

I hate Spywiper

@pacbell.net

reply to NHD tech

Re: Anyone know what spywiper is?

Can anyone please, please post a *confirmed* fix to remove this. So far the "fixes" I have seen do not work. Or even answer me this: IS there a fix yet?

I've tried-

* Ad Aware 6 (detects nothing)
* Spybot S&D (detects nothing)
* Registry Clean Expert from Cnet
* Manually resetting the default homepage to yahoo.com
* Manually editing the registry and searching for default-homepage-network.com yields NO MATCHES

Even after all that... I can't remove it.

Within seconds of connecting to the Internet I begin getting multiple popups. I left my system on overnight and in the morning I had 45 instances of Internet Explorer and 15 instances of notepad open.

Logfile of HijackThis v1.97.7
Scan saved at 1:53:32 PM, on 12/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Registry Clean Expert\RCScheduler.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\notepad.exe
\192.9.200.8\mis\apps\popupkiller\HiJack This\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.default-homepage-network.com···gi?k1-hp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···.5978125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - »http.gamezone.tukati.com/tukati/···kati.cab

Under R0 I want to add that I manually delete/edit that out of the registry, and within seconds of plugging the ethernet cable back in the entry re-appears, after the popups begin again. So removing the entry does nothing. I'm missing a step here...

Thank you for ANY and all help. Formatting is NOT an option.


discogail

join:2001-12-05
Somerville, MA

Close all other windows.....check off the box next to:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.default-homepage-network.com/start

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe


"Fix Checked".....reboot

After restarting, preferably in safe mode, go to:

C:\WINDOWS\System32 & delete mscpbo.exe
--
»www.amazingtechs.com/
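Added example, not from this thread or from HijackThis itself: a small Python triage script that reads HijackThis-style lines and flags the three entry types discogail's fix targets (an R0/R1 start page pointing at an unexpected host, an O2 BHO with no backing file, and an O4 Run entry that is absent from a known-clean baseline). The sample lines, the expected-homepage list and the baseline of Run entry names are constructed for the example; on a real log you would feed it the saved logfile and your own baseline.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: a handful of HijackThis-style lines modelled on the log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.default-homepage-network.com/start
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
"""

# Hypothetical baselines: hosts the owner expects as a start page, and the Run entry
# names recorded from a known-clean snapshot of the same machine.
EXPECTED_HOMEPAGE_HOSTS: Set[str] = {"smbusiness.dellnet.com", "www.yahoo.com", "yahoo.com"}
BASELINE_RUN_NAMES: Set[str] = {"hotkeyscmds", "msmsgs"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")


@dataclass
class Finding:
    code: str     # HijackThis section code, e.g. R0, O2, O4
    reason: str   # why the entry was flagged
    line: str     # the original log line


def parse_entries(log_text: str):
    """Yield (code, body, raw_line) for every line that looks like a HijackThis entry."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("code"), m.group("body"), raw


def host_of(url: str) -> str:
    """Host part of a URL as HijackThis prints it (scheme optional, quotes stripped)."""
    url = url.strip().strip('"')
    url = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return url.split("/", 1)[0].lower()


def triage(log_text: str,
           expected_hosts: Set[str] = EXPECTED_HOMEPAGE_HOSTS,
           baseline_run: Set[str] = BASELINE_RUN_NAMES) -> List[Finding]:
    """Flag the three entry types this thread's fix revolves around."""
    findings: List[Finding] = []
    for code, body, raw in parse_entries(log_text):
        if code in ("R0", "R1") and ("Start Page" in body or "Default_Page_URL" in body):
            value = body.split("=", 1)[1] if "=" in body else ""
            host = host_of(value)
            if host and host not in expected_hosts:
                findings.append(Finding(code, f"start page points at unexpected host {host}", raw))
        elif code == "O2" and body.rstrip().endswith("(no file)"):
            findings.append(Finding(code, "BHO registered with no backing file", raw))
        elif code == "O4":
            m = RUN_NAME_RE.search(body)
            if m is None:          # Startup-folder .lnk entries carry no [name]; skip them here
                continue
            name = m.group("name").lower()
            if name not in baseline_run:
                findings.append(Finding(code, f"autostart entry [{name}] not in clean baseline", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

The baseline comparison is the part that does the work: the hijacker's Run entry (`[msmc]` pointing at a System32 file) is not suspicious by path alone, which is why a scanner with no signature for it misses it, but it stands out immediately against a list of what the machine ran when it was clean.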



barrysadie

@asm.bellsouth.ne

reply to I hate Spywiper
I got this awful hijacker last week, same homepage-network / spywiper / cellphone ad / porn ad crap. I ran "Spybot Search & Destroy" on it, with no success. (Spybot is an awesome free proggy; I sent them a report on this jacker.) I cleared cookies & files...... got jacked again! I have Adaware on my other computers...... forgot to put it on this one. After install, I ran it....... it found all mentioned IE entries / exploits / registry changes. Adaware, I assume, updated their database (I updated after install, today)... as it will recognize and clean this hijacker (I noticed some of you had no luck with Adaware against it). My Adaware found it; it matches the registry reports in previous posts here.
This one is a real bug-a-boo!



cyber11

@aol.com

Also, Paltalk is a trojan program that is disguised as chat.
It monitors everything you see and surf on the web, and even puts code in the memory of your comp. Go to c:\windows and choose 'startup' to erase their icon. If you go to »webroot.com they give you a free trial, so you can clean your comp for free for 30 days from all spyware and Paltalk things. Talking on forums doesn't help..... file a complaint at »ftc.gov; they work with the FBI. Also, find your state attorney complaint form online. You also have BBB Online.
Zedmedia, default-homepage and mailwiper are probably the same group.
IMPORTANT... default-homepage-network.com in the global whois for the domain claims they are c/o the Network Solutions company, to fool people so that people trust them.
Write or call networksolutions.com and report that, as they have high-paid lawyers who will take care of it and we will all benefit. The FBI and government are probably hijacked in the same manner as we are. Also, when will Microsoft.com add all this extra protection that we have to buy from third parties? In the United States, the manufacturer is responsible for a defective item and free replacement, so why do we have to pay for firewalls, virus scans, and else? If the product is not good then go out of business and let the competition make better software. We have seen a lot of recalls in America but never from Microsoft.



vulcan146

@156.xx.204.Dial1.Bos

I found the code that opens the CD drive; I'm using it as a joke on friends.

document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u004c\u0041\u004e\u0047\u0055\u0041\u0047\u0045\u003d\u0022\u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u003c\u0021\u002d\u002d\u000d\u000a\u0053\u0065\u0074\u0020\u006f\u0057\u004d\u0050\u0020\u003d\u0020\u0043\u0072\u0065\u0061\u0074\u0065\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0022\u0057\u004d\u0050\u006c\u0061\u0079\u0065\u0072\u002e\u004f\u0043\u0058\u002e\u0037\u0022\u0020\u0029\u000d\u000a\u0053\u0065\u0074\u0020\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u0020\u003d\u0020\u006f\u0057\u004d\u0050\u002e\u0063\u0064\u0072\u006f\u006d\u0043\u006f\u006c\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u000d\u000a\u0069\u0066\u0020\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\u003e\u003d\u0020\u0031\u0020\u0074\u0068\u0065\u006e\u000d\u000a\u0046\u006f\u0072\u0020\u0069\u0020\u003d\u0020\u0030\u0020\u0074\u006f\u0020\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\u002d\u0020\u0031\u000d\u000a\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0049\u0074\u0065\u006d\u0028\u0069\u0029\u002e\u0045\u006a\u0065\u0063\u0074\u000d\u000a\u004e\u0065\u0078\u0074\u0020\u0027\u0020\u0063\u0064\u0072\u006f\u006d\u000d\u000a\u0045\u006e\u0064\u0020\u0049\u0066\u000d\u000a\u002d\u002d\u003e\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e')

Hmmm.. if only I knew the actual workings of that


B
Premium,MVM
join:2000-10-28

Isn't that C code? Not likely to be running from a web ad I think...

I Googled up VBScript and JavaScript IE versions of this trick at »www.waxy.org/archive/2003/03/27/···dr.shtml . I haven't tried them.

I don't know which method SpyWiper's ad uses; I just thought it was a cute feat.

-- B



Marco Soto

@cableol.net

Those of you having problems with constant jackings - can I recommend that you use a firewall. This normally stops the code from getting in.



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Not necessarily. The usual pathway into someone's computer is NOT through an open back door; it is through the front door. Just like all other crimes.

When I hear about a murder in a house, the first suspects are the spouse, the ex-spouse, an ex-lover, the kids, the business partner, etc. -- all of whom get let in the front door.

Statistically, most malware infections are let in by the user -- perhaps unknowingly, by opening an email attachment or visiting a rogue web site with Active Content enabled. Until you do something more proactive than a firewall, the hijackings will continue. JMHO


B
Premium,MVM
join:2000-10-28


Well sure, R2, I thought that went without saying. Anything that worms its way in via inbound exploits (relying on open ports on your computer) is NOT going to be simple ad-ware/spyware.

-- B



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

Hey, first edition single letter entity, you are usually correct. However, I don't know how many times I see comments like:

quote:
"I recommend that you use a firewall. This normally stops the code from getting in."
I find those comments a little naive in their approach. A basic firewall covers your rear, but it does not do so hot at protecting you against things that come in through the front door.

Little kids don't get kidnapped by some stranger; statistically they get kidnapped by the estranged father -- who got into the house quite easily.

B
Premium,MVM
join:2000-10-28


[ Does that mean you're Revision 2? I never knew. ]

Of course I agree with you. I was just saying that we would "consider the source", a semi-anonymous poster whose comment would be weighed appropriately. Best fishes.

-- B



Me123987

@25.xx.156.Dial1.Bost

Oh, that code is not C code, it's Unicode.
Unicode: a code where all characters are represented by a code. Web browsers automatically understand it.

It translates into the Javascript code used to open the CD drives.



robtoo
R.J.T.
Premium
join:2003-10-13
United Kingd


reply to vulcan146
Thanks for posting the code vulcan146. Here's the converted version...

<script LANGUAGE="VBScript">
<!--
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
-->
</script>

In case anyone's surprised, this shows that the ejecting CD doesn't mean you're being spied upon.

Much later EDIT: the opening notepad trick's cute, too -- it uses view-source:hxxp://www.example.com/something.txt
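As an added example (not from the thread or from either poster), here is a Python deobfuscator for the kind of \uXXXX-escaped document.write() payload vulcan146 posted and Me123987 and robtoo explained: it unwraps the document.write() call, decodes \u and \x escapes until the text stops changing, and pulls out what a triager wants to know first, the script language and the COM ProgIDs the script creates. The VBScript it round-trips is the one robtoo decoded above; the posted excerpt and the obfuscated wrapper are constructed here, and encode_js_unicode is this example's own helper, not anything from the ad.

```python
import re

# Constructed sample: the decoded VBScript quoted in this thread, used here only to
# build an obfuscated document.write() wrapper for the round trip.
VBS_SOURCE = (
    '<script LANGUAGE="VBScript">\r\n'
    "<!--\r\n"
    'Set oWMP = CreateObject("WMPlayer.OCX.7" )\r\n'
    "Set colCDROMs = oWMP.cdromCollection\r\n"
    "if colCDROMs.Count >= 1 then\r\n"
    "For i = 0 to colCDROMs.Count - 1\r\n"
    "colCDROMs.Item(i).Eject\r\n"
    "Next ' cdrom\r\n"
    "End If\r\n"
    "-->\r\n"
    "</script>"
)

# Constructed excerpt: the first 36 escapes in the form vulcan146 posted (raw string,
# so Python leaves the backslash sequences alone).
POSTED_EXCERPT = (
    r"document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020"
    r"\u004c\u0041\u004e\u0047\u0055\u0041\u0047\u0045\u003d\u0022"
    r"\u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074\u0022\u003e"
    r"\u000d\u000a\u003c\u0021\u002d\u002d\u000d\u000a')"
)

UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
WRITE_CALL = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S)


def encode_js_unicode(text: str) -> str:
    """Example helper: escape every character as \\uXXXX, the way the posted ad was obfuscated."""
    return "".join(f"\\u{ord(c):04x}" for c in text)


def unescape_js(s: str) -> str:
    """Decode JavaScript \\uXXXX and \\xXX escapes into the characters they stand for."""
    s = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    s = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s


def unwrap_document_write(s: str) -> str:
    """Return the string literal(s) passed to document.write(), concatenated; if none, s itself."""
    parts = [m.group(2) for m in WRITE_CALL.finditer(s)]
    return "".join(parts) if parts else s


def deobfuscate(s: str, max_rounds: int = 5) -> str:
    """Peel document.write() wrappers and escape layers until the text stops changing.

    Obfuscated ads sometimes nest one document.write() inside another, so this loops
    rather than decoding once; max_rounds bounds the work on pathological input.
    """
    for _ in range(max_rounds):
        new = unescape_js(unwrap_document_write(s))
        if new == s:
            break
        s = new
    return s


def summarize(decoded: str) -> dict:
    """The facts a triager wants first: the script language and the COM objects it creates."""
    lang = re.search(r'<script[^>]*LANGUAGE\s*=\s*"([^"]+)"', decoded, re.I)
    progids = re.findall(r'CreateObject\(\s*"([^"]+)"', decoded, re.I)
    return {"language": lang.group(1) if lang else None, "progids": progids}


if __name__ == "__main__":
    obfuscated = "document.write('" + encode_js_unicode(VBS_SOURCE) + "')"
    decoded = deobfuscate(obfuscated)
    print(decoded)
    print(summarize(decoded))
```

The summary line is the useful output for a defender: seeing `WMPlayer.OCX.7` as the only object created tells you the script is reaching the Windows Media Player control's CD-ROM collection and nothing else, which is exactly why, as robtoo says, an ejecting tray is no evidence of anything being read off the machine.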

normmork

join:2003-10-23
Canada

reply to Marco Soto
You may want to read this article for more information

»www.lavasoftsupport.com/index.ph···pic=6553

