I need a bit of computer advice/help, please!

12/06/04 | me

[IamHD]

I think that I may have a trojan or a keylogger or something on my computer. I have tried everything that you can think of, short of completely deleting everything from my computer. I have all up to date anti-virus protection, pop-up stoppers, hijackthis, etc., etc., etc. I accidentally found 1,000's of porno, gambling, dialers, etc., in my REGISTRY:

HKEY_CURRENT_USER

LEADS TO INTERNET SETTINGS, THEN HISTORY, FILLED WITH HUNDREDS OF PORNO, GAMBLING AND AD SITES, AND;

LEADS TO A FOLDER CALLED ZONEMAP, WITH IS FILLED WITH OVER A THOUSAND MORE DIALERS, GAMBLING AND PORN SITES.

I have tried everything to delete them, and they keep reappearing in my REGISTRY. If I use my search option and check for these files, they don't show up, but they are in the REGISTRY. In the registry, it shows that these files are in my History and my Favorites, but they aren't. HELP!

[Prophet in the wilderness]

When ever in doubt when using your credit card number doing on line shopping, the best thing to do is to call your credit card company and have that credit card number closed, and they will issue a new number.
I had to call my credit card company to have them close my card number, after finding some spy ware on my computer. Some credit card companies have a thing called " Virtual account number " it's a number ( not your credit card number ) they give you so you can use it for shopping and you give that number to any merchants ( in some cases, you can only use it ONE TIME ) to do your shopping. It's a lot safer to use that virtual account number, than using you credit card number. If you can't get your ad ware scanner to work, or virus scanner to work, the next thing ( at least I did ) is to reformat, then, reinstall your OS and other programs on your PC, at least ( I had a peace of mind ) you'll have a peace of mind restoring your OS. Also, ALWAYS !!!!! keep your OS and PC up to date by checking for updates constantly. I never put my S.S. number on my PC, or my name or address. When ever you go to a web sight to do your shopping, always clean out the ( if you have Mozilla Fire FOX browser ) information cache

[edchambers]

There are a couple more free utilities that I find helpful.Spybot search and destroy will give you the option to download Javacools Spyware Blaster when you set up or immunize, get it, it's not a scanner it works resident to block thousands of malware programs and is compatible with Spybot you can run them both resident at the same time.Then there's one of my all time favorites CCleaner short for "crap cleaner" this is a killer disk cleanup tool much faster and more powerfull than the standard Windows Disk Cleanup. Plus it will detect and allow you to delete registry errors with or without backing them up.If you do go for a reinstall afterwards download, set up and update Zone Alarm first even before you update Windows.

[Prophet in the wilderness]

Yes, I use Spyblaster and WEBROOT SPYSWEEPER.
is it ok ? to use 2 firewalls at the same time ?
I heard there could be conflicts with them ?
Even if 2 firewalls had conflicts, will that make my PC more susceptible to attacks ?

[nw_arizona_granny]

Ping

[IamHD]

Thanks! :) I just registered and posted my HJT log.

[edchambers]

I don't recomend using two firewalls at once.I've done it with Mcaffee and Zone Alarm and while it worked it was more trouble than it's worth.Windows XP does not recomend using it's built-in firewall with anything else.Haveing tried all of the above I prefer Zone Alarm.The Windows fire wall was either too confusing or restrictive for me so I turned it off and went with Zone Alarm.

[edchambers]

(The best advice I can give any owner of an ME system is to upgrade to XP)

I like XP just fine on a modern system with ALOT of memory, but if you can find it 98se is better than Me and much less of a system resource hog than XP.It doesn't have all the built in security stuff of XP but with all the good freeware security available today that's a non issue.

[ProudVet77]

A point well taken. I have 98 on my laptop and it's just fine.

[Bloody Sam Roberts]

I have tried everything to delete them, and they keep reappearing in my REGISTRY.

There is an executable somewhere on your hardrive that is doing the nasty work of recreating all the registry entries.

I had the same problem with a friend's PC running XP. I had to reformat the drive and reload the OS to get rid of it. The bugger was hiding out in the Windows directory as an executable called "svhost.exe" which is supposed to look like a valid and necessary Microsoft program called "svchost.exe". It would run every ten minutes and recreate all the entries after deletion. It also would not allow Spybot S&D or CWShredder to run. The problem with XP is there is no way to delete a file that runs at startup per se. Since XP is the OS, you can't just startup in DOS mode and delete nasty files. And the creators of the spyware know this.

You may be horked and in need of a wipe 'n' load.

"Filthy nasty spywareses,
trying to hurt the Precious!
But we won't lets them, no we won't!"

[Bloody Sam Roberts]

I have WindowsME.

You're in luck. You can find and delete the executable I mentioned. I am certain that is what is happening on your system.

Use msconfig from the run box and go to the startup tab and look for executable files that do not belong there. To find out what some things are, got to www.answersthatwork.com and look at their startup task page. It will have an alphbetic index of just about everything you could find in a startup listing. And it will tell you what it is and what it does and if it is important or not.

Also, use your "Hijackthis!" to search for things that look out of the ordinary. It will take some detective work, but once you find it, you can boot from a 3 1/2" floppy startup disk and go directly to the path where it lives and delete it. Once done you can startup WinME and clean the registry....In safe mode of course.

