
| | Re: Anyone know what spywiper is? Can anyone please, please post a *confirmed* fix to remove this. So far the "fixes" I have seen do not work. Or even answer me this: IS there a fix yet?
I've tried-
* Ad Aware 6 (detects nothing)
* Spybot S&D (detects nothing)
* Registry Clean Expert from Cnet
* Manually resetting the default homepage to yahoo.com
* Manually editing the registry and searching for default-homepage-network.com yields NO MATCHES
Even after all that... I can't remove it.
Within seconds of connecting to the Internet I begin getting multiple popups. I left my system on overnight and in the morning I had 45 instances of Internet Explorer and 15 instances of notepad open.
Logfile of HijackThis v1.97.7
Scan saved at 1:53:32 PM, on 12/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Canon\MultiPASS4\monitr32.exe
C:\Program Files\Canon\MultiPASS4\MPTBox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Registry Clean Expert\RCScheduler.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\notepad.exe
\192.9.200.8\mis\apps\popupkiller\HiJack This\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.default-homepage-network.com···gi?k1-hp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »smbusiness.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCScheduler.exe" /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···.5978125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - »http.gamezone.tukati.com/tukati/···kati.cab

Under R0 I want to add I manually delete/edit that out of the registry and within seconds of plugging the ethernet cable back in the entry re-appears after the popups begin again. So removing the entry does nothing. I'm missing a step here..
Thank you for ANY and all help. Formatting is NOT an option. | |
|  | | Re: Anyone know what spywiper is? Close all other windows.....check off the box next to:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.default-homepage-network.com/start
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscpbo.exe
"Fix Checked".....reboot
after restarting, preferably in safe mode..go to:
C:\WINDOWS\System32 & delete mscpbo.exe
-- »www.amazingtechs.com/ | |
|  | | I got this awful hijacker last week, same homepage-network / spywiper / cellphone ad / porn ad crap. I ran "Spybot Search & Destroy" on it, w/ no success. (Spybot is an awesome free proggy, I sent them a report on this jacker.) I cleared cookies & files... got jacked again! I have Adaware on my other computers... forgot to put it on this one. After install, I ran it... it found all mentioned IE entries / exploits / registry changes. Adaware, I assume, updated their database (I updated after install, today)... as it will recognize, and clean this hijacker (I noticed some of you had no luck with Adaware against it). My Adaware found it, it matches the registry reports in previous posts here. This one is a real bug-a-boo! | |
|  |  | | Re: Anyone know what spywiper is? Also, paltalk is a trojan program that is disguised as chat. It monitors everything you see and surf on the web, and even puts code in the memory of the comp. Go to c: windows and choose 'startup' to erase their icon. If you go to »webroot.com they give you a free trial, so you can clean your comp for free for 30 days of all spyware and paltalk things. Talking on forums doesn't help..... file a complaint at »ftc.gov, they work with the FBI. Also, find your state attorney complaint form online. You also have BBB online. Zedmedia, default-homepage and mailwiper are probably the same group. IMPORTANT... default-homepage-network.com in the global whois for the domain claims they are c/o the networksolutions company to fool people so that people trust them. Write or call networksolutions.com and report that, so they have highly paid lawyers who will take care of it and we will all benefit. The FBI and government are probably hijacked in the same manner as we are. Also, when will Microsoft.com add all this extra protection that we have to buy from third parties? In the United States, the manufacturer is responsible for a defective item and free replacement, so why do we have to pay for firewalls, virus scans, and so on? If a product is not good then go out of business and let the competition make better software. We have seen a lot of recalls in America but never from Microsoft. | |
|  |  |  | | Re: Anyone know what spywiper is? I found the code that opens the cd-drive, am using it as joke on friends 
document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u004c\u0041\u004e\u0047\u00 55\u0041\u0047\u0045\u003d\u0022\u0056\u0042\u0053\u0063\u0072\u0069\u0070\u0074\u0022\u003e \u000d\u000a\u003c\u0021\u002d\u002d\u000d\u000a\u0053\u0065\u0074\u0020\u006f\u0057\u004d\u 0050\u0020\u003d\u0020\u0043\u0072\u0065\u0061\u0074\u0065\u004f\u0062\u006a\u0065\u0063\u00 74\u0028\u0022\u0057\u004d\u0050\u006c\u0061\u0079\u0065\u0072\u002e\u004f\u0043\u0058\u002e \u0037\u0022\u0020\u0029\u000d\u000a\u0053\u0065\u0074\u0020\u0063\u006f\u006c\u0043\u0044\u 0052\u004f\u004d\u0073\u0020\u003d\u0020\u006f\u0057\u004d\u0050\u002e\u0063\u0064\u0072\u00 6f\u006d\u0043\u006f\u006c\u006c\u0065\u0063\u0074\u0069\u006f\u006e\u000d\u000a\u0069\u0066 \u0020\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u 0074\u0020\u003e\u003d\u0020\u0031\u0020\u0074\u0068\u0065\u006e\u000d\u000a\u0046\u006f\u00 72\u0020\u0069\u0020\u003d\u0020\u0030\u0020\u0074\u006f\u0020\u0063\u006f\u006c\u0043\u0044 \u0052\u004f\u004d\u0073\u002e\u0043\u006f\u0075\u006e\u0074\u0020\u002d\u0020\u0031\u000d\u 000a\u0063\u006f\u006c\u0043\u0044\u0052\u004f\u004d\u0073\u002e\u0049\u0074\u0065\u006d\u00 28\u0069\u0029\u002e\u0045\u006a\u0065\u0063\u0074\u000d\u000a\u004e\u0065\u0078\u0074\u0020 \u0027\u0020\u0063\u0064\u0072\u006f\u006d\u000d\u000a\u0045\u006e\u0064\u0020\u0049\u0066\u 000d\u000a\u002d\u002d\u003e\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u00 3e')
Hmmm.. if only I knew the actual workings of that | |
|  |  |  |  BPremium,MVM join:2000-10-28 | Re: Anyone know what spywiper is? Isn't that C code? Not likely to be running from a web ad I think...
I Googled up VBScript and JavaScript IE versions of this trick at »www.waxy.org/archive/2003/03/27/···dr.shtml . I haven't tried them.
I don't know which method SpyWiper's ad uses; I just thought it was a cute feat.
-- B | |
|  |  |  |  |  | | Re: Anyone know what spywiper is? Those of you having problems with constant jackings - can I recommend that you use a firewall. This normally stops the code from getting in. | |
|  |  |  |  |  |  R2R NotPremium,MVM join:2000-09-18 Long Beach, CA kudos:1 | Re: Anyone know what spywiper is? Not necessarily. The usual pathway into someone's computer is NOT through an open back door, it is through the front door. Just like all other crimes.
When I hear about a murder in a house, the first suspects are the spouse, the ex-spouse, and ex-lover, the kids, business partner, etc -- all of whom get let in the front door.
Statistically, most malware infections are let in by the user -- perhaps unknowingly by opening an email attachment or visiting a rogue web site with Active Content enabled. Until you do something more proactive than a firewall, the hijackings will continue. JMHO | |
|  |  |  |  |  |  |  BPremium,MVM join:2000-10-28 | Re: Anyone know what spywiper is? Well sure, R2, I thought that went without saying. Anything that worms its way in via inbound exploits (relying on open ports on your computer) is NOT going to be simple ad-ware/spyware.
-- B | |
|  |  |  |  |  |  |  |  R2R NotPremium,MVM join:2000-09-18 Long Beach, CA kudos:1 | Re: Anyone know what spywiper is? Hey, first edition single letter entity, you are usually correct. However, I don't know how many times I see comments like: quote: "I recommend that you use a firewall. This normally stops the code from getting in."
I found those comments a little naive in their approach. A basic firewall covers your rear, but it does not do so hot to protect you against things that come in through the front door.
Little kids don't get kidnapped by some stranger, statistically they get kidnapped by the estranged father -- who got into the house quite easily. | |
|  |  |  |  |  |  |  |  |  BPremium,MVM join:2000-10-28 | Re: Anyone know what spywiper is? [ Does that mean you're Revision 2? I never knew. ]
Of course I agree with you. I was just saying that we would "consider the source", a semi-anonymous poster whose comment would be weighed appropriately. Best fishes.
-- B | |
|  |  |  |  |  |  |  |  |  |  | | Re: Anyone know what spywiper is? Oh that code is not C-code, it's Unicode. Unicode: A code where all characters are represented by a code. Web browsers automatically understand it.
It translates into the Javascript code used to open the Cd-Drives. | |
 |  |  |  robtooR.J.T.Premium join:2003-10-13 United Kingd 3 edits | Thanks for posting the code vulcan146. Here's the converted version...
<script LANGUAGE="VBScript">
<!--
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
    For i = 0 to colCDROMs.Count - 1
        colCDROMs.Item(i).Eject
    Next ' cdrom
End If
-->
</script>
In case anyone's surprised, this shows that the ejecting CD doesn't mean you're being spied upon.
Much later EDIT: the opening notepad trick's cute, too -- it uses view-source:hxxp://www.example.com/something.txt | |
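
Added example (not part of any post in this thread): the conversion shown above can be reproduced without loading the snippet in a browser, by decoding the \uXXXX escapes as plain text and never executing them. The JavaScript below does that for a shortened, constructed sample built from two fragments of the payload quoted earlier; the names decodeUnicodeEscapes, triage and SAMPLE are chosen here, and the decoder assumes that whitespace inside a run of escapes is a line-wrapping artifact.

```javascript
// Static decoder for \uXXXX-escaped script payloads. Nothing is evaluated or
// written to a document: escapes are converted to text with regexes only.

// Constructed sample: two fragments of the payload quoted in the thread, split
// into pieces so that joining with a space mimics forum line wrapping
// (including breaks in the middle of an escape, e.g. "\u00 55").
const SAMPLE = [
  "document.write('\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u0020",
  "\\u004c\\u0041\\u004e\\u0047\\u00",
  "55\\u0041\\u0047\\u0045\\u003d\\u0022\\u0056\\u0042\\u0053\\u0063\\u0072",
  "\\u0069\\u0070\\u0074\\u0022\\u003e\\u0053\\u0065\\u0074\\u0020\\u006f\\u0057\\u004d\\u",
  "0050\\u0020\\u003d\\u0020\\u0043\\u0072\\u0065\\u0061\\u0074\\u0065\\u004f",
  "\\u0062\\u006a\\u0065\\u0063\\u0074\\u0028\\u0022\\u0057\\u004d\\u0050\\u006c",
  "\\u0061\\u0079\\u0065\\u0072\\u002e\\u004f\\u0043\\u0058\\u002e\\u0037\\u0022\\u0020\\u0029')",
].join(" ");

// Decode every run of \uXXXX escapes. Whitespace inside a run is treated as a
// wrapping artifact and dropped; whitespace after the run is kept as literal.
function decodeUnicodeEscapes(src) {
  const run = /(?:\\u\s*(?:[0-9a-fA-F]\s*){4})+/g;
  return src.replace(run, (m) => {
    const tail = m.match(/\s*$/)[0];
    const compact = m.replace(/\s+/g, "");
    const text = compact.replace(/\\u([0-9a-fA-F]{4})/g,
      (_, hex) => String.fromCharCode(parseInt(hex, 16)));
    return text + tail;
  });
}

// Pull out what a reviewer wants to know first: which script engine the
// decoded markup asks for and which COM objects (ProgIDs) it instantiates.
function triage(text) {
  const lang = /<script[^>]*\blanguage\s*=\s*["']?([\w.]+)/i.exec(text);
  const progIds = [...text.matchAll(/CreateObject\s*\(\s*"([^"]+)"/gi)]
    .map((m) => m[1]);
  return { language: lang ? lang[1] : null, progIds };
}

const decoded = decodeUnicodeEscapes(SAMPLE);
console.log(decoded);
console.log(triage(decoded));
```
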