This is regarding my computer, ever since my nieces and nephews messed with my computer approximately 2 months ago. It has been acting very strange.
1. My "System 32" folder always come up upon start up.
2. Even if I completely turn off my start up group items, some still comes back upon a restart.
3. Once in awhile a "ghost" Internet Explorer windows pops in a a minimized status. Every time I click on it, it goes out of my screen at the bottom.
4. Sometimes when typing something in the address bar, it slows to a crawl. I can actually see the letters displaying one at a time at a rate of 1 per second.
Kevin/Josh/Brandon/anyone - any ideas what the freak is going on? Where can i find this application that is running in the background, if any? Is there a ghost in my machine?
My little nieces and nephews were surfing on this computer for a long time that one day. I had to delete alot of their stuff already. If anyone can help me figure this out, it would help greatly.
Spyware or something is very weird
Moderator: snoopdog
Try Spybot and Ad-Aware:
Spybot:
http://www.safer-networking.org/index.php?page=mirrors
Ad-Aware:
http://www.lavasoftusa.com/support/download/
Spybot:
http://www.safer-networking.org/index.php?page=mirrors
Ad-Aware:
http://www.lavasoftusa.com/support/download/
Sounds like different types of spyware... no clue what they are. I can't keep up with all the different malicious stuff out there these days. I always just tell them to delete everything they find.
I would really like to shave the guys balls with a cheese grater who first invented this spyware and virus crap.
I would really like to shave the guys balls with a cheese grater who first invented this spyware and virus crap.
-
snoopdog
- Yellow Tang
- Posts: 4258
- Joined: Mon Feb 17, 2003 7:37 pm
- Are you a Bot ?: No
- Location: Mobile, Al
- Contact:
yes and please use the "update" button on the adaware everytime you run it. These people that I deal with daily get it as soon as the updates come out. Make sure you have a check on everything you want removed before you proceed to the quaranteen. Instead of individually clicking on every single one you can right click and choose select all.
"When they was no meat we ate fowl, when there was no fowl we ate crawdad. And when there was no crawdad to be found, we ate sand."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
-
snoopdog
- Yellow Tang
- Posts: 4258
- Joined: Mon Feb 17, 2003 7:37 pm
- Are you a Bot ?: No
- Location: Mobile, Al
- Contact:
A good popup blocker will prevent you from getting them quite as fast.
"When they was no meat we ate fowl, when there was no fowl we ate crawdad. And when there was no crawdad to be found, we ate sand."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
-
harbingerofthefish
- Copepod
- Posts: 393
- Joined: Sun Feb 23, 2003 2:55 pm
- Location: ^^Harbinger wishes he was way up here^^ - um...can we say abuse of power here?! and memphis, tn ;)
- Contact:
the prob. with pop up blockers is that they usually block everything. Once you insatll one you'll know what i meen.
Xster...if the clean up stuuf worked...cool.
i hve this thing called coolwebsearch on my machine and it's driving me crazy. it's loicated in a file that I cant't find. I clen it up via adaware, but it comes back. damn techies!!!
If someone has isolated this and can help me out...thanks!
Xster...if the clean up stuuf worked...cool.
i hve this thing called coolwebsearch on my machine and it's driving me crazy. it's loicated in a file that I cant't find. I clen it up via adaware, but it comes back. damn techies!!!
If someone has isolated this and can help me out...thanks!
"nothing is the matter, it don't matter what you think"
-
snoopdog
- Yellow Tang
- Posts: 4258
- Joined: Mon Feb 17, 2003 7:37 pm
- Are you a Bot ?: No
- Location: Mobile, Al
- Contact:
August 18, 2003
Weekly Spyware Alert: CoolWebSearch
By Webroot Software Development Team
Discuss this now (12 posts)
Variants: This spyware is morphing at a rapid rate. Below, variants and their estimated appearance date are listed in reverse chronological order.
DNSRelay.dll – August 7, 2003
Svchost32 – August 3, 2003
Oemsyspnp – July 29, 2003
Msspi.dll – July 28, 2003
Vrape – July 20, 2003
OSLogo.bmp – July 10, 2003
Bootconf – July 6, 2003
Datanotary – May 27, 2003
Description: CoolWebSearch is a name given to a wide range of different browser hijackers. The code is very different between variants, but all are currently used to redirect users to coolwebsearch.com and other sites affiliated with its operators. The alarming trend with this hijacker is rapid metamorphosis and the increasing difficulty of removal. Some documented behaviors associated with each variant include:
DNSRelay.dll - Implemented as an IE URL hook. Hijacks address bar search phrases as well as any site name entered into the address bar without a leading 'http://' or 'www' to search aimed at activexupdate.com (a CWS site redirecting through yellow2.com to allhyperlinks.com).