[JoJo Gunn]

Don’t get excited just yet. It might be what you’re seeing in the registry is a good thing.

I run ME too, and just the other day I made an updated "nasties" list, which is/are unwanted cookies.

Go into Tools>Internet Options>Security, highlight "Restricted Sites", then click on "sites" and hopefully there is the list of what you speak.

If you find the list in the “trusted sites”, then of course that’s something else again and then you can worry.

My point is that if you're running Adaware or SpyBot or something similar it might very well be they put them there. You can individually place unwanted sites there as well, as I and others do, and then save them, (which someone started referring to as "nasties").

Here's an example of a “good thing”, the registry address of one site example I have in my restricted list:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\zonadialer.com]

[IamHD]

Thanks! :) That's exactly what's going on. I was doing further checking all night long, and the list in my registry is the same as the list in my restricted sites.

Now, I know that my browser was hijacked by something called CoolWebSearch.com, along with a few more. I'm trying to make absolutely certain that I don't have a hidden keylogger somewhere in my computer.

When this happened late Saturday night, my Ad-aware flashed on and turned to the German language, then shutdown, along with my spybot, my anti-virus software, and my firewall, so whatever it was, it got me good. What a nightmare!

I uninstalled and reinstalled all of my programs, and since then, hackers have been trying to get in, BIG time. My firewall is showing a lot of the same IP addresses trying to get into my computer. Everytime I scan with my Ad-aware, spybot, etc., etc., I have a ton of junk to remove, and my computer is running very slow, so I think that there is still something there.

Thanks to everyone! :) I'll stop by when I get an answer on my HijackThis log that I left at 2 different sites.

[JoJo Gunn]

I'm glad you haven't been that hammered after all. :)

One place you can't go wrong with your hijack list is here:

http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

AnnMarie is one sharp cookie, and you can tell her I said so. :)

---

(Your "Hijack This" program has this next item built in, so it's posted for anyone else that might read this thread):

This is a direct link to a freebie zipped file called "startup list". It's small, nothing you install, and wherever you save it is where it'll create and save a text file of all the programs running in the background. Maybe you've been told that already, but if not.... and besides anyone else here can gain from it. It's one more thing to keep in the toolbox.

http://downloads.subratam.org/startuplist.zip

[JoJo Gunn]

My editing skills left something to be desired in that last post. Oh well....

There's a way to save all those listed in the Restricted Zone, for the time you might have to do a reinstall.

Go to Start>Run, and type in "regedit" without the quote marks, and then find your way to that "Domains" folder for the RESTRICTED sites. Here's the path:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

You highlight the Domains folder and then go all the way to the top and click Registry>Export registry file. Give it a name, I usually name it "nasties as of (date)" and save it.

By the way, you'll no doubt notice it's a little time consuming to find the exact place in the registry, and there's a place at the top to bookmark things, just as with a browser, "Favorites". Mark that place and you'll be able to export your unwanted additions with ease.

Since this is about nasties and such, here's another trick about entering unwanted things into that Restricted area. For example:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coolwebsearsh.com]

What you can do is copy and paste that into a Notepad file, and save it with whatever name you want, but save it with a .reg at the end. That'll turn it into a registry file, and then you can double click it and enter it into the registry. (You'll get a confirmation box first). Sometimes people on some sites will post comprehensive lists in plain text, and you can make your own file that's quick to enter instead of doing them all one at a time.

To all: Obviously it's not that hard to mess with the registry, so let me give this caveat: in a very real sense we're talking about brain surgery here. You break the registry, you run a good chance of breaking your OS, so be methodical and careful and don't be afraid to ask if you're not sure! Go to Start>Run and then type "scanreg" without quotes and the registry will be checked for errors and then you'll be asked if you want to make a backup. Say YES.

Bookmark this and better yet print it:

http://www.helpwithwindows.com/windows98/start-145.html



Class dismissed.... :)

[daylate-dollarshort]

Does she really have a problem???

Is this what you find in the registry.

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" ??

Spybot S&D and some other anti-spyware programs will put these into the registry so they can block downloads from the offending sites.

[IamHD]

Thank you for the links! I haven't heard anything from the other 2 sites that I placed my HijackThis log, yet, so another won't hurt! :)

[IamHD]

These really help, too! I knew that there was an easier way for me to do this...I just hadn't figured it out yet.

So far, my machine appears to be clean. I've been redoing my spybot, ad-aware, and all the others, and so far, so good. My computer is running a lot faster now.

I can't believe (well, I know that it's true, but as never happened to me until now) that just clicking on a supposedly innocent looking website, turned out to be a hacking site. How dumb do I feel?? My curiosity got the better of me.

Thanks again!

[rintense]

Hijack works well by identifying unusual windows registry entries, and allows you to delete them.

[IamHD]

Yes, that's what I finally figured out last night. And to think, my husband told me that I could go to jail for having these things on my computer. LOL

[IamHD]

It really does. I have been working on my computer since this happened. So far, I haven't received any replies to my HJT logs, (2 sites) so I found a place that tells you what you can remove or fix. I did find several browser hijacker entries and removed those, along with some other suspicious items. So far, so good. :) I'm going to send my log to another site recommended by JoJoGunn and see if they will take a look for my own peace of mind.