New at Spyware, need help

Okay, I'm new with the spyware thing, and got hit with it last week.
In this instance, the spyware is taking control of my homepage and
hitting me with pop up ads.  During the first encounter, it also added
a ".bak" to the end of my notebook and mwp executable files,
essentially hiding them from shortcuts and such.

The problem I have is that over the course of the past week I've
deleted this same spyware from my computer about 9 times, and it keeps
coming back.  I've run Norton, and it doesn't detect anything.  I
downloaded AdAware and it can get rid of it when it comes back, but
doesn't detect anything else.  I've added the Google Toolbar with pop
up blocker, and that doesn't help.  I've deleted all my temporary
internet files, cookies and prefetch files (XP home), but that's not
helping.  Somehow, this particular spyware keeps coming back.  It
doesn't seem to be related to any particular website (otherwise I'd
stop going there), and sometimes, it comes back without surfing the
web at all.  I've noticed that it puts 2 files on my computer.  The
first is a dll with a random name (jemc.dll, dib.dll, dhise.dll, it's
a random 3-5 letter name each time), and the second is sp.html.

Is it possible that this thing has recorded my IP address and the host
sends the files to me at random times?  If so, how do I stop this from
happening?  Is it possible for a program to run in the background with
my knowledge that loads the files on my computer, and a program that
neither Norton nor AdAware will pick up?


Re: New at Spyware, need help

On 28 Jun 2004 08:46:30 -0700, (Larry) wrote:


Try cwshredder, often that's the problem

Re: New at Spyware, need help

On 28 Jun 2004 08:46:30 -0700, *email_address_deleted* (Larry) wrote:


CWShredder may be part of the solution, but most likely you will also need
HijackThis, and expert advice to interpret its log.

Try one or more of these free online virus scans, which should complement NAV:

Start by downloading each of the following free tools:
CWShredder
CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
HijackThis
LSP-Fix and WinsockLSPFix
Spybot S&D
Stinger

Install and run Stinger.

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there.  Spybot S&D has an install routine - run it.  The other
downloaded programs can be copied into, and run from, any convenient folder.

Start by closing all Internet Explorer and Outlook windows, and running
CoolWebSearchSmartKillerMiniRemoval, then CWShredder.  Have the latter fix all.

Next, run Spybot S&D.  First update it ("Search for updates"), then run a scan
("Check for problems").  Trust Spybot, and delete everything ("Fix Problems")
that is displayed in Red.

Then, run HijackThis ("Scan").  Do NOT make any changes immediately.  Save the
HJT Log.

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and post it, or a link to your forum posts, here):
Aumha
Net-Integration
Spyware Info
Spyware Warrior
Tom Coyote
Wilders Security

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

And Larry, please don't contribute to the spread and success of email address
mining viruses.  Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums.  Protect yourself and the rest of the
internet - read this article.

Paranoia comes from experience - and is not necessarily a bad thing.
