Help!

Unknown Ad-spy Ware?

 
  

sonoftom



Joined: Aug 09, 2003
Posts: 4



Posted: Mon Aug 11, 2003 1:23 pm

For the last couple of weeks I have had to deal with an annoying program that acts like spy ware. :angry:

It keeps changing my home page. A new search bar has been placed in my tool bar, and even though I uncheck it, it keeps re-checking itself.

It uses some random name, apparently to keep people from finding it. In the tool bar the new tool is listed as "oaixlhfquo".
When I load the computer it places some randomly named executable file in the temp folder. It gives it a different name every time so I can't permanently block it.

At one time it even placed new icons on my desk top and in my favorites menu.

The bar that it placed on my computer when clicked takes me to a search engine.
This page: http://srch.lop.com/search/search.cgi?affi...ch&src=toolbar2

It is the same as its home page http://srch.lop.com

I’m not even sure if these are all related.

I tried the online virus scan at trendmicro.com. I used Norton Anti-Virus to check it again. I then used Adware 6.0, JV16 Powertools, and finally I downloaded spy-bot and after using it on my computer, a few things showed up, but when I started my computer again this spy ware, or whatever it is, was still doing the same things.
I’m using Windows XP and have a cable modem. I have Norton Anti Virus software always running and I’m using Sygate Personal Firewall.
Does anyone have any ideas what I do to get rid of this thing? If not, is there someplace where I can report it? I have no more ideas what to do.

Thanks for your help.

sonoftom
johnniecanuck



Joined: Apr 05, 2003
Posts: 505



Posted: Mon Aug 11, 2003 4:28 pm

It could be you are a victim of browser hijacking.
Google for a proggie called, "Hi-jack this," which, I am told, has rescued others distraught by the same problem.
Somehow, the scum seem to be able to write scumware that re-invents itself even after you scrub your registry and reboot.
:angry:
Hope you find the hijack-killer
Very Happy
sonoftom



Joined: Aug 09, 2003
Posts: 4



Posted: Mon Aug 11, 2003 7:28 pm

Thanks johnniecanuck, Very Happy

I just got home and read this thread again. I downloaded HijackThis as you suggested. They told me to paste the results of the scan, so here it is. Anybody have any idea what program(s) need to be removed?

Thanks for your help. Smile


(Edited out personal settings on computer, problem is fixed, I hope)
Jtimes2003



Joined: Dec 28, 2002
Posts: 851



Posted: Mon Aug 11, 2003 11:51 pm

Try this http://www.surferbeware.com

Good luck in getting that malware off your machine!
Miz



Joined: Dec 09, 2002
Posts: 282



Posted: Mon Aug 11, 2003 11:59 pm

Post your HiJackThis log in the "Spyware and Hijack Removal" area of the SpywareInfo Forum. There are experts there who can help you get rid of your unwanted guest. Wink
sonoftom



Joined: Aug 09, 2003
Posts: 4



Posted: Tue Aug 12, 2003 1:59 am

Very Happy Well, I think I solved the problem. (I hope)

I goofed and downloaded (and paid for :angry: ) a program called "spy hunter". Well, I finally found the real spybot software, downloaded it (for free!), used it and got rid of a lot more junk.

Everything is back to normal for the most part. That stupid addition to my toolbar is still listed, but at least it hasn't shown its ugly head. Smile

If I have any more problems, I'll post the results to the spyware and hijack removal forum.

Thanks everyone for your help. You can't imagine how mad this made me.
goretsky



Joined: Dec 07, 2002
Posts: 9041

Location: Southern California

Posted: Tue Aug 12, 2003 2:25 am

Hello,

While you're dealing with this problem through the browser-hijacking experts I do have a few minor suggestions.

You may wish to try adding a "null entry" to your hosts file to point any accesses made to srch.lop.com and related web sites back to your own computer. A hosts file is a small text file which helps your computer convert IP addresses to domain names, such as converting 69.42.68.195 into www.lockergnome.com. While this will not remove the spyware, it will prevent your computer from accessing their computers, which might prevent reintroduction of the malicious program hijacking your web browser. Here is how to edit your hosts file, step-by-step:

  • Click on Start -> Run from the Taskbar and enter "NOTEPAD C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS." as the name of the program to run. Note that while the hosts file is a text file, it does not have a conventional three-letter extension like .TXT. This is why you should specify the "." at the end of the file name. Click on OK to start Notepad.
  • The hosts file will appear inside of Notepad.
  • Scroll down to the bottom of the hosts file and add the following lines at the end of it:

      127.0.0.1 lop.com
      127.0.0.1 lb.lop.com
      127.0.0.1 srch.lop.com
      127.0.0.1 www.lop.com

  • Click on File -> Save from the main menu bar in Notepad to save the changes to the hosts file, then close Notepad when done.

What we're doing is telling your computer to translate the various requests to go to lop.com's computers to instead go to the computer at the IP address of "127.0.0.1" which is a special reserved IP address used to refer to your own computer. While this doesn't prevent the requests from happening, it does prevent them from reaching their intended destination by instead re-routing them to your computer.

The other thing I would suggest is you may wish to temporarily disable the "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMPDPSRV.EXE" program running on your computer. From what I have been able to find out this is a third-party (i.e., non-Microsoft) program to provide remote printing via RPC, which is the service Microsoft has recently warned users to update because of a critical security issue.

I'm not familiar with the "C:\DOCUME~1\OWNER\APPLIC~1\HOACHSFD.EXE" program, either, but since I could not find any references to the program at all you might want to see what you can find out about it before making a decision about it. Perhaps it is some software installed by the computer manufacturer.

Regards,

Aryeh Goretsky
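
The hosts-file edit described in the post above, as an added Python example that is not part of the original thread: it appends the four null entries only where they are missing, reports any listed name that is already mapped to a different address, and checks coverage by exact name, since a hosts file has no wildcards. The function names and the sample file contents are this example's own; the sample is constructed.

```python
import re

SINKHOLE = "127.0.0.1"
# The four names listed in the post above.
LOP_NAMES = ["lop.com", "lb.lop.com", "srch.lop.com", "www.lop.com"]
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

def parse_hosts(text):
    """Map each active hostname (lower-cased) to the list of addresses given for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), []).append(fields[0])
    return table

def null_route(text, names, sink=SINKHOLE):
    """Return (new_text, added, conflicts); existing lines are never modified.

    added: names that received a new sinkhole line.
    conflicts: names already mapped to a different address, left for manual review.
    """
    table = parse_hosts(text)
    added, conflicts = [], []
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if not HOSTNAME.match(name):
            raise ValueError(f"not a hostname: {raw!r}")
        mapped = table.get(name, [])
        if any(ip != sink for ip in mapped):
            conflicts.append(name)
        elif not mapped and name not in added:
            added.append(name)
    if added and text and not text.endswith("\n"):
        text += "\n"              # a missing final newline would fuse two entries
    return text + "".join(f"{sink} {n}\n" for n in added), added, conflicts

def is_blocked(text, hostname, sink=SINKHOLE):
    """True only if this exact name is sinkholed; subdomains need their own line."""
    ips = parse_hosts(text).get(hostname.lower(), [])
    return bool(ips) and all(ip == sink for ip in ips)

# Constructed sample: a hosts file with one entry already added and no final newline.
SAMPLE = "# sample hosts file\n127.0.0.1       localhost\n127.0.0.1 srch.lop.com"

if __name__ == "__main__":
    updated, added, conflicts = null_route(SAMPLE, LOP_NAMES)
    print(updated, added, conflicts, sep="\n")
```

Running it a second time on its own output adds nothing, so the edit can be repeated safely after a cleanup tool or the spyware itself has touched the file.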
sonoftom



Joined: Aug 09, 2003
Posts: 4



Posted: Tue Aug 12, 2003 8:55 am

Thanks goretsky,

I did what you suggested, so hopefully everything will be O.K. now.

And thanks to everyone else for your help.


sonoftom