Spyware Help [:(]

#1
So last night I went to azlyrics.com and it installed a host of spyware and adware bullshit on my computer while loading the main page. That will probably be the last time I used that ****ing site. Anyways, I got rid of everything except for this one mother****er. It is this program running in my background and when I am browsing a website, it pops up another window that is related to the website I'm visiting (or something I am searching for). In any case, I go into my msconfig into Startup and the program is just a bunch of random letters. Right now it's called "brohxes" and is located at C:\Windows\brohxes.exe. I uncheck the program from the Startup tab, I force quit the program through the task manager, under Processes. Then I go into the folder the file is located in and delete the bastard (and I had to uncheck "Hide protected operating system files" just to view it!). But then when I reboot, the file is there again, in Startup of msconfig, and in the C:\Windows folder, and running in the background. Except it has a new file name of random letters again. The weird part is that when I search for the file, it does not even show up. If I click on the properties of the file and check out the details, it says the original name is "SysMon" or "SysMon.exe" and I checked that out online. Apparently it is some kind of trojan or virus or something, none of my spyware/adware removers are picking it up, and websites just tell me to delete the "SysMon.exe" and a couple other file names, but none of them are in the Windows folder, and again no files show up when I search for it.

WTF DO I DO THIS IS DRIVING ME CRAZY
 

bmwrocks

#4
I have had this happen on one of my computers. I think I got rid of it by editing the registry in Safe Mode. I am not sure though, I may have had to go brute force method and reformat the disk and reinstall XP, I don't remember exactly.

Try this:
1. Boot XP in Safe Mode.
2. Start-->Run-->regedit
3. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. Find the offensive registry entry, select it, right-click delete and reboot

If it is gone, god bless me. Good luck buddy.

Oh, and run your spybot and adaware while in safe mode as well. Sometimes it will find and get rid of stuff it couldn't do in normal mode.
 
#5
Also look in the RunOnce key and RunOnceEx key, you will find them just below the Run key that Eric mentions above. Crap like this sometimes puts an entry in the RunOnce key. This key gets executed on startup. That is one way how the ratbast**ds can create a new, randomly named .exe every time you start up.
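
Added example (not part of the posts above): a PowerShell sketch that lists every value under the Run, RunOnce and RunOnceEx keys mentioned in posts #4 and #5, and resolves each one to the file it launches. Checking HKCU as well as HKLM, the image-path parsing, and the output column names are assumptions of this example, not something the thread specifies.

```powershell
# Added example: enumerate autorun values and resolve each to its file on disk.
$base  = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$paths = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') { "$hive\$base\$sub" }
}

$entries = foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) { continue }
    # RunOnceEx keeps its commands in subkeys, so walk those as well.
    $keys = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            # Pull the image path out of the command line (quoted or unquoted).
            if ($command -match '^\s*"([^"]+)"') { $image = $Matches[1] }
            elseif ($command -match '^\s*(.+?\.(exe|com|bat|cmd|scr|dll))(\s|$)') { $image = $Matches[1] }
            else { $image = ($command.Trim() -split '\s+')[0] }
            $image = [Environment]::ExpandEnvironmentVariables($image)
            # -Force is needed to see hidden and protected system files.
            $file = if ($image) { Get-Item -LiteralPath $image -Force -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Key           = $key.Name
                Name          = $name
                Command       = $command
                OnDisk        = [bool]$file
                LastWrite     = if ($file) { $file.LastWriteTime }
                # True when the launched file sits directly in the Windows folder.
                InWindowsRoot = [bool]($file -and $file.DirectoryName -ieq $env:windir)
            }
        }
    }
}

# Entries that launch something from the Windows folder root are listed first.
$entries | Sort-Object InWindowsRoot -Descending | Format-List
```

Commands given without a full path are reported with OnDisk set to False, because the script does not search PATH for them.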
 
#6
Kirby, thanks for the help. I tried the regedit in Safe Mode technique as well as running the two programs in Safe Mode, and nothing worked. What bothers me is that when I do disable the temporary file of the worm, the ads still come up. This means that I have some other kind of spyware/adware causing the ads to come up. If it helps, the ads seem to come from the domain www.hoowah.com but when I go there, there is nothing there.
 
#8
Usually the file makes two copies of itself, so if one gets deleted, it will recopy itself to the correct directory.

I feel for you - I had something similar happen and it takes some real research to remove it - you'll have to remove the reference keys from the registry - just make a full backup

Do you have system restore on? - you could roll it back
 
#10
Okay, apparently there are two problems. The worm was not causing the ads to pop-up. I got rid of the worm (WOOHOO!)...I noticed that the random-letter filename always had "Date Modified" from some time in 1989. So I just sorted the Windows folder by date and another file called "offun" was also last modified in 1989. I deleted the random-letter file as well as "offun" and rebooted and the file is no longer there! It is not in Startup in msconfig and it does not run in the background! BUT, I still get the stupid popup advertisement thing and it is really annoying me now...none of my spyware/adware programs are catching it....I guess I have to go through the processes list and figure out what program is running.
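
Added example (not part of the post above): the same date-sorting check from post #10, written as a PowerShell sketch that lists files in the Windows folder root whose "Date Modified" is implausibly old, together with the embedded original file name that post #1 read from the file's properties. The cutoff date and the output column names are assumptions of this example.

```powershell
# Added example: find files in the Windows folder root with implausibly old timestamps.
# $cutoff is an assumption: choose a date older than anything the installed OS ships with.
$cutoff = [datetime]'1995-01-01'

$suspects = Get-ChildItem -LiteralPath $env:windir -File -Force |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            LastWrite    = $_.LastWriteTime
            Attributes   = $_.Attributes
            # Name stored in the version resource; blank for files without one.
            OriginalName = $_.VersionInfo.OriginalFilename
            # Hash for looking the file up or submitting it to a scanner.
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                               -ErrorAction SilentlyContinue).Hash
        }
    }

# Full listing, oldest first.
$suspects | Sort-Object LastWrite | Format-Table -AutoSize

# Files dropped together tend to share a timestamp, so group on it to spot
# companions such as the second file found by sorting the folder by date.
$suspects |
    Group-Object { $_.LastWrite.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        '{0}: {1}' -f $_.Name, (($_.Group | ForEach-Object Name) -join ', ')
    }
```

Any program can set a file's modified time, so an old date is a lead to follow up on rather than proof by itself.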
 
#11
Adware

Mr E... I've successfully used the Elite toolbar remover which removed numerous bothersome adware crap. I'll give the link, download and run it in safe mode as previously suggested. It's a good program which got rid of this crap on both of my son's laptops and also my wife. Good luck, let me know how you make out.

http://www.simplytech.it/home_e.htm
 
#12
Frankie, thanks for the suggestion, I gave that a try (in Safe Mode, as it recommends) and no dice. At least I got rid of the worm...I guess I can just deal with the popup thing until one of the spam programs can get rid of it.
 

bmwrocks

#13
MrElussive said:
Okay, apparently there are two problems. The worm was not causing the ads to pop-up. I got rid of the worm (WOOHOO!)...I noticed that the random-letter filename always had "Date Modified" from some time in 1989. So I just sorted the Windows folder by date and another file called "offun" was also last modified in 1989. I deleted the random-letter file as well as "offun" and rebooted and the file is no longer there! It is not in Startup in msconfig and it does not run in the background! BUT, I still get the stupid popup advertisement thing and it is really annoying me now...none of my spyware/adware programs are catching it....I guess I have to go through the processes list and figure out what program is running.
Congrats on being so resourceful and persistent and figuring out how to get rid of "wxhyusd" or is it "xciyufg" [rofl] And now we all know how to get rid of that horrendous thing if it ever shows up on any of our comps.

For the popup....have you checked "Add/remove programs" for any extraneous installed advertising crap? These popups could be a result of some ad program that got installed unbeknownst to you.....
 
#15
bmwrocks, that is a good suggestion. I have gone through the Add/Remove Programs section to find any suspicious-looking adware/spyware programs but I can find nothing abnormal.

mjbst111, thanks for the suggestion. The Hoowah.com popups were annoying enough to make me switch to FireFox. I'd rather chill with Internet Explorer, but these FireFox tabs are cool and there are no annoying popups.
 

epj3

#16
MrElussive said:
bmwrocks, that is a good suggestion. I have gone through the Add/Remove Programs section to find any suspicious-looking adware/spyware programs but I can find nothing abnormal.

mjbst111, thanks for the suggestion. The Hoowah.com popups were annoying enough to make me switch to FireFox. I'd rather chill with Internet Explorer, but these FireFox tabs are cool and there are no annoying popups.
Dude you are so far behind with firefox. Nobody uses ie anymore.
 