Spyware, Viruses, & Security forum

General discussion

Hi, me again, there's a new problem.

by RedRobMol / February 9, 2005 8:56 AM PST

Hi, the problem with the trojan has gone but there is a sex orientated folder appeared in my internet favourites and when I remove it and reboot it reappears. I have run both the trojan guard, the virus check and spybot but nothing appears to be found, do you have any idea where it could be hiding or a program that could be used to remove it? There are others that will use this pc and I don't want anyone getting the wrong idea!!

The folder is called 'FILE SHARING' and has links to a porn site and to a music download site, neither of which I have visited in case they had viruses etc hidden in them. Also words on other sites are becoming highlighted and treated as links, such as the word 'documents' has the letters 'c u m' in green underlined and are a link which just shows as 'sponsored link' when I hover the mouse over them.

Any ideas?

thanks, Rob.

You can do several "things"
by Marianna Schmudlach / February 9, 2005 9:10 AM PST

Download the stand-alone CWShredder V2.13.0.0:
http://cwshredder.net/bin/CWShredder.exe

Close all other programs and run CWShredder.exe.

Click Fix, OK, let it fix anything it finds, click Next, then exit

Download the latest version of Ad-Aware (Ad-Aware SE Build 1.05) from Major Geeks.

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.

Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Once the definitions have been updated:

Reconfigure Ad-Aware for Full Scan as per the following instructions:

-Launch the program, and click on the Gear at the top of the start screen.

-Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)

- "Automatically save logfile"
- "Automatically quarantine objects prior to removal"
- Safe Mode (always request confirmation)
- Prompt to update outdated confirmation) - Change to 7 days.
- Click the "Scanning" button (On the left side).
- Under Drives & Folders, select "Scan within Archives"
- Click "Click here to select Drives + folders" and select your installed hard drives.
- Under Memory & Registry, select all options.
- Click the "Advanced" button (On the left hand side).
- Under "Shell Integration", select "Move deleted files to Recycle Bin".
- Under "Log-file detail", select all options.
- Click on the "Defaults" button on the left.
- Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
- Click the "Tweak" button (Again, on the left hand side).
- Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
- "Unload recognized processes during scanning."
- "Obtain command line of scanned processes"
- "Scan registry for all users instead of current user only"
- Under "Cleaning Engine", select the following:
- "Automatically try to unregister objects prior to deletion."
- "During removal, unload explorer and IE if necessary"
- "Let Windows remove files in use at next reboot."
- "Delete quarantined objects after restoring"
- Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
- Click on "Proceed" to save these Preferences.
- Click on the "Scan Now" button on the left.
- Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".

- Close all programs except ad-aware.
- Click on "Next" in the bottom right corner to start the scan.
- Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
- After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Plug-Ins for Ad-Aware (VX2 Cleaner)
Download the free VX2 Cleaner here

Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.05
Go to "Plug-ins"
Select the VX2 Cleaner plug-in and click "Run Plugin"
If your computer isn't infected, click "Close".

If your computer is infected:

Select "Clean System"
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

Virus warnings while performing a scan with Ad-Aware

While performing a scan with Ad-Aware, a background antivirus monitor may issue an alert, stating that a virus has been found in the temporary directory (%temp%) for the current user. This does not necessarily mean your computer has been infected with an active virus. Most antivirus resident scanners will not scan compressed files and only monitor your memory for the sign of an active viral process.

During a scan, Ad-Aware will temporarily decompress files to scan their contents without activating the content, but in doing so, the file is noticed by the antivirus' resident scanner.

Also, some antivirus applications include an option to quarantine infected files, and when Ad-Aware decompresses these quarantined files, the antivirus background scanner detects the virus moving outside the quarantine area. To avoid this you can either remove the quarantined files via your antivirus application, or have Ad-Aware ignore the antivirus program's quarantine folders/files during a scan.
Then,

Download SPYBOT Search and Destroy here if it is not already installed on your computer.

Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the check is over, all problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.

Then browse to the C:\documents and settings\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Then empty the recycle bin.

Then Disable system restore: Instructions here.

Reboot

Finally, do an online scan using Trend Micro Housecall. It is available here.

Enable system restore.

Problem gone?

link to VX2 cleaner not working
by RedRobMol / February 9, 2005 9:19 AM PST

Thanks, I'm in the process of doing all that but the link to VX2 cleaner does not work, do you have another link?

hmm... this link works for me......
by Marianna Schmudlach / February 9, 2005 9:37 AM PST

Marianna, this link does not work...
by glenn30 / February 9, 2005 10:15 AM PST

I think there is a forum malfunction where the end of the link is changed and eliminated. I suppose it could be copied and pasted in the browser and eliminate the space that is added.

Just being helpful.

Glenn

You are correct Glenn and thanks. Lee Koo
by roddy32 / February 9, 2005 10:22 AM PST

has been told about the problem and he has reported it to the appropriate people. For some reason, the forum software started splitting the links and adding a space after the first 54 characters. (I didn't count them, somebody else did LOL). Until the problem is fixed, we will have to copy and paste the links into the address bar and then take the space out and then hit the "go" button or the enter key. This is a new problem so very few people know about it yet.

I wonder if it was done on purpose as a .....
by tobeach / February 9, 2005 2:28 PM PST

security feature to prevent buffer overrun or possibly HTA type attacks where malware can be in an extended address stream? Just seemed a likely thought.

Roddy, my effort to paste and correct
by glenn30 / February 9, 2005 10:16 PM PST

the space is unsuccessful... my browsers Firefox and IE will not cooperate and leave a blank space in the address section. I thought that was a temporary fix too but didn't work for me.

Glenn

The whole issue
by roddy32 / February 9, 2005 10:22 PM PST

(NT) Yes Roddy, I saw that after my reply to you. Thanks :)
by glenn30 / February 9, 2005 10:30 PM PST
In reply to: The whole issue

(NT) You're welcome Glenn.
by roddy32 / February 9, 2005 10:41 PM PST

Try this
by KevMo2 / February 9, 2005 10:22 AM PST

RedRob, the link didn't work for me either. You can go to the Lavasoft site, http://www.lavasoftusa.com/ and look in the software list at the top left for "add ons". The VX2 cleaner can be downloaded from there.

thanks,
by RedRobMol / February 9, 2005 10:27 AM PST
In reply to: Try this

but I just added the last bit of the link and got it to work.

Sorry Rob, I already thought it was MY fault.....
by Marianna Schmudlach / February 9, 2005 10:38 AM PST
In reply to: thanks,

roddy32 just informed me that the CNet-software is acting "funny" - glad to know you got the link working

its worked to a point
by RedRobMol / February 9, 2005 10:51 AM PST

A lot has gone, and the folder in the favourites is no longer there, but the links are still there for certain words.
I have found out that the links are for 'hotsearchbar', is that something you have heard of?

I might just accept the links if all the potentially harmful things have gone.

scrap that, it hasnt worked
by RedRobMol / February 9, 2005 10:58 AM PST
In reply to: its worked to a point

Scrap that, it hasn't worked at all, there is a file called fsg_4203.exe that keeps coming back into my .../local settings/temp/ directory

HotSearchBar
by Marianna Schmudlach / February 9, 2005 2:06 PM PST
In reply to: its worked to a point

I found this on another site, problem solved

--------------------------------------------------------------------------------

1. Start Command Prompt in the Accessories menu of your Start Menu.
2. Type in: (c:/windows/system32/regsvr32.exe /u winhot32.dll) EXACTLY as it's seen inside the parenthesis
3. You should get a system message saying that winhot32.dll has been unregistered
4. Open Internet Explorer to find HotSearchBar no longer there. You're done!

......

sorry to be a pain but...
by RedRobMol / February 10, 2005 5:38 AM PST
In reply to: HotSearchBar

I typed that into the command prompt as you said and got the message 'the system cannot find the specified directory'

Any ideas?

Hot-searches.com
by Marianna Schmudlach / February 9, 2005 2:29 PM PST
In reply to: its worked to a point

do you have that one too??

If you have had your Internet Explorer's clicks hijacked by an invisible toolbar that installs itself and keeps changing your homepage to hot-searches.com and steals your clicks to lender-search.com, then do the following to remove it. It worked for me. Follow these steps only if you feel comfortable working with regedit. It's easy enough.

First copy this and close out IE. Delete in \system32\ the files xplugin.dll, tmksrvu.exe and tksrv98.exe (IE being closed, if you can't delete xplugin.dll, cut and paste somewhere else and then delete)

Open registry, do find and delete all "hot-searches.com" and "lender-search.com" keys (that I found were in folders located UNDER Explorer Bars or a similar name for toolbars), delete the folders there.

Also using "hot-searches.com" and "lender-search.com", find, open and rename strings under Internet Explorer (rename these to your favorite homepage, search page, etc).

Do the same with finding and deleting all "81.211.105.69" and "81.211.105.68" (last one not found for me) keys.

You should be rid of it now
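
The search step described in the post above can be done without editing anything first. This is an added PowerShell example, not part of the original thread: it only lists registry matches for the strings the post names, the DLL behind each Browser Helper Object, and any of the files named in this thread that exist in System32. The registry roots searched are the usual Internet Explorer locations and are an assumption of this example.

```powershell
# Added example: read-only audit; it lists matches and deletes nothing.
# Indicator strings and file names are the ones named in the posts above.
$Indicators = 'hot-searches.com', 'lender-search.com', '81.211.105.69', '81.211.105.68'
$FileNames  = 'winhot32.dll', 'xplugin.dll', 'tmksrvu.exe', 'tksrv98.exe'
$BhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Assumed search roots: IE settings (start/search pages, Explorer Bars, toolbars) plus BHOs.
$Roots = 'HKCU:\Software\Microsoft\Internet Explorer',
         'HKLM:\SOFTWARE\Microsoft\Internet Explorer', $BhoKey

function Find-RegistryIndicator {
    param([string[]]$Roots, [string[]]$Indicators)
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($key.PSChildName -match $pattern) {       # indicator in the key name
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {     # indicator in a value name or its data
                $data = [string]$key.GetValue($name)
                if ($name -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

function Get-BhoModule {
    # Resolve each registered Browser Helper Object CLSID to the DLL it loads.
    if (-not (Test-Path $BhoKey)) { return }
    foreach ($k in Get-ChildItem $BhoKey) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
        $dll = '(no InprocServer32)'
        if (Test-Path -LiteralPath $srv) { $dll = (Get-Item -LiteralPath $srv).GetValue('') }
        [pscustomobject]@{ Clsid = $k.PSChildName; Module = $dll }
    }
}

Find-RegistryIndicator -Roots $Roots -Indicators $Indicators | Format-List
Get-BhoModule | Format-Table -AutoSize
# Files the posts name, if present in System32.
$FileNames | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" } |
    Where-Object { Test-Path $_ } | Get-Item | Select-Object FullName, Length, LastWriteTime
```

Keeping the output gives a record of what was registered before any keys or files are removed.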

It has finally worked and seems to have gone, but
by RedRobMol / February 10, 2005 5:48 AM PST
In reply to: Hot-searches.com

about this one, I don't have hot-searches.com, but 'searchanything.com' does keep popping up, I assume I could do the same thing for that one as you mentioned above, only I don't know how to open the registry, I'm using Windows XP, could you explain it for me please, I promise this is my last question!!

'searchanything.com' - can NOT find anything :(
by Marianna Schmudlach / February 10, 2005 9:46 AM PST

try running cwshredder:

Download the stand-alone CWShredder V2.13.0.0:
http://cwshredder.net/bin/CWShredder.exe

Close all other programs and run CWShredder.exe.

Click Fix, OK, let it fix anything it finds, click Next, then exit
