12156997
I'm sorry but I've never actually come across any information relating to your exact problem - the sexual web links (virus?) - and I do deal a bit in fixing viruses, and general computer problems. It sounds like you've already tried everything I can think of doing apart from the... 'reformat'.

The web sites that the links go to... Is it always the same web site? Are they always different? Is it like 'hotbar' where it links to anything that a search finds relating to the selected words...?

And you've definitely tried running the spyware programs in safe mode?
Made sure no applications are running while scanning?
Closed other little programs that run in the background - e.g. anything in the Notification area (i.e. where the clock is in Windows)?
Go to regedit, under My Computer, HKEY_LOCAL_MACHINE, Software, Microsoft, Windows, CurrentVersion, Run: See if there is anything suspicious looking that looks like spyware? (By the way they are the instructions for WIN. XP Pro.)
0

 
LVL 2

Expert Comment

by:Ke11ie
ID: 12157096
Have you restarted the computer since running the spy removal programs?
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12157891
JFAZ,,,, try this, my sister's system had this type of problem once, and i fixed it with hijackthis :)

So Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix everything which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
 

Author Comment

by:JFAZ
ID: 12166855
Ok I tried everything that you all had put up here for me to try. I fixed everything with Hijack This, that I felt comfortable fixing. Here is my saved log file and some of these questionable ones I know what they are like Incredimail and others I don't. Any help would be greatly appreciated. The web links that are referring to sexual slangs are all pointing to http://searchmiracle.com/ and I had deleted all of those type of "NASTY" entries that it found already. Please help if you can!

JFAZ
0
 

Author Comment

by:JFAZ
ID: 12166863
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12166961
Hi JFAZ

So after you ran HijackThis, does your computer work normal now?

If it doesn't I would suggest fixing the last four 'possibly nasties' on your list.
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167021
Have you tried Hijack this?

It seems to pick up extra things. You can download it at:

http://tools.radiosplace.com/HijackThis.exe

Save the LOG file then copy and paste it into the box at:

http://www.hijackthis.de/index.php?langselect=english

This site automatically analyses it for you. Fix everything which it labels as Nasty!

To fix, check the lines and click on Fix Checked!

If it still doesn't work, can you save the site after it analyses it and give us a look at it so we can see if it has missed something.
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167027
Sorry!
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167031
Trying to fix another problem - and the HijackThis thing really worked!
0
 
LVL 2

Expert Comment

by:Ke11ie
ID: 12167302
Actually, I've just fixed a couple of my own problems and then I took another look at your log - and I would definitely get rid of your 'O2's and 'O3's and hopefully that should work! (And if you haven't already done what I said to try above - I would ignore those!)

They seemed to solve my stupid spyware problems!
0
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 500 total points
ID: 12167407
JFAZ these are the entries in ur LOG which u still need to fix :)

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 46.dll
O4 - HKLM\..\Run: [7DbH] C:\documents and settings\jennifer\local settings\temp\7DbH.exe
O4 - HKLM\..\Run: [uP4HSh] C:\documents and settings\jennifer\local settings\temp\uP4HSh.exe
O4 - HKLM\..\Run: [4A9E3745DCKMAP] C:\WINDOWS\System32\Vtz7.exe
O4 - HKLM\..\Run: [osmf3qU] nvcdm.exe
O4 - HKCU\..\Run: [Litd] C:\Documents and Settings\Jennifer\Application Data\tata.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CheckIt\86\CheckIt86.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
=====================================================

then can u see this line >> F2 - REG:system.ini: UserInit=userinit.exe,
the entry is wrong, but u cannot fix this line coz it will harm ur windows, so u have to manually edit ur registry to correct it,,,, so BACKUP ur registry first and then follow the below step !!

goto Start>Run>regedit and navigate to the following key,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

look in the right pane for a key called Userinit
right click it and click Modify
u can see the value data as >> userinit.exe,

change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

save the file and restart ur machine !!
Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that Follow these Instructions:

1. Restart ur machine in safemode and Login as Administrator
2. Run the AntiVirus tool and delete all viruses it found
3. Run the Spyware Removal tools and delete everything they detect
4. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
5. Goto C:\Documents and Settings\ur username\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur username\Cookies, and delete all cookies present here.
8. Goto C:\Windows\Temp and delete all files present here
9. Reboot back in Normal Mode and check if problems are gone or not
10. Post Back and Good Luck :)
0
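As an added example (not part of the original posts, and not HijackThis's or hijackthis.de's own logic), the script below applies simple path checks to the O4 autorun lines and the F2 Userinit line from the log quoted above. The heuristics, the function names and the `ExampleAV` line are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath
# O4/F2 lines are copied from the log quoted in the thread; the ExampleAV line
# is constructed here as a benign contrast case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe
O4 - HKLM\..\Run: [7DbH] C:\documents and settings\jennifer\local settings\temp\7DbH.exe
O4 - HKLM\..\Run: [4A9E3745DCKMAP] C:\WINDOWS\System32\Vtz7.exe
O4 - HKLM\..\Run: [osmf3qU] nvcdm.exe
O4 - HKCU\..\Run: [Litd] C:\Documents and Settings\Jennifer\Application Data\tata.exe
F2 - REG:system.ini: UserInit=userinit.exe,
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)

def check_autorun(command):
    # Heuristics assumed for this example: where an autorun lives, not what it is.
    path = PureWindowsPath(command.strip('"'))
    lowered = str(path).lower()
    if not path.is_absolute():
        return "no full path"
    if "\\local settings\\temp\\" in lowered or "\\windows\\temp\\" in lowered:
        return "starts from a temp directory"
    if path.parent.name.lower() == "application data":
        return "executable sits directly in Application Data"
    return None

def check_userinit(value):
    # Mirrors the fix in the thread: one entry, given as the full System32 path.
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if len(entries) != 1:
        return f"expected one program, found {len(entries)}"
    path = PureWindowsPath(entries[0])
    if not path.is_absolute():
        return "userinit.exe referenced without a full path"
    if (path.name.lower(), path.parent.name.lower()) != ("userinit.exe", "system32"):
        return "does not point at System32\\userinit.exe"
    return None

def triage(log_text):
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        reason = None
        if m := O4_RE.match(line):
            label, reason = f"{m[1]} Run [{m[2]}]", check_autorun(m[3])
        elif m := F2_RE.match(line):
            label, reason = "Winlogon Userinit", check_userinit(m[1])
        if reason:
            findings.append((label, reason))
    return findings
```

These path checks do not flag `C:\WINDOWS\System32\Vtz7.exe`, which the post above also lists for fixing, so a clean result from checks like these still needs the per-entry research the thread recommends.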
 

Author Comment

by:JFAZ
ID: 12169945
Hi, Ok it now seems as if I'm all fixed over here I'm not seeing anymore sexual links and I'm finally able to get the WinXP SP2 on this computer. The only other question that I have for anyone is, should I always be running my virus scans and spyware scans in safemode? Also, does clearing out all of the temp stuff have to be done at the same time as well when I'm having problems?

Thank you all for your in depth help. I always know that I can get on here and you guys always seem to help me out a lot and above all else. I'm learning! I'll award the points here shortly.

Thanks,

JFAZ
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12170104
gooooood news JFAZ :)

and Yes u shud always run ur spyware removal tools and av scan in safemode, coz in safemode there are no background running processes that can interrupt with them,,,,, and clearing out temp internet files and local settings\temp files is also recommended in once a week :)

anything else =)
0
 

Author Comment

by:JFAZ
ID: 12170174
One more question that I had forgot to previously answer. From looking at my logs, etc. Do you have any idea what might have infected my computer with that searchmiracle link problem?

JFAZ
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12170303
i saw some junk files running from ur Local Settings\TEMP folder !!
those were totally unknown files,,,,, u know random nasty files...... and i think those were responsible for that problem :)
and that was the reason i asked to delete all ur Temp internet files along with the Temp folder files !!  =)
0
