Ali, posted June 23, 2004:

Last night I installed Windows XP SP2 (Beta) and Windows Media Player 10 just to see how they work. Guess what, as soon as I finished checking things out (the firewall settings, etc.) Internet Explorer ended up with two pieces of spyware. One I could remove (MySearchBar) and the other one I'm stuck with and I can't figure out how to remove it. I have uninstalled SP2 since I kept getting spyware from any site I visited!!! Or it seemed like it. Got rid of SP2 and it's all back to normal. It changes my homepage to about:blank, but there is a "Search for..." page as my homepage, a few suspicious items are added in Favorites, and NOTHING PICKS THE DAMN THING UP! ;( I used Ad-Aware and Spybot, and "Spyware Nuker" (??) which picked it up as Slotch XXX Toolbar, but that is not correct because my computer does not contain any of the components they mention in the removal instructions for that "thing" (there is no actual TOOLBAR, nothing in Add/Remove Programs, the registry keys they mention don't match, and there is no tinybar.exe anywhere on any of my HDDs). If I get my hands on the bastards who make such pains I'll choke them to death!!! They don't even dare to put a contact link or company name, or copyright, or anything in there. Bastards. ;( Please somebody help!!!!!!!
Sampson, posted June 23, 2004:

A browser helper object (BHO) does not always appear as a toolbar but does get invoked whenever you bring up IE or those browsers that use IE components. Download BHODemon 2.0 (it's free) and it will tell you what BHOs exist (and you can disable them). It will also tell you if something is changing your homepage or writing a value in your registry. SpywareGuard (also free) also protects your homepage. SpywareBlaster (also free) will load dozens of sites known to infect systems and keep them from running. Finally, PestPatrol (not free but reasonable) will do a better job than most in finding pests, spyware, and the like. It runs in memory after it is installed and will alert you if something is being installed. Spyware Stopper is "free" until you need to update virus definitions. You get one free update, then you will have to pay a yearly subscription.
Ali, posted June 24, 2004:

WOW, it picked it up!!! It worked!!! Thank you very much for your help. I had disabled System Restore, BHODemon 2.0 found gfmhaab.dll, which I deleted in Safe Mode, and the program also gave me the registry location (deleted that too) and it's gone!!!!! Everything is working so far!!! Thank you very much for your reply, I was so close to giving up and reformatting the hard drive. Got to find out who wrote that annoying piece of BHO that gave me tons of headaches!!!! If I get my hands on the producer of that thing I'll break my foot kicking him so hard in his.... nevermind.
Sampson, posted June 24, 2004:

There used to be a BHO page with all of the info on these things. Apparently there is now a program: http://www.spywareinfo.com/~merijn/files/bholist.zip
sp4rk911, posted June 24, 2004:

Is the bar you can't remove the one called ISEARCH? Because I have that thing. If you can find a program to remove those things, such as XoftSpy or Adware Remover, you can get rid of everything. I have over 4800 spyware-infected files, so don't feel bad.
Ali, posted June 24, 2004:

Hi guys, me again!!!! I have removed this BHO crap and the system works fine for about 4~5 hrs and then the same thing happens again. Now the DLL file name and the registry value keep changing, but the same site comes up!!!! How the hell do they do that? This all started happening after I installed SP2 (of course I have removed it now!!!), but this is the only computer I have this problem with. Now the name of the file is phanaa.dll and in the registry: Clsid {3019DB0B-E808-45A0-9D2E-F44A4586EF4F}. I'm thinking there might be a flaw in the security for IE that has happened after installing SP2. Or there might be other things on the computer that make this happen again and again? Any suggestions? Thank you.
Ali, posted June 24, 2004:

Originally posted by Sampson:
> There used to be a BHO page with all of the info on these things. Apparently there is now a program: http://www.spywareinfo.com/~merijn/files/bholist.zip

This download contains a trojan called Trojan.StartPage. Be careful with this file!!!! ;(
Sampson, posted June 24, 2004:

Program BHOList.exe comes from Merijn Bellekom, the developer of StartupList and HijackThis! It downloads and displays the BHO Collection in a searchable & sortable list. It will contain the names of some nasties which may have set off your virus scan, Ali, but I doubt that it actually contains any trojans. I use both AVG 7.0 and eTrust and neither gave me an indication of a problem.
Ali, posted June 25, 2004:

I only use Norton AntiVirus 2003 with the latest definitions. Now the problem is worse than I thought!!! It keeps coming back because (I think) Microsoft SP2 has removed the security updates that were provided after SP1!!!!! They are still showing in Add/Remove Programs, and when I go to the Windows Update website it tells me no updates are available!!! BUT WHEN THE BLASTER WORM IS SHUTTING DOWN MY SYSTEM and all of a sudden, for the first time in my life, I'm flooded with BHOs, I'm convinced that after installing SP2 something had gone wrong with all the fix patches that were installed before!!!! I'm trying to remove the viruses in Safe Mode and install the updates manually, to see what happens. If it doesn't work, I'll just wipe it clean and start from scratch!!!! I won't install SP2 after it comes out until they fix all this crap!!!!
Ali, posted June 25, 2004:

Thank you guys for all your replies. You guys are the best. Funny!!! I just got the RPC thing that shuts down the system and guess what!!! I got removal tools from Norton; it's not Blaster, not Sasser, not Welchia (these guys are not found on the system!!!). What else does that? I'm running a full system scan using Norton and it is not picking up anything at all (running it in Safe Mode)!!! This just proves how useless antivirus software is when there is actually a virus in the system!!! They don't do anything! ;( What other worm/trojan/virus gives you that RPC message? I'm thinking the entire computer business is so fragile with all the software problems. Linux is difficult to use (and I'm still struggling to learn the basics) and Windows is insecure! What should be done about this! This is not a question of taste or personal preference, but a question of survival of the human race until we wipe ourselves off the face of the planet with a piece of computer code!!!! (You can tell I'm going nuts!!!)
Sampson, posted June 25, 2004:

Look at this URL: http://www.pestpatrol.com/Search/default.asp?qu=RPC&sc=%2F&Action=Go

You asked what other ones give this "RPC" message? Here are ten to start with:

1. PestPatrol Pest Info - Exploit.Win32.DCom.e http://www.pestpatrol.com/pestinfo/e/exploit_win32_dcom_e.asp (size 11068 bytes, 6/24/2004 4:07:03 PM GMT)
2. PestPatrol Pest Info - Rpc-cmsd.c http://www.pestpatrol.com/pestinfo/r/rpc-cmsd_c.asp (size 10138 bytes, 6/21/2004 8:00:51 PM GMT)
3. PestPatrol Pest Info - RPC portmapper set/unset http://www.pestpatrol.com/pestinfo/r/rpc_portmapper_set_unset.asp (size 10895 bytes, 6/21/2004 8:01:03 PM GMT)
4. PestPatrol Pest Info - Rpc Bind 1.1 http://www.pestpatrol.com/pestinfo/r/rpc_bind_1_1.asp (size 13136 bytes, 6/21/2004 8:00:54 PM GMT)
5. PestPatrol Pest Info - Sadmind Solaris RPC tiny Scanner http://www.pestpatrol.com/pestinfo/s/sadmind_solaris_rpc_tiny_scanner.asp (size 10740 bytes, 6/21/2004 8:02:45 PM GMT)
6. PestPatrol Pest Info - RPC Program Scanner http://www.pestpatrol.com/pestinfo/r/rpc_program_scanner.asp (size 10091 bytes, 6/21/2004 8:01:04 PM GMT)
7. PestPatrol Pest Info - Rpc scanner by console http://www.pestpatrol.com/pestinfo/r/rpc_scanner_by_console.asp (size 10496 bytes, 6/21/2004 8:01:04 PM GMT)
8. PestPatrol Pest Info - Prout.c abuse of pcnfs RPC program (version 2 only) http://www.pestpatrol.com/pestinfo/p/prout_c_abuse_of_pcnfs_rpc_program__version_2_only_.asp (size 10864 bytes, 6/21/2004 7:48:28 PM GMT)
9. PestPatrol Pest Info - Pscan2.c TCP/UDP/NIS/RPC scanner http://www.pestpatrol.com/pestinfo/p/pscan2_c_tcp_udp_nis_rpc_scanner.asp (size 10735 bytes, 6/21/2004 7:48:41 PM GMT)
10. PestPatrol Pest Info - Unknown Flooder http://www.pestpatrol.com/pestinfo/u/unknown_flooder.asp (size 16544 bytes, 6/21/2004 9:07:42 PM GMT)
Ali, posted June 25, 2004:

Oh man, you said there was no information on that thing about a year ago!!! There is no information about anything named W32Parity on the Norton and McAfee websites. They must be using another name for it or something. I searched Google, and guess what I found: http://www.ntcompatible.com/thread27230-1.html and that is the only result. PestPatrol worked, and BHODemon could help me remove my 4th BHO and everything looks fine, but I know the thing is still in there, because when I type about:blank in IE, or type any invalid URL, that "Search for..." site comes up. No sign of that RPC thing!!! It just disappeared, just like that, like it never existed!!!! Now what? Wait and see if there are more problems? How come it's working for a few hrs and then everything goes upside down? Is there a time trigger or something? It all started after installing SP2! I was so stupid; you know when they say if it ain't broke don't fix it!!! That is my problem!!! Is there any way I could fix that blank page problem though? Where should I look to see what defines the "blank" page in Windows?

APK, I'm not using Kazaa or anything like that (if you remember, AlecStaar, a long time ago I had issues with my clients who used Kazaa!! and I talked to my workplace managers and the owner 'cause you said you could create code that could remove Kazaa or block it or something, I can't remember. But the owner of the business (after a while running after him) finally told me that I'm overreacting, and they cannot go with that plan. Now they are charging people $149 if any trace of any P2P software is found on their system before they even consider looking at any software (so much for me overreacting). Alec, you are one of the most helpful people on this forum and one of the most knowledgeable ones. I really appreciate all your help.
Ali, posted June 25, 2004:

Originally posted by sp4rk911:
> Is the bar you can't remove the one called ISEARCH? Because I have that thing. If you can find a program to remove those things, such as XoftSpy or Adware Remover, you can get rid of everything. I have over 4800 spyware-infected files, so don't feel bad.

Thanks for the reply man, but don't come to my service department 'cause I hate spyware so much now!!!
Ali, posted June 25, 2004:

Originally posted by Sampson:
> Look at this URL: http://www.pestpatrol.com/Search/default.asp?qu=RPC&sc=%2F&Action=Go
> You asked what other ones give this "RPC" message? Here are ten to start with:
> 1. PestPatrol Pest Info - Exploit.Win32.DCom.e http://www.pestpatrol.com/pestinfo/e/exploit_win32_dcom_e.asp (size 11068 bytes, 6/24/2004 4:07:03 PM GMT)
> 2. PestPatrol Pest Info - Rpc-cmsd.c http://www.pestpatrol.com/pestinfo/r/rpc-cmsd_c.asp (size 10138 bytes, 6/21/2004 8:00:51 PM GMT)
> 3. PestPatrol Pest Info - RPC portmapper set/unset http://www.pestpatrol.com/pestinfo/r/rpc_portmapper_set_unset.asp (size 10895 bytes, 6/21/2004 8:01:03 PM GMT)
> 4. PestPatrol Pest Info - Rpc Bind 1.1 http://www.pestpatrol.com/pestinfo/r/rpc_bind_1_1.asp (size 13136 bytes, 6/21/2004 8:00:54 PM GMT)
> 5. PestPatrol Pest Info - Sadmind Solaris RPC tiny Scanner http://www.pestpatrol.com/pestinfo/s/sadmind_solaris_rpc_tiny_scanner.asp (size 10740 bytes, 6/21/2004 8:02:45 PM GMT)
> 6. PestPatrol Pest Info - RPC Program Scanner http://www.pestpatrol.com/pestinfo/r/rpc_program_scanner.asp (size 10091 bytes, 6/21/2004 8:01:04 PM GMT)
> 7. PestPatrol Pest Info - Rpc scanner by console http://www.pestpatrol.com/pestinfo/r/rpc_scanner_by_console.asp (size 10496 bytes, 6/21/2004 8:01:04 PM GMT)
> 8. PestPatrol Pest Info - Prout.c abuse of pcnfs RPC program (version 2 only) http://www.pestpatrol.com/pestinfo/p/prout_c_abuse_of_pcnfs_rpc_program__version_2_only_.asp (size 10864 bytes, 6/21/2004 7:48:28 PM GMT)
> 9. PestPatrol Pest Info - Pscan2.c TCP/UDP/NIS/RPC scanner http://www.pestpatrol.com/pestinfo/p/pscan2_c_tcp_udp_nis_rpc_scanner.asp (size 10735 bytes, 6/21/2004 7:48:41 PM GMT)
> 10. PestPatrol Pest Info - Unknown Flooder http://www.pestpatrol.com/pestinfo/u/unknown_flooder.asp (size 16544 bytes, 6/21/2004 9:07:42 PM GMT)

That's gonna take me a while, getting to all of them. I'm getting on them now, thank you!

Edit: all of them seem to be picked up by PestPatrol and none of them turned up in the scans. This was a great help though; I put this post somewhere else on this forum where they had the RPC issue when connecting to the ISP (if you don't mind). This may help him too. Thank you very much Sampson.
Sampson, posted June 25, 2004:

There is a buffer overrun patch that was issued by Microsoft last year in relation to the RPC interface. You may not necessarily have lost it when you went back to SP1: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

At this point I am wondering if you aren't being hacked.
Ali, posted June 25, 2004:

Originally posted by AlecStaar:
> Thanks, but I forget things & the spelling was wrong above: it's "W32Parite" (my nephew had to remind me by phone & I am @ fault on both threads, because it is spelt this way, not the way I spelled it above).
> P.S.=> My nephew got it from Kazaa use & another user putting out infected files on it, & W32Parite did one "good" thing: cured him of filesharing programs! apk

BINGO:
> W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus can also spread via mapped drives and network shares.
> Also Known As: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [Sophos], Win32/Parite.A [RAV]
> Type: Virus
> Infection Length: ~177,917 bytes
> Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
> Systems Not Affected: Macintosh, OS/2, UNIX, Linux

And here is a look at the solution:
> 1. Disable System Restore (Windows Me/XP). (have done it)
> 2. Update the virus definitions. (done that)
> 3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT). (done that)
> 4. Run a full system scan and repair all the files detected as W32.Pinfi. (there is none)
> 5. Reverse the value that the virus added to the registry. (it's not there!)

The good news is this is not it!!! 'Cause the registry item they mention is not there! The bad news is that I'm still lost and have no idea what's going on!!!
Ali, posted June 25, 2004:

HEY I FOUND THE BASTARD!!! I found the URL for the site where all my problems are coming from (with some tracing stuff) and my DNS provider gave me the Whois information for the guy!!! What is the best way of punishing the ass****? He has got to learn to earn his money by hard work, not by stealing on the internet!!! and spreading the stuff all over my computer!!!! Here is the domain name if you want to look it up: D8T.BIZ, and he uses lots of submasks and stuff!!! It looks like he has provided a false phone number and his name doesn't sound right. And to top that off, he is giving out his Yahoo mail! Could I give his info to the FBI or something? Any suggestion on how I could have revenge on this guy? And look at this:

>>>> Whois database was last updated on: Fri Jun 25 06:21:43 GMT 2004 <<<<
jriling, posted June 26, 2004:

Norton is not capable of finding the culprits in your system. Download a good AV program (Kaspersky 5.0 trial version, www.kaspersky.com). Run the updates, scan your PC; it WILL find the trojans on your HDD. Next: download Spybot Search & Destroy: http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button Run the updates, scan your HDD; it will remove the registry entries. I had the same issues going on; the above cleared it up & kept me from formatting. JR
Ali, posted June 26, 2004:

None of it worked, it's still there and it's installing crap on my computer every 2~3 hrs. The guy surely receives the emails, but no response. I'm formatting the computer to reinstall Windows, but the cheap 56x CD-ROM is acting up in the middle of installation (it stops functioning when it gets warm)!!! Just to make my life more miserable!!! Thank God I always have at least two copies of my important files. Got to buy a new CD drive for the computer! It's just that at this time I'm totally broke (planning to get a DVD-RW drive, but if the CD dies now, I could only replace it with another cheap one!!!). They say worse things happen at the worst time!!! Wish me luck, since this is the 3rd time I'm formatting my primary RAID partition to get Windows installed!!! And thank you for all your help, can't do without your help.
bushrat, posted June 28, 2004:

I found the answer! (Or at least it works for now...) The pop-up comes up saying "you might be infected by spyware........." I downloaded BHODemon and it showed this:

{F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166} C:\WINDOWS\System32\jbafagd.dll

What I did was go to the registry (regedit, if someone does not know) and delete all entries containing "jbafagd.dll" and "{F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166}", and also delete the file. The problem was solved. If you decide to do it, DO IT AT YOUR OWN RISK.
yakkob, posted June 28, 2004:

Hi Ali, I know I haven't contributed to this thread, although everything has pretty much been said. But I have just seen this http://www.majorgeeks.com/download4281.html on the front page, which looks pretty cool (I ain't tried it yet, as I am at work, and I can't reg it (it must use another port apart from 8080)). I will try it when I get home. Anyways, just thought you might as well give it a try too. GL
trex1966, posted June 29, 2004:

I have the same browser problem, only mine started as "mukeh.dll" and kept changing to some weird stuff. I tried to go to the registry and delete the keys, but after 15 or so minutes it just comes back, which leads me to believe a program (hidden of course) is installing it. I have run Ad-Aware, Spybot, AVG antivirus, Panda, Norton's; none pick it up and I think it is a very well executed pain in the a..... Funny enough, I have picked through my whole system32 folder (cause one antivirus program told me that was where it was) file by painstaking file and found only one program called "loader". I deleted it, rebooted and..........."PRESTO" there was old faithful "mukeh.dll" running my sh....... So Ali, I feel you bro; thought I knew a little sumptin sumptin about computers but this one almost has me tossing it out the window. Peace y'all and God bless whoever comes up with the answer.
yakkob, posted June 29, 2004:

Could this be your problem? http://www.theregister.com/2004/06/29/cws_shredder/
felix, posted June 29, 2004:

I was having similar problems on a work computer and I found a file called "jushed32.exe" or similar. I stopped it and renamed it and since then, no more problems. I have a simple rule regarding programs: "If there's no author's information etc. on the .exe when I right-click on the file, it gets shut down and deleted. If they don't have the integrity to put their name on it, blow it away."
Sampson, posted June 29, 2004:

Good rule. You might also check to see if it deleted the program:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

That file is part of the Bizten family of Trojans. It also plays fast and furious with IE's toolbars, so you might also want to check the following Registry keys:

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\SearchURL
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\TypedURLs\url1
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1
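Added example, not from any poster in this thread: a read-only PowerShell triage script that does by hand what Sampson's BHODemon suggestion, felix's "no author info" rule and the registry list above describe. It walks the Browser Helper Objects registration, resolves each CLSID to its DLL through HKCR\CLSID\{...}\InprocServer32, flags DLLs with no company/version info or no valid Authenticode signature, and dumps the IE Start Page / Search values in HKLM and HKCU. It reports only; it deletes nothing. The Wow6432Node path is an assumption for 64-bit systems and is skipped if absent.

```powershell
# Added example (not the thread's code). Read-only BHO and IE-homepage triage.
# Run in an elevated PowerShell so HKLM is fully readable.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumption: present only on 64-bit Windows; Test-Path skips it otherwise.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName   # e.g. {F51CCAF2-C6EB-4C4A-BB92-C5F4F1904166}
            # COM registration: the (default) value of InprocServer32 is the DLL path.
            $inproc = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                      -ErrorAction SilentlyContinue
            $dll = $null
            if ($inproc -and $inproc.'(default)') {
                $dll = [Environment]::ExpandEnvironmentVariables($inproc.'(default)'.Trim('"'))
            }
            $exists = [bool]($dll -and (Test-Path $dll))
            $ver = $null; $sig = $null
            if ($exists) {
                $ver = (Get-Item $dll).VersionInfo          # CompanyName, FileDescription, ...
                $sig = Get-AuthenticodeSignature $dll       # Status: Valid / NotSigned / HashMismatch
            }
            $noAuthor = (-not $ver) -or [string]::IsNullOrWhiteSpace($ver.CompanyName)
            $badSig   = ($sig -ne $null) -and ($sig.Status -ne 'Valid')
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                Exists     = $exists
                Company    = if ($ver) { $ver.CompanyName } else { '' }
                Signature  = if ($sig) { $sig.Status } else { 'n/a' }
                # felix's rule: no author info, or an unsigned DLL, is worth a closer look.
                Suspicious = $noAuthor -or $badSig
            }
        }
    }
}

# The Start Page / Search values Sampson lists, read from both hives.
$ieSubKeys = @('Software\Microsoft\Internet Explorer\Main', 'Software\Microsoft\Internet Explorer\Search')
$ieValues  = @('Start Page', 'Search Page', 'Search Bar', 'SearchURL',
               'Default_Search_URL', 'SearchAssistant', 'CustomizeSearch')

function Get-IeHijackReport {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in $ieSubKeys) {
            $props = Get-ItemProperty "${hive}:\$sub" -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($name in $ieValues) {
                if ($null -ne $props.$name) {
                    [pscustomobject]@{ Key = "$hive\$sub"; Value = $name; Data = $props.$name }
                }
            }
        }
    }
}

Get-BhoReport      | Format-Table -AutoSize
Get-IeHijackReport | Format-Table -AutoSize
```

Re-run the script after a reboot and compare the CLSID and DLL columns: a BHO whose DLL name changes between runs while the redirect destination stays the same is the pattern Ali and trex1966 describe, and points at a separate loader re-installing it rather than at the DLL itself.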