Spyware


chief928
06-24-2004, 10:24 AM
So I think spyware has totally infected my computer. The other night I think I accidentally clicked on a pop-up and since then I cannot get on anything. If I click on AOL it starts up and then goes to password and an error message comes up and it closes. The same thing for Internet Explorer, and MS Word. I have Spybot installed and ran it and one item keeps coming up on the spyware search every time I do it, so it makes me think this thing is not being deleted. Anyone had this problem and know how to fix it or have any suggestions??? I am pissed!!!!!

Cornfedwb
06-24-2004, 10:26 AM
Make sure Spybot is updated, run it.. then run HijackThis and PM me with the log if you can't get through it.

Ericnmel99
06-24-2004, 10:27 AM
You could try another spyware program. I use Ad-Aware, you can get it at www.download.com. Sometimes if I run one program it will find nothing but when I run a second program it will find stuff. Otherwise just type in format C:

Aryss
06-24-2004, 10:30 AM
I would get Ad-Aware and CWshredder(sp). I run those with Spybot and Hijackthis and it's a real bitch for Spyware to get in.

chief928
06-24-2004, 10:31 AM
See my problem is I can't even get on the internet to download another program! Is Hijacking a program Cornfed?

Cornfedwb
06-24-2004, 10:33 AM
Ok, Ad-aware is pretty much pointless these days if you use Spybot. CWshredder should only be run when it needs to be, there's no need to be paranoidly running it. And Hijack-this you only need to use when Spybot doesn't work.. however if you don't have a good idea of what you're doing it can be dangerous, not to mention tough to figure out.

Moral of the story, keep Spybot updated and turn on its download blockers. I cannot fathom why so many people don't use the blockers.. it will keep 90% of the spyware out of your system.

chief928
06-24-2004, 10:35 AM
I forgot to mention that for this one item that always comes up when I run Spybot, the description of the problem takes me to a zone or something like that. There are like values and all kinds of numbers. I have no knowledge when it comes to this stuff so I don't know how to fix it.

Cornfedwb
06-24-2004, 10:35 AM
HijackThis is a program, yes; you can get it at http://www.lurkhere.com/~nicefiles/.

If you have no HTML access I don't know how you're posting here..... but I can email it to you if need be, it's only 150Kb or so.

chief928
06-24-2004, 10:41 AM
Fortunately posting at work right now. Is this a dangerous program to run though?

Cornfedwb
06-24-2004, 10:45 AM
It's not dangerous to run.. but don't try to fix anything yourself if you don't have a very good idea what you're doing. Just run it (after running an updated Spybot), click on save log, open the saved log, and cut and paste the log in a pm to me and I'll show you what to fix.

eldad9
06-24-2004, 10:47 AM
You know what would be ironic? If the OP was one of the people who posted on the browser thread that they're using internet explorer because they don't know about any problems with it.

Kids, just don't run MSIE.

chief928
06-24-2004, 11:18 AM
I am really ignorant to this stuff. Could you tell me some of the damage that IE can do to your comp? What is a better browser to use?

Stargun007
06-24-2004, 11:27 AM
I personally use Mozilla and love it. However, other people swear by Opera or Mozilla Firefox. Frankly, I'm just waiting for Firefox to be in a non-beta stage before I switch over to that. Either of the three will be fine, though.

eldad9
06-24-2004, 11:32 AM
I am really ignorant to this stuff. Could you tell me some of the damage that IE can do to your comp? What is a better browser to use?

Basically, it's full of security holes, so it's very easy for a site to take control of your machine and start using it for whatever they want (examples: checking your keyboard for 16-digit numbers, and sending spam).

_ANY_ browser that's not really a skin for IE is better. I use Opera but it's not free (there's an ad-supported version which you don't have to pay for) ( http://www.opera.com/ ) but some people swear by Mozilla or Firefox ( http://www.mozilla.org/ ). A few people even use Lynx, a text-only browser, but that's really not for everyone.

Real men just telnet to port 80 and read the raw HTML.

chief928
06-24-2004, 11:32 AM
Wait, I forgot another detail that may help explain my problem, and this is when I realized that something was wrong. Before it completely went down, IE had my homepage as "about:blank"? I figured maybe something wasn't working so I changed it, and then "about:blank" kept coming back as my homepage even though I changed it to Google.

eldad9
06-24-2004, 11:34 AM
Somebody doesn't want you on Google since you might use it to search for a fix.

Cornfedwb
06-24-2004, 11:36 AM
I've never seen one that just blocks a webpage and doesn't redirect.. but you can try opening up /~Windir~/System32/hosts file.. and see if there's something redirecting google.
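
The hosts file check suggested above, as an added example that is not part of the thread: this Python script parses hosts file content and flags any hostname mapped to a routable address, which is the redirect pattern a hijacked machine would show. The sample hosts content is constructed for the example, and the assumption (not stated in the thread) is that mappings to loopback or 0.0.0.0 are the normal, benign case while anything else deserves a look.

```python
"""Triage a Windows hosts file for redirect entries (added example, not the
thread's own code).  Reads text, not a path, so it works on any copy of the file."""
import ipaddress

# Constructed sample hosts file; the redirect lines are hypothetical, made up
# for this example (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- entries below are hypothetical, constructed for this example ---
203.0.113.10    www.google.com google.com
203.0.113.10    www.safer-networking.org
0.0.0.0         ads.example.net     # user-added ad block, benign
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) tuples, ignoring comments and blank lines.
    A line with several names yields one tuple per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag hostnames that map to something other than loopback or the
    unspecified address.  Ad-blocking entries pointing at 127.0.0.1 or
    0.0.0.0 are the common benign case; a routable address means requests
    for that name are being sent somewhere else entirely."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name, "routable address"))
    return flagged


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:30} -> {ip:15} ({why})")
```

Run against the real file by reading it into a string first (`suspicious_entries(open(path).read())`); the script only reports, it never edits the file, so the decision about each flagged line stays with the person doing the cleanup.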

chief928
06-24-2004, 11:45 AM
From what I have told you all so far, does this seem like something that is fixable?

Ganon00
06-24-2004, 01:50 PM
Post this topic at techguy.org, they're very informative and will help you out. I've had trouble with a couple of trojans and spyware and they helped me get rid of it.

tanis
06-24-2004, 01:58 PM
My kid was runnin' wild on the internet and installed all sorts of Spyware crap. Basically, he ran into the same problem... could not surf the internet. I could ping yahoo.com and such... but it would do all sorts of funky stuff in IE to prevent the ability to surf.

I swear by Spybot, the thing kicked ass and took names. The machine was back on its feet within 10-15 minutes. I thought, for a moment, that it was going to require a full re-install.

eldad9
06-24-2004, 02:01 PM
My kid was runnin' wild on the internet and installed all sorts of Spyware crap. Basically, he ran into the same problem... could not surf the internet. I could ping yahoo.com and such... but it would do all sorts of funky stuff in IE to prevent the ability to surf.

Why does your kid have software installation privileges?

Or does the operating system not allow limiting certain users this way?

Alpha2
06-24-2004, 02:02 PM
Or try Spywareinfo.com; they helped me with my HijackThis log and suggested a few programs to help protect my computer.

rvdrock
06-24-2004, 02:30 PM
If you can find a way to get this somehow, download Bazooka Spyware Scanner...it catches EVERYTHING! Only problem is, you have to manually uninstall them yourself. It's not hard, just time consuming...

chief928
06-25-2004, 08:59 AM
Ok so I went home last night and obviously this still isn't working but I have some more info. First of all when I click on Explorer not only does that about:blank come up for my homepage but also a pop-up comes up to buy something for spyware, so obviously I am infected. I ran Spybot a few more times and the same two items keep coming up. One is Cydoor which it says has to do with ads and the other is called DSO Exploit. The location it says it is at is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
It says I can go to get more info at http://security.greymagic.com/adv/gm001-ie/
I surprisingly can get on this website and it suggests to change the value of "1004" (DWORD) in Zone 0 to the number 3. I tried doing this and still nothing works. Suggestions anyone????
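
A way to confirm whether the Zone 0 change described above actually took, as an added example that is not from the thread or the linked advisory: export the key from Regedit to a .reg file and check the exported text. The script assumes the standard "Windows Registry Editor Version 5.00" export format, and it reads the value "1004" under the Zones\0 key named in the post, where 3 is the "disabled" setting the advisory asks for (0 means enabled and 1 means prompt, the usual IE zone-action convention). Both sample exports are constructed for the example.

```python
"""Check an exported .reg file for the Zone 0 value 1004 (added example,
not the thread's own code)."""
import re

ZONE0_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\0")

# Constructed .reg exports: the permissive state and the state after the change.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"1004"=dword:00000000
"""
AFTER = BEFORE.replace('"1004"=dword:00000000', '"1004"=dword:00000003')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.
    Only quoted value names are handled, which is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data
    return keys


def dword(raw):
    """Decode a 'dword:XXXXXXXX' export value to an int, or None if not a DWORD."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    return int(m.group(1), 16) if m else None


def zone0_1004_state(text):
    """'disabled' when 1004 is 3, 'enabled' for 0, 'prompt' for 1,
    'missing' when the key or value is not in the export."""
    values = parse_reg(text).get(ZONE0_KEY, {})
    v = dword(values.get("1004", ""))
    return {3: "disabled", 0: "enabled", 1: "prompt"}.get(v, "missing")


if __name__ == "__main__":
    print("before:", zone0_1004_state(BEFORE))   # enabled
    print("after: ", zone0_1004_state(AFTER))    # disabled
```

If the export of the real key still reports "enabled" after the edit, the change did not persist, which is itself useful information: something running on the machine is putting the value back, and that points at the safe-mode scan suggested later in the thread rather than at more registry editing.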

Cornfedwb
06-25-2004, 09:02 AM
Regedit should be a lot harder to find...

First of all DSO Exploit is not the name of spyware, it's a particular type of exploitation they use. Spybot should be able to fix them if you're using it correctly, same as Cydoor. Try running Spybot in safe mode and see if that'll catch 'em.

chief928
06-25-2004, 09:05 AM
What is Regedit? How do I change spybot over to safe mode? Thanks for all your help on this Cornfed!

Cornfedwb
06-25-2004, 09:10 AM
Ignore the regedit comment..

Here's what to do:
1. Reboot the computer
2. While computer is rebooting alternately hit F6 & F8 (can't remember which one it is) until a menu comes up.
3. Pick Safe Mode
4. Once Windows Safe Mode boots up, run spybot again.
5. Reboot as normal and test.

chief928
06-25-2004, 09:17 AM
Great, I'll give that a shot when I get home. Why would safe mode make a difference though?

dustyeff
06-25-2004, 09:35 AM
Because it only boots essential programs, and therefore will not be running any spyware programs in the background that are set to boot when you start your computer in normal mode. Hence, Spybot can delete the program because it isn't running at the time.

chief928
06-25-2004, 09:37 AM
Great. Let's hope this works. How will I get my comp back out of safe mode the next time I boot it up?

Stargun007
06-25-2004, 09:38 AM
2. While computer is rebooting alternately hit F6 & F8 (can't remember which one it is) until a menu comes up.

It's F8.

dustyeff
06-25-2004, 09:39 AM
By the way, I fuckin hate spyware. I work at a University helpdesk and like 25% of my calls are about 'pop up ads when they are working in word' or 'spam email that tells me to click on such and such a link'. And download Mozilla Firefox, for a browser, it's pretty good.

chief928
07-01-2004, 01:08 AM
Ok here is the log, for some reason my internet is working right now. Any thoughts would be appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 12:53:38 AM, on 7/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {7BB3E22C-14D4-4EA4-9450-4A877BB10530} - C:\WINDOWS\SYSTEM\JKDJE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH. EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://smbusiness.dellnet.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://212.105.78.59/cult.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Talk City EZTalk 3.0 - http://bizchat.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37602.5975925926
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
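
A first-pass triage of the HijackThis log posted above, as an added example that is not part of the thread and not HijackThis's own logic. It does not decide what is malware; it sorts entries into the buckets a helper reading such a log would look at first: IE start/search values pointing at a local file or about:blank, URLSearchHook/BHO entries whose file no longer exists, BHOs loaded from the Windows system directory rather than an application folder, and ActiveX (DPF) controls downloaded from a bare IP address or with no source URL recorded. The line format assumed is the HijackThis v1.97 "<code> - <description>" layout; the sample lines are copied from the log in this thread.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {7BB3E22C-14D4-4EA4-9450-4A877BB10530} - C:\WINDOWS\SYSTEM\JKDJE.DLL
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://212.105.78.59/cult.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def triage_line(line):
    """Return (code, reason) for a line that deserves a look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1"):
        # Start/search pages normally hold http URLs; a local file or
        # about:blank is the classic sign that they have been rewritten.
        value = body.split(" = ", 1)[-1].strip().lower()
        if value.startswith("file://") or value == "about:blank":
            return code, f"IE page value points at {value}"

    elif code in ("R3", "O2"):
        if "(no file)" in body or "(file missing)" in body:
            return code, "orphaned entry: registered component no longer exists on disk"
        # Heuristic: a BHO living in the Windows system directory rather
        # than in its own application folder is unusual and worth checking.
        path = body.rsplit(" - ", 1)[-1].strip().upper()
        if path.startswith("C:\\WINDOWS\\SYSTEM\\"):
            return code, "BHO loaded from the Windows system directory; review"

    elif code == "O16":
        url = body.rsplit(" - ", 1)[-1].strip() if " - " in body else ""
        if not url:
            return code, "ActiveX control with no source URL recorded"
        host = urlparse(url).hostname or ""
        if IP_HOST_RE.match(host):
            return code, f"ActiveX control downloaded from a bare IP address ({host})"

    return None


def triage(text):
    """Run triage_line over a whole log; returns [(code, reason, line), ...]."""
    results = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            results.append((hit[0], hit[1], line.strip()))
    return results


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {line}")
```

The two lines the script leaves alone, the Spybot helper DLL and the Flash control from macromedia.com, show the point of the heuristics: they separate entries that clearly need attention (an IE search page rewritten to a file in C:\WINDOWS\TEMP, a control fetched from a raw IP) from the ordinary clutter, so that the person reading the log can spend their time on the short list rather than on all 70-odd lines.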