Svchost32 - Hosts file hijacker that uses a laundering technique to avoid detection by anti-hijacker tools. Targeted sites (Yahoo Search, MSN Search and all countries' versions of Google) are set in the Hosts file to point to 'localhost' (127.0.0.1). Because most local hosts are not running a web server, this results in an error page that is hijacked to the CWS site slawsearch.com.
Oemsyspnp - Hides inside the 'inf' folder usually used for storing device driver information. Its hijacker file is run on each startup, using a slightly different install command each time. Hijacks home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com and adds activexupdate.com to the IE 'Safe Sites' list.
Msspi.dll - Implemented as a Winsock2 Layered Service Provider. Hijacks search results and targets Google, Yahoo and Altavista, offering popups that advertised bogus enhanced results and leading to advertising from unipages.cc.
OSLogo.bmp - IE start and search pages are changed to several dozen different sites affiliated with CoolWebSearch. Over 80 domains that are known CWS have appeared in users' logs.
Bootconf - Also employs a CSS stylesheet, but hijacks homepage and all search settings to coolwebsearch.com. Site names are scrambled using URL-encoding to make them difficult to read. Bootconf.exe is set to run on every start-up, reestablishing the hijack. CoolWebSearch is added the IE 'Safe Sites' list.
Datanotary - First known variant, hijacks to datanotary.com. Places a CSS stylesheet in the Windows folder and sets it as the default sytlesheet for all pages viewed in IE. Embedded javascript code then tries to guess when a user is viewing pornographic images.
Method of Infection: CoolWebBrowser is suspected to be installed by pop-ups exploiting security holes in IE. However, to date, no one has caught a live CWS installer.
Privacy Issues: None reported
Security Issues: In the Bootconf variant, coolwebsearch.com is added to IE's Trusted Sites Zone, allowing it to download and install any code it likes.
cloudthestrife: I tell ya...it gets worse and worse.
view full post >
Stability Issues: DataNotary and BootConf variants may cause significant slowdown when typing in a browser window on some systems (particularly when entering information into forms). The SvcHost variant prevents you from completely reaching Google or the search services of MSN or Yahoo.
Removal Process: Manual removal is possible for most of the variants, but can be time consuming. As of this writing, most anti-spyware programs aren't currently addressing all variants.
Merijn Bellekom has fully documented the metamorphosis of CoolWebSearch and has prepared a tool called CWShredder which should be able to remove all known CoolWebSearch variants automatically. To access both, visit The CoolWebSearch Chronicles.
Vendor: www.CoolWebSearch.com
Weekly Spyware Alert: CoolWebSearch
By Webroot Software Development Team
Discuss this now (12 posts)
Variants: This spyware is morphing at a rapid rate. Below, variants and their estimated appearance date are listed in reverse chronological order.
DNSRelay.dll – August 7, 2003
Svchost32 – August 3, 2003
Oemsyspnp – July 29, 2003
Msspi.dll – July 28, 2003
Vrape – July 20, 2003
OSLogo.bmp – July 10, 2003
Bootconf – July 6, 2003
Datanotary – May 27, 2003
Description: CoolWebSearch is a name given to a wide range of different browser hijackers. The code is very different between variants, but all are currently used to redirect users to coolwebsearch.com and other sites affiliated with its operators. The alarming trend with this hijacker is rapid metamorphosis and the increasing difficulty of removal. Some documented behaviors associated with each variant include:
DNSRelay.dll - Implemented as an IE URL hook. Hijacks address bar search phrases as well as any site name entered into the address bar without a leading 'http://' or 'www' to search aimed at activexupdate.com (a CWS site redirecting through yellow2.com to allhyperlinks.com).
Svchost32 - Hosts file hijacker that uses a laundering technique to avoid detection by anti-hijacker tools. Targeted sites (Yahoo Search, MSN Search and all countries' versions of Google) are set in the Hosts file to point to 'localhost' (127.0.0.1). Because most local hosts are not running a web server, this results in an error page that is hijacked to the CWS site slawsearch.com.
Oemsyspnp - Hides inside the 'inf' folder usually used for storing device driver information. Its hijacker file is run on each startup, using a slightly different install command each time. Hijacks home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com and adds activexupdate.com to the IE 'Safe Sites' list.
Msspi.dll - Implemented as a Winsock2 Layered Service Provider. Hijacks search results and targets Google, Yahoo and Altavista, offering popups that advertised bogus enhanced results and leading to advertising from unipages.cc.
OSLogo.bmp - IE start and search pages are changed to several dozen different sites affiliated with CoolWebSearch. Over 80 domains that are known CWS have appeared in users' logs.
Bootconf - Also employs a CSS stylesheet, but hijacks homepage and all search settings to coolwebsearch.com. Site names are scrambled using URL-encoding to make them difficult to read. Bootconf.exe is set to run on every start-up, reestablishing the hijack. CoolWebSearch is added the IE 'Safe Sites' list.
Datanotary - First known variant, hijacks to datanotary.com. Places a CSS stylesheet in the Windows folder and sets it as the default sytlesheet for all pages viewed in IE. Embedded javascript code then tries to guess when a user is viewing pornographic images.
Method of Infection: CoolWebBrowser is suspected to be installed by pop-ups exploiting security holes in IE. However, to date, no one has caught a live CWS installer.
Privacy Issues: None reported
Security Issues: In the Bootconf variant, coolwebsearch.com is added to IE's Trusted Sites Zone, allowing it to download and install any code it likes.
cloudthestrife: I tell ya...it gets worse and worse.
view full post >
Stability Issues: DataNotary and BootConf variants may cause significant slowdown when typing in a browser window on some systems (particularly when entering information into forms). The SvcHost variant prevents you from completely reaching Google or the search services of MSN or Yahoo.
Removal Process: Manual removal is possible for most of the variants, but can be time consuming. As of this writing, most anti-spyware programs aren't currently addressing all variants.
Merijn Bellekom has fully documented the metamorphosis of CoolWebSearch and has prepared a tool called CWShredder which should be able to remove all known CoolWebSearch variants automatically. To access both, visit The CoolWebSearch Chronicles.
Vendor: www.CoolWebSearch.com
"When they was no meat we ate fowl, when there was no fowl we ate crawdad. And when there was no crawdad to be found, we ate sand."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
-
snoopdog
- Yellow Tang
- Posts: 4258
- Joined: Mon Feb 17, 2003 7:37 pm
- Are you a Bot ?: No
- Location: Mobile, Al
- Contact:
This is supposedly a remover
http://www.siena.edu/antivirus/software/CWShredder.exe
Use at own risk though, not tested by me.
http://www.siena.edu/antivirus/software/CWShredder.exe
Use at own risk though, not tested by me.
"When they was no meat we ate fowl, when there was no fowl we ate crawdad. And when there was no crawdad to be found, we ate sand."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
-
harbingerofthefish
- Copepod
- Posts: 393
- Joined: Sun Feb 23, 2003 2:55 pm
- Location: ^^Harbinger wishes he was way up here^^ - um...can we say abuse of power here?! and memphis, tn ;)
- Contact:
snoop,
Yeah I ran around and found the shredder. I read the manual deinstall stuff and man that's some heavy...
I shredded (at my own risk of course) and so far so good. I read a lot that it's not known exactly where it comes from, but it mentioned warez sites. Notorius for thier pop ups
Yeah I ran around and found the shredder. I read the manual deinstall stuff and man that's some heavy...
I shredded (at my own risk of course) and so far so good. I read a lot that it's not known exactly where it comes from, but it mentioned warez sites. Notorius for thier pop ups
"nothing is the matter, it don't matter what you think"
-
snoopdog
- Yellow Tang
- Posts: 4258
- Joined: Mon Feb 17, 2003 7:37 pm
- Are you a Bot ?: No
- Location: Mobile, Al
- Contact:
I think everyone has popups but us now 
If you get popups while on our site you can bet you have adware on your computer.
If you get popups while on our site you can bet you have adware on your computer."When they was no meat we ate fowl, when there was no fowl we ate crawdad. And when there was no crawdad to be found, we ate sand."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate
"You ate what?"--H.I.
"We ate sand."--Cellmate
"You ate sand?"--H.I.
"That's right."--Cellmate